bahan w wrote:
Hello everyone.
I modified the /etc/selinux/config file :
#########################################################
# This file controls the state of SELinux on the system.
# SELINUX=disabled
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
#########################################################
Then I rebooted.
#########################################################
reboot
#########################################################
Here is the result of getenforce :
#########################################################
Permissive
#########################################################
I removed the ipa-server that I had and I tried the 3.0.0-42 :
#########################################################
yum install ipa-server-3.0.0-42.el6.x86_64
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:3.0.0-42.el6 will be installed
--> Processing Dependency: ipa-client = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-admintools = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-python = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
--> Processing Dependency: ipa-server-selinux = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
--> Running transaction check
---> Package ipa-admintools.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-client.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-python.x86_64 0:3.0.0-42.el6 will be installed
---> Package ipa-server-selinux.x86_64 0:3.0.0-42.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================
 Package               Arch      Version         Repository    Size
======================================================================================================================================
Installing:
 ipa-server            x86_64    3.0.0-42.el6    standard      1.1 M
Installing for dependencies:
 ipa-admintools        x86_64    3.0.0-42.el6    standard       67 k
 ipa-client            x86_64    3.0.0-42.el6    standard      145 k
 ipa-python            x86_64    3.0.0-42.el6    standard      928 k
 ipa-server-selinux    x86_64    3.0.0-42.el6    standard       66 k
Transaction Summary
======================================================================================================================================
Install 5 Package(s)
Total download size: 2.3 M
Installed size: 9.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): ipa-admintools-3.0.0-42.el6.x86_64.rpm | 67 kB 00:00
(2/5): ipa-client-3.0.0-42.el6.x86_64.rpm | 145 kB 00:00
(3/5): ipa-python-3.0.0-42.el6.x86_64.rpm | 928 kB 00:00
(4/5): ipa-server-3.0.0-42.el6.x86_64.rpm | 1.1 MB 00:00
(5/5): ipa-server-selinux-3.0.0-42.el6.x86_64.rpm | 66 kB 00:00
--------------------------------------------------------------------------------------------------------------------------------------
Total 6.8 MB/s | 2.3 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : ipa-python-3.0.0-42.el6.x86_64 1/5
Installing : ipa-client-3.0.0-42.el6.x86_64 2/5
Installing : ipa-admintools-3.0.0-42.el6.x86_64 3/5
Installing : ipa-server-3.0.0-42.el6.x86_64 4/5
Installing : ipa-server-selinux-3.0.0-42.el6.x86_64 5/5
libsepol.print_missing_requirements: ipa_dogtag's global requirements were not met: type/attribute pki_ca_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
Verifying : ipa-server-3.0.0-42.el6.x86_64 1/5
Verifying : ipa-server-selinux-3.0.0-42.el6.x86_64 2/5
Verifying : ipa-python-3.0.0-42.el6.x86_64 3/5
Verifying : ipa-client-3.0.0-42.el6.x86_64 4/5
Verifying : ipa-admintools-3.0.0-42.el6.x86_64 5/5
Installed:
ipa-server.x86_64 0:3.0.0-42.el6
Dependency Installed:
ipa-admintools.x86_64 0:3.0.0-42.el6
ipa-client.x86_64 0:3.0.0-42.el6
ipa-python.x86_64 0:3.0.0-42.el6
ipa-server-selinux.x86_64 0:3.0.0-42.el6
Complete!
#########################################################
The errors linked with dogtag are still there.
Now, when I tried to run the ipa-server-install command here is what I
have :
#########################################################
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
[1/20]: creating certificate server user
[2/20]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST
-cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw -client_certdb_pwd
XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ -domain_name IPA -admin_user
admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST
-ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
-key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
-subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM
-ca_server_cert_subject_name CN=MYHOST,O=MYREALM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM
-ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM -external
false -clone false' returned non-zero exit status 255
Configuration of CA failed
#########################################################
And here is what I found in the ipaserver-install.log :
#########################################################
2015-06-01T07:38:43Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:385)
    at java.net.Socket.connect(Socket.java:546)
    at java.net.Socket.connect(Socket.java:495)
    at java.net.Socket.<init>(Socket.java:392)
    at java.net.Socket.<init>(Socket.java:235)
    at HTTPClient.sslConnect(HTTPClient.java:326)
    at ConfigureCA.LoginPanel(ConfigureCA.java:244)
    at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
    at ConfigureCA.main(ConfigureCA.java:1672)
java.lang.NullPointerException
    at ConfigureCA.LoginPanel(ConfigureCA.java:245)
    at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
    at ConfigureCA.main(ConfigureCA.java:1672)
2015-06-01T07:38:43Z CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST
-cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw -client_certdb_pwd
XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ -domain_name IPA -admin_user
admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST
-ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
-key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
-subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM
-ca_server_cert_subject_name CN=MYHOST,O=MYREALM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM
-ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM -external
false -clone false' returned non-zero exit status 255
2015-06-01T07:38:43Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 942, in main
    subject_base=options.subject)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
    raise RuntimeError('Configuration of CA failed')
2015-06-01T07:38:43Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
#########################################################
I'm not really sure permissive mode with SELinux is helping in fact.

I'd poke around in the CA logs in /var/log/pki-ca. It may be that the CA
isn't really starting up, or the web app isn't starting. There are a lot
of red herrings in the logs, and things can cascade, so I'd start at the
top and work my way down.
rob
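
Added example, not part of the original thread or of FreeIPA's code: a small Python triage that orders the failure markers from the transcripts above top to bottom, as the reply suggests, and pulls out which SELinux policy module failed to link and which type it was missing. The function names `missing_policy_types` and `failure_order` are hypothetical, and the sample is built from lines quoted in the post.

```python
import re

# Constructed sample: lines from the transcript above, rejoined where the mail
# client wrapped them; the pkisilent argument list is shortened to "...".
SAMPLE = """\
Installing : ipa-server-selinux-3.0.0-42.el6.x86_64 5/5
libsepol.print_missing_requirements: ipa_dogtag's global requirements were not met: type/attribute pki_ca_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
Complete!
2015-06-01T07:38:43Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
java.lang.NullPointerException
2015-06-01T07:38:43Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA ...' returned non-zero exit status 255
2015-06-01T07:38:43Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
"""

# SELinux module link failure: which module needs which missing type.
MISSING = re.compile(r"libsepol\.print_missing_requirements: (\S+)'s global "
                     r"requirements were not met: type/attribute (\S+)")
# Failure markers seen in this transcript (assumption: not an exhaustive list).
MARKER = re.compile(r"requirements were not met|Link packages failed|"
                    r"semodule: Failed!|CRITICAL|"
                    r"\b[\w.]+(?:Exception|Error)\b")

def missing_policy_types(text):
    """Return (module, missing_type) pairs reported by libsepol."""
    return MISSING.findall(text)

def failure_order(text):
    """Return (line_number, marker) for the first sighting of each marker,
    top to bottom, so later cascaded errors sort after earlier ones."""
    seen, ordered = set(), []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in MARKER.finditer(line):
            if match.group(0) not in seen:
                seen.add(match.group(0))
                ordered.append((lineno, match.group(0)))
    return ordered

if __name__ == "__main__":
    for module, typ in missing_policy_types(SAMPLE):
        print(f"policy module {module} failed to link: type {typ} is undefined")
    for lineno, marker in failure_order(SAMPLE):
        print(f"{lineno:>3}  {marker}")
```

The ordering only shows which failure was logged first; yum still printed `Complete!` after `semodule: Failed!`, so the package transaction result alone does not show that the policy module loaded.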