[Freeipa-users] Configuration of CA failed

2015-05-14 Thread Remigio Moncayo Serrano
Hello,

I've been put in charge of implementing a solution that uses LDAP and kerberos 
authentication. At first thought I should use openLDAP and Kerberos but found 
freeIPA and looks really cool, however, when trying to install I keep getting 
this error about configuration of CA:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the 
installation log for details.
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl 
/usr/bin/pkisilent ConfigureCA -cs_hostname ipatest.ingenia.local -cs_port 9445 
-client_certdb_dir /tmp/tmp-ARezzO -client_certdb_pwd  -preop_pin 
f0dLhx9bLX5qWHYx50h6 -domain_name IPA -admin_user admin -admin_email 
root@localhost -admin_password  -agent_name ipa-ca-agent 
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host ipatest.ingenia.local -ldap_port 
7389 -bind_dn cn=Directory Manager -bind_password  -base_dn o=ipaca 
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA 
-save_p12 true -backup_pwd  -subsystem_name pki-cad -token_name 
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL 
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INGENIA.LOCAL 
-ca_server_cert_subject_name CN=ipatest.ingenia.local,O=INGENIA.LOCAL 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=INGENIA.LOCAL 
-ca_sign_cert_subject_name CN=Certificate Authority,O=INGENIA.LOCAL -external 
false -clone false' returned non-zero exit status 255
Configuration of CA failed

I'm including two install logs, one with dns-setup and the other without it. 
Don't really know what I'm doing wrong, thought maybe I should allow 
connections to certain ports in ip tables or something but have no clue really 
and I'm quite new to this, help please..

Regards,

Remigio


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Configuration of CA failed

2015-05-14 Thread Martin Kosek
On 05/14/2015 11:58 AM, Remigio Moncayo Serrano wrote:
> Hello,
> 
> I've been put in charge of implementing a solution that uses LDAP and 
> kerberos authentication. At first thought I should use openLDAP and Kerberos 
> but found freeIPA and looks really cool, however, when trying to install I 
> keep getting this error about configuration of CA:
> 
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
> 
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server. See the 
> installation log for details.
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl 
> /usr/bin/pkisilent ConfigureCA -cs_hostname ipatest.ingenia.local -cs_port 
> 9445 -client_certdb_dir /tmp/tmp-ARezzO -client_certdb_pwd  
> -preop_pin f0dLhx9bLX5qWHYx50h6 -domain_name IPA -admin_user admin 
> -admin_email root@localhost -admin_password  -agent_name ipa-ca-agent 
> -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
> CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host ipatest.ingenia.local -ldap_port 
> 7389 -bind_dn cn=Directory Manager -bind_password  -base_dn o=ipaca 
> -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA 
> -save_p12 true -backup_pwd  -subsystem_name pki-cad -token_name 
> internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL 
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL 
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INGENIA.LOCAL 
> -ca_server_cert_subject_name CN=ipatest.ingenia.local,O=INGENIA.LOCAL 
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=INGENIA.LOCAL 
> -ca_sign_cert_subject_name CN=Certificate Authority,O=INGENIA.LOCAL -external 
> false -clone false' returned non-zero exit status 255
> Configuration of CA failed
> 
> I'm including two install logs, one with dns-setup and the other without it. 
> Don't really know what I'm doing wrong, thought maybe I should allow 
> connections to certain ports in ip tables or something but have no clue 
> really and I'm quite new to this, help please..
> 
> Regards,
> 
> Remigio

Hello,

What platform are you using (Fedora? CentOS? RHEL?) and what version of FreeIPA
are you using?

Also, I see the following error in the log:
java.net.ConnectException: Connection refused
So it seems some port is occupied. Is your port 8443 occupied? Maybe by running
httpd daemon before the installation?

Martin



Re: [Freeipa-users] Configuration of CA failed

2015-05-14 Thread Martin Basti

On 14/05/15 11:58, Remigio Moncayo Serrano wrote:
> Hello,
> 
> I’ve been put in charge of implementing a solution that uses LDAP and 
> kerberos authentication. At first thought I should use openLDAP and 
> Kerberos but found freeIPA and looks really cool, however, when trying 
> to install I keep getting this error about configuration of CA:
> 
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
> 
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server. See the 
> installation log for details.
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 
> seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command 
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
> ipatest.ingenia.local -cs_port 9445 -client_certdb_dir /tmp/tmp-ARezzO 
> -client_certdb_pwd  -preop_pin f0dLhx9bLX5qWHYx50h6 
> -domain_name IPA -admin_user admin -admin_email root@localhost 
> -admin_password  -agent_name ipa-ca-agent -agent_key_size 2048 
> -agent_key_type rsa -agent_cert_subject 
> CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host ipatest.ingenia.local 
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password  
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa 
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd  
> -subsystem_name pki-cad -token_name internal 
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL 
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL 
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INGENIA.LOCAL 
> -ca_server_cert_subject_name CN=ipatest.ingenia.local,O=INGENIA.LOCAL 
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=INGENIA.LOCAL 
> -ca_sign_cert_subject_name CN=Certificate Authority,O=INGENIA.LOCAL 
> -external false -clone false' returned non-zero exit status 255
> 
> Configuration of CA failed
> 
> I’m including two install logs, one with dns-setup and the other 
> without it. Don’t really know what I’m doing wrong, thought maybe I 
> should allow connections to certain ports in ip tables or something 
> but have no clue really and I’m quite new to this, help please..
> 
> Regards,
> 
> Remigio

Hello,

can you please check error logs of DS?
/var/log/dirsrv/slapd-*/errors

And please post here an error why DS restart failed.

Martin

--
Martin Basti


Re: [Freeipa-users] Configuration of CA failed

2015-05-14 Thread Martin Basti

On 14/05/15 13:54, Remigio Moncayo Serrano wrote:
> I fail to see the problem in the logs so I’m attaching the file here
> 
> *From:* Martin Basti [mailto:mba...@redhat.com]
> *Sent:* Thursday, 14 May 2015 13:05
> *To:* Remigio Moncayo Serrano; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Configuration of CA failed
> 
> On 14/05/15 11:58, Remigio Moncayo Serrano wrote:
> > Hello,
> > 
> > I’ve been put in charge of implementing a solution that uses LDAP
> > and kerberos authentication. At first thought I should use
> > openLDAP and Kerberos but found freeIPA and looks really cool,
> > however, when trying to install I keep getting this error about
> > configuration of CA:
> > 
> > The following operations may take some minutes to complete.
> > Please wait until the prompt is returned.
> > 
> > Configuring NTP daemon (ntpd)
> >   [1/4]: stopping ntpd
> >   [2/4]: writing configuration
> >   [3/4]: configuring ntpd to start on boot
> >   [4/4]: starting ntpd
> > Done configuring NTP daemon (ntpd).
> > Configuring directory server for the CA (pkids): Estimated time 30
> > seconds
> >   [1/3]: creating directory server user
> >   [2/3]: creating directory server instance
> >   [3/3]: restarting directory server
> > ipa : CRITICAL Failed to restart the directory server. See
> > the installation log for details.
> > Done configuring directory server for the CA (pkids).
> > Configuring certificate server (pki-cad): Estimated time 3 minutes
> > 30 seconds
> >   [1/20]: creating certificate server user
> >   [2/20]: configuring certificate server instance
> > ipa : CRITICAL failed to configure ca instance Command
> > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > ipatest.ingenia.local -cs_port 9445 -client_certdb_dir
> > /tmp/tmp-ARezzO -client_certdb_pwd  -preop_pin
> > f0dLhx9bLX5qWHYx50h6 -domain_name IPA -admin_user admin
> > -admin_email root@localhost -admin_password  -agent_name
> > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> > -agent_cert_subject CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host
> > ipatest.ingenia.local -ldap_port 7389 -bind_dn cn=Directory
> > Manager -bind_password  -base_dn o=ipaca -db_name ipaca
> > -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
> > -save_p12 true -backup_pwd  -subsystem_name pki-cad
> > -token_name internal -ca_subsystem_cert_subject_name CN=CA
> > Subsystem,O=INGENIA.LOCAL -ca_subsystem_cert_subject_name CN=CA
> > Subsystem,O=INGENIA.LOCAL -ca_ocsp_cert_subject_name CN=OCSP
> > Subsystem,O=INGENIA.LOCAL -ca_server_cert_subject_name
> > CN=ipatest.ingenia.local,O=INGENIA.LOCAL
> > -ca_audit_signing_cert_subject_name CN=CA Audit,O=INGENIA.LOCAL
> > -ca_sign_cert_subject_name CN=Certificate
> > Authority,O=INGENIA.LOCAL -external false -clone false' returned
> > non-zero exit status 255
> > 
> > Configuration of CA failed
> > 
> > I’m including two install logs, one with dns-setup and the other
> > without it. Don’t really know what I’m doing wrong, thought maybe
> > I should allow connections to certain ports in ip tables or
> > something but have no clue really and I’m quite new to this, help
> > please..
> > 
> > Regards,
> > 
> > Remigio
> 
> Hello,
> 
> can you please check error logs of DS?
> /var/log/dirsrv/slapd-*/errors
> 
> And please post here an error why DS restart failed.
> 
> Martin
> 
> --
> Martin Basti

Indeed, the log looks good.
There is some issue that IPA cannot verify DS on port 7389.

Can you answer the questions asked by Martin Kosek, please?
Martin

--
Martin Basti


Re: [Freeipa-users] Configuration of CA failed

2015-05-15 Thread Martin Kosek

On 05/14/2015 01:02 PM, Martin Kosek wrote:
> On 05/14/2015 11:58 AM, Remigio Moncayo Serrano wrote:
> > Hello,
> > 
> > I've been put in charge of implementing a solution that uses LDAP and kerberos 
> > authentication. At first thought I should use openLDAP and Kerberos but found 
> > freeIPA and looks really cool, however, when trying to install I keep getting 
> > this error about configuration of CA:
> > 
> > The following operations may take some minutes to complete.
> > Please wait until the prompt is returned.
> > 
> > Configuring NTP daemon (ntpd)
> >   [1/4]: stopping ntpd
> >   [2/4]: writing configuration
> >   [3/4]: configuring ntpd to start on boot
> >   [4/4]: starting ntpd
> > Done configuring NTP daemon (ntpd).
> > Configuring directory server for the CA (pkids): Estimated time 30 seconds
> >   [1/3]: creating directory server user
> >   [2/3]: creating directory server instance
> >   [3/3]: restarting directory server
> > ipa : CRITICAL Failed to restart the directory server. See the 
> > installation log for details.
> > Done configuring directory server for the CA (pkids).
> > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> >   [1/20]: creating certificate server user
> >   [2/20]: configuring certificate server instance
> > ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl 
> > /usr/bin/pkisilent ConfigureCA -cs_hostname ipatest.ingenia.local -cs_port 9445 
> > -client_certdb_dir /tmp/tmp-ARezzO -client_certdb_pwd  -preop_pin 
> > f0dLhx9bLX5qWHYx50h6 -domain_name IPA -admin_user admin -admin_email 
> > root@localhost -admin_password  -agent_name ipa-ca-agent 
> > -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
> > CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host ipatest.ingenia.local -ldap_port 
> > 7389 -bind_dn cn=Directory Manager -bind_password  -base_dn o=ipaca 
> > -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA 
> > -save_p12 true -backup_pwd  -subsystem_name pki-cad -token_name 
> > internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL 
> > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL 
> > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INGENIA.LOCAL 
> > -ca_server_cert_subject_name CN=ipatest.ingenia.local,O=INGENIA.LOCAL 
> > -ca_audit_signing_cert_subject_name CN=CA Audit,O=INGENIA.LOCAL 
> > -ca_sign_cert_subject_name CN=Certificate Authority,O=INGENIA.LOCAL -external 
> > false -clone false' returned non-zero exit status 255
> > Configuration of CA failed
> > 
> > I'm including two install logs, one with dns-setup and the other without it. 
> > Don't really know what I'm doing wrong, thought maybe I should allow 
> > connections to certain ports in ip tables or something but have no clue really 
> > and I'm quite new to this, help please..
> > 
> > Regards,
> > 
> > Remigio
> 
> Hello,
> 
> What platform are you using (Fedora? CentOS? RHEL?) and what version of FreeIPA
> are you using?

We still have not received answer for that part, though it is obvious the 
platform will be something RHEL-6.x derived.

> Also, I see the following error in the log:
> java.net.ConnectException: Connection refused
> So it seems some port is occupied. Is your port 8443 occupied? Maybe by running
> httpd daemon before the installation?
> 
> Martin

Looking at the dirsrv log that Remigio sent me privately, it does not look that 
8443 is to blame.

It is, however, really strange that ipaserver-install.log reports that DS 
restart fails with following error, even though DS says it is listening on that 
port:

2015-05-14T09:28:49Z CRITICAL Failed to restart the directory server. See the 
installation log for details.

Could it be maybe a SELinux based problem? You can check for AVCs with

# ausearch -m avc -ts today

Final suggestion: this does not solve the root cause, but I would really 
suggest doing the installation on RHEL/CentOS 7.1 as it contains FreeIPA 4.1 
which is much better than the old FreeIPA 3.0 present in RHEL-6.x. This is our 
general recommendation for new deployments anyway.


Martin
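The three checks suggested across this thread (Martin Kosek's question about port 8443 being occupied, Martin Basti's request to look at /var/log/dirsrv/slapd-*/errors, and the ausearch AVC check above) collected into one triage script. This is an added example, not FreeIPA code or anything posted in the thread; the `ss`/`netstat` column layout and the wording of the 389-ds "slapd started" line are assumptions, and the test input is constructed.

```shell
#!/bin/sh
# Triage helpers for the failures in this thread (added example, not FreeIPA
# code).  Ports come from the thread: 7389 is the CA directory server
# (-ldap_port), 8443 the pki-ca HTTPS port Martin Kosek asked about,
# 9445 the pkisilent -cs_port.
IPA_CA_PORTS="7389 8443 9445"

# report_port_conflicts LISTING
# LISTING is the output of `ss -ltnp` (or `netstat -ltnp` on RHEL 6); in
# both formats the local address is column 4 and the owner the last column
# (assumed layout).  Prints each IPA port already bound; returns 1 if any is.
report_port_conflicts() {
    rc=0
    for port in $IPA_CA_PORTS; do
        # ":PORT" anchored at the end of column 4, so 8443 does not match 18443
        owner=$(printf '%s\n' "$1" |
            awk -v p="$port" '$4 ~ (":" p "$") { print $NF; exit }')
        if [ -n "$owner" ]; then
            echo "port $port is already bound by $owner"
            rc=1
        fi
    done
    return $rc
}

# ds_started_on ERRORS_LOG PORT
# Returns 0 if the last "slapd started" line in a 389-ds errors log
# (/var/log/dirsrv/slapd-*/errors) names PORT, 1 otherwise; the line wording
# ("Listening on ... port N for LDAP requests") is an assumption.  If this
# passes while ipaserver-install.log still says the DS restart failed, the
# install's connection check is failing, not DS: look at the firewall and
# at SELinux AVCs rather than at the directory server itself.
ds_started_on() {
    last=$(grep 'slapd started' "$1" | tail -n 1)
    case $last in
        *"port $2 for LDAP"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live run on the IPA host, as root: sh triage.sh --live
if [ "${1:-}" = "--live" ] && [ "$(id -u)" = 0 ]; then
    report_port_conflicts "$(ss -ltnp 2>/dev/null || netstat -ltnp)"
    for log in /var/log/dirsrv/slapd-*/errors; do
        if ds_started_on "$log" 7389; then echo "$log: DS listening on 7389"
        else echo "$log: no successful start on 7389"; fi
    done
    ausearch -m avc -ts today    # AVC denials from today's install attempt
fi
```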
