[Freeipa-users] FreeIPA 1.9.0.pre4 installation problem

Miljan Karadzic miljank at gmail.com
Wed Sep 15 18:50:08 UTC 2010


On 9/15/10 7:45 PM, Rob Crittenden wrote:
> Miljan Karadzic wrote:
>> Hello all,
>>
>> I am having some problems installing FreeIPA server on a freshly
>> installed Fedora 13 machine. Installation fails during configuration of
>> certificate server at step 3/14:
>>
>> -----------
>> [3/14]: configuring certificate server instance
>> root : CRITICAL failed to restart ca instance Command '/usr/bin/perl
>> /usr/bin/pkisilent ConfigureCA -cs_hostname loznica.lhs-systems.com
>> -cs_port 9445 -client_certdb_dir /tmp/tmp-0ANqdU -client_certdb_pwd
>> XXXXXXXX -preop_pin eTvJduILXN6kCgkX46ih -domain_name IPA -admin_user
>> admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name
>> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>> -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host
>> loznica.lhs-systems.com -ldap_port 7389 -bind_dn "cn=Directory Manager"
>> -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048
>> -key_type rsa -save_p12 true -backup_pwd XXXXXXXX -subsystem_name
>> pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA
>> Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA"
>> -ca_server_cert_subject_name "CN=loznica.lhs-systems.com,O=IPA"
>> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA"
>> -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external
>> false -clone false' returned non-zero exit status 255
>> [4/14]: creating CA agent PKCS#12 file in /root
>> Unexpected error - see ipaserver-install.log for details:
>> Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d
>> /tmp/tmp-0ANqdU -k /tmp/tmplUonD_ -w /tmp/tmplUonD_' returned non-zero
>> exit status 24
>> -----------
>>
>> Even if installation continues to next step PKI-CA is not configured.
>>
>> Debug message from the installation log file says (complete installation
>> log is attached):
>>
>> -----------
>> Required parameter -key_algorithm is not specified.
>> Use -help for help information
>> -----------
>>
>> Installed packages are as follows:
>>
>> -----------
>> pki-common-1.3.8-1.fc13.noarch
>> pki-util-1.3.2-1.fc13.noarch
>> pki-console-1.3.2-1.fc13.noarch
>> pki-native-tools-1.3.0-5.fc13.i686
>> dogtag-pki-ca-ui-1.3.2-1.fc13.noarch
>> pki-silent-1.3.4-1.fc13.noarch
>> pki-symkey-1.3.2-4.fc13.i686
>> pki-java-tools-1.3.1-1.fc13.noarch
>> dogtag-pki-console-ui-1.3.2-2.fc13.noarch
>> pki-ca-1.3.6-1.fc13.noarch
>> pki-selinux-1.3.5-1.fc13.noarch
>> dogtag-pki-common-ui-1.3.3-1.fc13.noarch
>> pki-setup-1.3.4-1.fc13.noarch
>> -
>> ipa-server-1.9.0.pre4-0.fc13.i686
>> ipa-admintools-1.9.0.pre4-0.fc13.i686
>> ipa-python-1.9.0.pre4-0.fc13.i686
>> ipa-server-selinux-1.9.0.pre4-0.fc13.i686
>> ipa-client-1.9.0.pre4-0.fc13.i686
>> -
>> 389-ds-base-1.2.6-1.fc13.i686
>> -----------
>>
>> Any ideas what could be the problem?
>
> The problem is that pkisilent requires a new argument, -key_algorithm, 
> that we aren't providing. To work around this you'll need to modify 
> /usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py.
>
> Search for pkisilent and you'll see we create a huge array of 
> arguments to pass. Add this:
>
>                     "-key_algorithm", "SHA256withRSA",
>
> I put it in right after:
>
>                     "-key_type", "rsa",
>
> but order shouldn't matter.
>
> rob
Hi Rob,

I found the same thing after writing the email, but I didn't know what 
to use as an argument - putting just 'rsa' didn't work. :)

Thanks a lot for the help!



