[Freeipa-users] installing freeipa v2 server fails at "configuring certificate server instance"

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 16 14:14:53 UTC 2011


On Wed, 16 Nov 2011, Thomas Sailer wrote:
> Hi,
> 
> Installing a v2 freeipa server failed for me at the stage
> "configuring certificate server instance"
> 
> The machine is an updated (and now fully up2date) fedora16 x64 machine.
> 
> Here's the command line output:
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>   [1/17]: creating certificate server user
>   [2/17]: creating pki-ca instance
>   [3/17]: configuring certificate server instance
> root        : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
> 'server.xxxxx.com' '-cs_port' '9445' '-client_certdb_dir'
> '/tmp/tmp-HxuF_T' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
> 'rgN1Coi9yfnvOUlxsUUw' '-domain_name' 'IPA' '-admin_user' 'admin'
> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX
> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
> '-agent_key_type' 'rsa' '-agent_cert_subject'
> 'CN=ipa-ca-agent,O=AXSEM.COM' '-ldap_host' server.xxxxx.com'
> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager'
> '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca'
> '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
> 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
> '-subsystem_name' 'pki-cad' '-token_name' 'internal'
> '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=XXXXX.COM'
> '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=XXXXX.COM'
> '-ca_server_cert_subject_name'
> 'CN=axextserver1.hq.axsem.com,O=XXXXX.COM'
> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=XXXXX.COM'
> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=XXXXX.COM'
> '-external' 'false' '-clone' 'false'' returned non-zero exit status
> 255
> Unexpected error - see ipaserver-install.log for details:
>  Configuration of CA failed
> 
> I got it working once I removed the (link local IMO) IPv6 address
> from the ethernet interface. Otherwise, the pki ports (such as 9445)
> were only bound to IPv6 addresses. Strange.
Maybe that's because server.xxxx.com resolves to an IPv6 address? We pass
the FQDN of the server to pkisilent, and then it tries to set up and start
the CA.

-- 
/ Alexander Bokovoy
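
One way to check both observations in this thread (what the FQDN resolves to, and which address family a port such as 9445 is listening on), as an added example that is not part of the original messages. The `ss -ltn` sample and the addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import socket

# Constructed sample of `ss -ltn` output (not taken from the original post).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       100     [::]:9445           [::]:*
LISTEN  0       128     0.0.0.0:7389        0.0.0.0:*
"""

def listener_families(ss_output):
    """Map each listening port to the address families it is bound on."""
    ports = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
        ports.setdefault(int(port), set()).add(f"ipv{ip.version}")
    return ports

def v6_only_ports(ss_output, wanted):
    """Ports from `wanted` that have an IPv6 listener but no IPv4 one."""
    fams = listener_families(ss_output)
    return [p for p in wanted if fams.get(p) == {"ipv6"}]

def classify_addresses(addrs):
    """Split addresses into IPv4, routable IPv6 and link-local IPv6."""
    out = {"ipv4": [], "ipv6": [], "ipv6_link_local": []}
    for a in addrs:
        ip = ipaddress.ip_address(a.split("%")[0])  # drop any %zone suffix
        if ip.version == 4:
            out["ipv4"].append(a)
        elif ip.is_link_local:
            out["ipv6_link_local"].append(a)
        else:
            out["ipv6"].append(a)
    return out

def resolve(fqdn):
    """Live lookup: every address the system resolver returns for fqdn."""
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    print(v6_only_ports(SAMPLE_SS, [9445, 7389]))
    print(classify_addresses(["192.0.2.10", "fe80::5054:ff:fe12:3456%eth0"]))
```

A `[::]` listener can still accept IPv4 connections when the socket is not IPv6-only, so a v6-only result is a prompt to test connectivity over IPv4 rather than proof of a failure.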



