[Freeipa-users] FreeIPA_demonstration_tools CA creation error.

Mercer, Rodney rmercer at harris.com
Thu Dec 15 20:27:16 UTC 2011


On Thu, 2011-12-15 at 21:02 +0100, Ondrej Hamada wrote:
> On 12/14/2011 06:58 PM, Dmitri Pal wrote:
> > On 12/14/2011 11:04 AM, Mercer, Rodney wrote:
> >> I've been attempting to install the virtual machine setup from
> >> http://freeipa.org/page/FreeIPA_demonstration_tools
> >>
> >> I install on fresh Fedora 15 x86_64 host, and I am able to complete the first two steps.
> >>
> >> When I run the last script,
> >> ./ipa-demo.sh
> >> I get from the ipa-demo-<date>.log
> >> ----
> >> CRITICAL:root:failed to configure ca instance
> >> ----
> >> and later in the log:
> >> ----
> >> Warning: skipping DNS resolution of host master.example.com
> >> The IPA Master Server will be configured with
> >> Hostname:    master.example.com
> >> IP address:  192.168.122.32
> >> Domain name: example.com
> >> ----
> >> and
> >> ----
> >> Configuring certificate server: Estimated time 3 minutes 30 seconds
> >>    [1/17]: creating certificate server user
> >>    [2/17]: creating pki-ca instance
> >>    [3/17]: configuring certificate server instance
> >> Unexpected error - see ipaserver-install.log for details:
> >>   Configuration of CA failed
> >> Server installation failed!
> >> Domain f15-ipa-server destroyed
> >>
> >> Domain f15-ipa-server has been undefined
> >> ----
> >>
> >> I see the dhcp address changing for master.example.com each time the script is run.
> >> Is there a requirement for making the dhcp address consistent for master.example.com
> >> and having the address in /etc/hosts so that it can reverse resolve via dnsmasq?
> >>
> >> Or does the DNS resolution of ip to host have any bearing on the certificate creation as I suspect?
> >>
> >>
> > Consistent name resolution is a requirement for IPA.
> > Ondrej, can you please take a closer look and see if this is something
> > with the demo scripts or IPA itself?
> I don't see a problem in scripts. When the virtual machines are created 
> by ipa-demo, they acquire addresses from dhcp, then - before 
> installation of freeipa - they're configured to use static addresses (the 
> currently assigned ip address is chosen) and also the records are added 
> into /etc/hosts.
> 
> I wasn't able to reproduce the problem on clean f15 x64, the 
> installation was successful, but a few errors like this one appeared:
> 
> ERROR:root:certmonger failed starting to track certificate: Command 
> '/usr/bin/ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert 
> -p /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 1
> root        : ERROR    certmonger failed starting to track certificate: 
> Command '/usr/bin/ipa-getcert start-tracking -d /etc/httpd/alias -n 
> Server-Cert -p /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 1
> WARNING:root:remove: '60' not in nsslapd-pluginPrecedence
> 
> 
Hmmm, that's odd.
I'm currently trying to force mine to work. I've attempted several times
with clean installs and no modifications both on a workstation and
laptop. I think I will take the laptop home and start over from my home
network. Maybe our work dns servers are causing an issue.

In the meantime, I am attempting to make the installation work on my
work network with the following libvirt modifications.

/var/lib/libvirt/dnsmasq/default.hostsfile

fe:54:00:8e:72:76,192.168.122.45,master.example.com
fe:54:00:8e:72:77,192.168.122.46,ipa-client1.example.com
fe:54:00:8e:72:78,192.168.122.47,ipa-client2.example.com

# virsh -c qemu:///system net-destroy default

# virsh -c qemu:///system net-edit default

<network>
  <name>default</name>
  <uuid>9c90ded8-3ed6-4200-98e9-5c668bcdc7cd</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0' />
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <host mac='fe:54:00:8e:72:76' name='master.example.com' ip='192.168.122.45' />
      <host mac='fe:54:00:8e:72:77' name='ipa-client1.example.com' ip='192.168.122.46' />
      <host mac='fe:54:00:8e:72:78' name='ipa-client2.example.com' ip='192.168.122.47' />
    </dhcp>
  </ip>
</network>


# virsh -c qemu:///system net-start default

-- 
Rodney Mercer
Systems Administrator
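
A cross-check for the two reservation sources shown in the message above, as an added example that is not part of the original post or of the FreeIPA demo scripts: it parses a dnsmasq hostsfile and a libvirt network definition and reports any MAC whose IP or name differs between them, falls outside the subnet, or collides with another reservation. The function names and the assumption that every hostsfile line is exactly `mac,ip,name` belong to this example; the sample values are constructed from the ones in the message.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed inputs: the values are the ones shown in the message above.
HOSTSFILE = """\
fe:54:00:8e:72:76,192.168.122.45,master.example.com
fe:54:00:8e:72:77,192.168.122.46,ipa-client1.example.com
fe:54:00:8e:72:78,192.168.122.47,ipa-client2.example.com
"""
NETWORK_XML = """\
<network>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <host mac='fe:54:00:8e:72:76' name='master.example.com' ip='192.168.122.45' />
      <host mac='fe:54:00:8e:72:77' name='ipa-client1.example.com' ip='192.168.122.46' />
      <host mac='fe:54:00:8e:72:78' name='ipa-client2.example.com' ip='192.168.122.47' />
    </dhcp>
  </ip>
</network>
"""

def parse_hostsfile(text):
    """Map MAC -> (ip, name); assumes every line is 'mac,ip,name'."""
    rows = (l.split(",") for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {mac.strip().lower(): (ip.strip(), name.strip()) for mac, ip, name in rows}

def parse_network(xml_text):
    """Return (subnet, MAC -> (ip, name)) from a libvirt network definition."""
    ip_el = ET.fromstring(xml_text).find("ip")
    subnet = ipaddress.ip_network(f"{ip_el.get('address')}/{ip_el.get('netmask')}", strict=False)
    hosts = {h.get("mac").lower(): (h.get("ip"), h.get("name")) for h in ip_el.iterfind("dhcp/host")}
    return subnet, hosts

def check_reservations(hostsfile_text, xml_text):
    """List problems that would leave a host with an unstable or ambiguous address."""
    subnet, xml_hosts = parse_network(xml_text)
    file_hosts = parse_hostsfile(hostsfile_text)
    problems = []
    for mac in sorted(set(xml_hosts) | set(file_hosts)):
        if xml_hosts.get(mac) != file_hosts.get(mac):
            problems.append(f"{mac}: XML has {xml_hosts.get(mac)}, hostsfile has {file_hosts.get(mac)}")
    seen = {}  # IP or hostname -> MAC that first reserved it
    for mac, (ip, name) in sorted(xml_hosts.items()):
        if ipaddress.ip_address(ip) not in subnet:
            problems.append(f"{mac}: {ip} is outside {subnet}")
        for key in (ip, name):
            if key in seen:
                problems.append(f"{mac}: {key} already reserved for {seen[key]}")
            seen[key] = mac
    return problems
```

An empty list from `check_reservations(HOSTSFILE, NETWORK_XML)` means both sources give each MAC the same fixed address and name.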




