<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 9, 2014 at 10:41 AM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">Olga Kornievskaia wrote:<br>
><br>
><br>
> On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
</span><span class="">> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote:<br>
><br>
> On 09/08/2014 07:29 PM, Olga Kornievskaia wrote:<br>
>> Thank you very much for your quick reply.<br>
>><br>
>> It is a brand new fedora 20 vm.<br>
><br>
> OK good.<br>
> Can you send or share the ipa server installation log?<br>
><br>
><br>
> Can you please suggest how I can do that? My original post was rejected<br>
> by the administrator of this list because I've included the install log<br>
> that compressed was over 5M.<br>
<br>
</span>If you have a web/ftp server available you can put it there for download.<br></blockquote><div><br></div><div>I have put the files in google drive and they should be accessible via this link:</div><div>freeipa-install-logs - <a href="https://drive.google.com/folderview?id=0B7NX-2naBL7GWXVIOS11YnZLZWM&usp=sharing">https://drive.google.com/folderview?id=0B7NX-2naBL7GWXVIOS11YnZLZWM&usp=sharing</a></div><div><br></div><div>Please let me know if there are problems accessing it.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
I'd look at the catalina.* logs in /var/log/pki/pki-tomcat and debug in<br>
the ca subdirectory. Those are more likely to hold startup failures.<br></blockquote><div><br></div><div>I have included the "debug", "ca-spawn", and snippet of "journalctl" output files. Personally, I wasn't able to find any error messages in there. </div><div><br></div><div>Thank you.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
journalctl may hold information on why it didn't start too.<br>
<br>
Incidentally, the second problem is likely related to the first. The<br>
installation didn't succeed so the system state is indeterminate.</blockquote><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
rob<br>
<span class=""><br>
><br>
><br>
> Are you using a cert from AD and trying to chain to an AD CA?<br>
><br>
><br>
> I'm not specifying any cert options on the install command (i.e. I'm<br>
> using the default certs supplied with the install).<br>
><br>
><br>
>><br>
>> There is nothing that's running on port 443.<br>
>><br>
>> catalina.out is empty<br>
>> system file is attached and reports that certificate is not in<br>
>> pkcs11 format.<br>
>> pki-ca-spaw.XX.log does not appear to report errors (also attached)<br>
>><br>
>> Please let me know if I can enable any other debugging info that<br>
>> might be useful in figuring this out.<br>
>><br>
>> Thank you.<br>
>><br>
>><br>
>> On Mon, Sep 8, 2014 at 5:50 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a><br>
</span><span class="">>> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote:<br>
>><br>
>> On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:<br>
>>> Can somebody help with the following problem(s) I’ve<br>
>>> encountered while trying to install the freeipa server?<br>
>>><br>
>>> Problem #1:<br>
>>> On fedora 20, I have:<br>
>>> 1. using yum install acquired the free-ipa-server package.<br>
>>> 2. ran ipa-server-install<br>
>>> — that has failed with “CA did not start in 300s”<br>
>>><br>
>>> One thing that’s noticeable in the logs (the snippet is<br>
>>> included below) is that the request for<br>
>>> '<a href="https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus" target="_blank">https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus</a>'<br>
</span>
<div><div class="h5">>>><br>
>>> has 443 as port as for before all the requests for 8443<br>
>>> (e.g., same (manual) request on port 8443 succeeds). Seems<br>
>>> like an install script somewhere has the wrong port?<br>
>><br>
>> 443 is the right port.<br>
>> Do you have something already running on the same box on that<br>
>> port?<br>
>> That might prevent things from installing and running.<br>
>><br>
>> Please try on a clean machine or VM.<br>
>> Also more logs will be helpful.<br>
>> Please see this [1] on how to troubleshoot.<br>
>><br>
>> The second problem is most likely an artifact of the<br>
>> incomplete install.<br>
>><br>
>> [1] <a href="http://www.freeipa.org/page/Troubleshooting" target="_blank">http://www.freeipa.org/page/Troubleshooting</a><br>
>><br>
>>><br>
>>> 2014-09-08T19:21:07Z DEBUG Waiting for CA to start...<br>
>>><br>
>>> 2014-09-08T19:21:08Z DEBUG request<br>
>>> '<a href="https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus" target="_blank">https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus</a>'<br>
>>><br>
>>> 2014-09-08T19:21:08Z DEBUG request body ''<br>
>>><br>
>>> 2014-09-08T19:21:08Z DEBUG request status 503<br>
>>><br>
>>> 2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service<br>
>>> Unavailable'<br>
>>><br>
>>> 2014-09-08T19:21:08Z DEBUG request headers {'date': 'Mon, 08<br>
>>> Sep 2014 19:21:08 GMT', 'content-length': '299',<br>
>>> 'content-type': 'text/html; charset=iso-8859-1',<br>
>>> 'connection': 'close', 'server': 'Apache/2.4.10 (Fedora)<br>
>>> mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC<br>
>>> mod_wsgi/3.5 Python/2.7.5'}<br>
>>><br>
>>> 2014-09-08T19:21:08Z DEBUG request<br>
>>> body '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML<br>
>>> 2.0//EN">\n<html><head>\n<title>503 Service<br>
>>> Unavailable</title>\n</head><body>\n<h1>Service<br>
>>> Unavailable</h1>\n<p>The server is temporarily unable to<br>
>>> service your\nrequest due to maintenance downtime or<br>
>>> capacity\nproblems. Please try again<br>
>>> later.</p>\n</body></html>\n'<br>
>>><br>
>>> 2014-09-08T19:21:08Z DEBUG The CA status is: Service Unavailable<br>
>>><br>
>>><br>
>>> Problem #2:<br>
>>> The next problem I’m encountering and doesn’t seem to be<br>
>>> related to the CA setup is on the next step of “kinit admin”.<br>
>>> It fails with “generic pre authentication failure while<br>
>>> getting initial credentials"<br>
>>><br>
>>> stracing kinit shows that it tried to open file<br>
>>> “/var/lib/sss/pubconf/kdcinfo.GATEWAY.2WIRE.NET<br>
</div></div>>>> ”) and fails with “no such<br>
<div class=""><div class="h5">>>> file” error. “pubconf” dir only has empty “krb5.include.d”.<br>
>>><br>
>>> I don’t know if this failure is due to the fact that the<br>
>>> setup didn’t run all the way and some configuration is<br>
>>> missing or this is a separate issue.<br>
>>><br>
>>> Are these bugs that need to be filed with bugzilla or am I<br>
>>> doing something incorrectly?<br>
>>><br>
>>> Any help would be appreciated.<br>
>>><br>
>>> Thank you.<br>
>>><br>
>>><br>
>><br>
>><br>
>> --<br>
>> Thank you,<br>
>> Dmitri Pal<br>
>><br>
>> Sr. Engineering Manager IdM portfolio<br>
>> Red Hat, Inc.<br>
>><br>
>><br>
>><br>
><br>
><br>
> --<br>
> Thank you,<br>
> Dmitri Pal<br>
><br>
> Sr. Engineering Manager IdM portfolio<br>
> Red Hat, Inc.<br>
><br>
><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div></div>
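The following added example, not code from the thread or from the FreeIPA project, parses installer DEBUG lines in the format quoted above and tallies the getStatus polls by port, HTTP status and Server header, showing which listener answered each 503. The host name and log lines are constructed, and `parse_polls` and `summarize` are hypothetical names.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the format of the log excerpt quoted in the thread
# (placeholder host name, shortened header dict).
SAMPLE_LOG = """\
2014-09-08T19:21:07Z DEBUG Waiting for CA to start...
2014-09-08T19:21:08Z DEBUG request 'https://ipa.example.test:443/ca/admin/ca/getStatus'
2014-09-08T19:21:08Z DEBUG request body ''
2014-09-08T19:21:08Z DEBUG request status 503
2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service Unavailable'
2014-09-08T19:21:08Z DEBUG request headers {'connection': 'close', 'server': 'Apache/2.4.10 (Fedora) mod_nss/2.4.6'}
2014-09-08T19:21:08Z DEBUG The CA status is: Service Unavailable
2014-09-08T19:21:13Z DEBUG Waiting for CA to start...
2014-09-08T19:21:14Z DEBUG request 'https://ipa.example.test:443/ca/admin/ca/getStatus'
2014-09-08T19:21:14Z DEBUG request status 503
2014-09-08T19:21:14Z DEBUG request headers {'connection': 'close', 'server': 'Apache/2.4.10 (Fedora) mod_nss/2.4.6'}
"""

# One installer line: the polled URL, the HTTP status, or the header dict.
LINE = re.compile(
    r"^(?P<ts>\S+Z) DEBUG request (?:'(?P<url>https?://[^']+)'"
    r"|status (?P<status>\d{3})|headers (?P<hdrs>\{.*\}))\s*$")
SERVER = re.compile(r"'server': '([^'/ ]+)")  # product name before the version

def parse_polls(text):
    """Group each polled URL with the status and Server header logged after it."""
    polls = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # body, reason_phrase and non-request lines are ignored
        if m["url"]:
            u = urlsplit(m["url"])
            polls.append({"time": m["ts"], "port": u.port, "path": u.path,
                          "status": None, "server": None})
        elif polls and m["status"]:
            polls[-1]["status"] = int(m["status"])
        elif polls and m["hdrs"]:
            s = SERVER.search(m["hdrs"])
            polls[-1]["server"] = s.group(1) if s else None
    return polls

def summarize(polls):
    """Tally polls by (port, status, server product)."""
    return dict(Counter((p["port"], p["status"], p["server"]) for p in polls))

if __name__ == "__main__":
    print(summarize(parse_polls(SAMPLE_LOG)))
```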