[Freeipa-users] Error in Installation - unable to create CA

shabahang elmian eshabahang at yahoo.com
Sun Apr 29 07:51:14 UTC 2012


[2012-04-23 17:07:32] [debug] set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] Processing PKI security modules for '/var/lib/pki-ca' ...
[2012-04-23 17:07:32] [debug]     Attempting to add hardware security modules to system if applicable ...
[2012-04-23 17:07:32] [debug]         module name: lunasa  lib: /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
[2012-04-23 17:07:32] [debug]         module name: nfast  lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2012-04-23 17:07:32] [debug] configuring SELinux ...
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9180.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9701.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9443.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9444.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9446.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9445.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9447.  Port already defined otherwise.
[2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to run semanage.
[2012-04-23 17:07:34] [debug] Running restorecon commands
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/java/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/lib/pki-ca)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/run/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/log/pki-ca)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /etc/pki-ca)
[2012-04-23 17:07:34] [debug] Installation manifest: /var/lib/pki-ca/install_info
[2012-04-23 17:07:34] [debug] The following was performed:
Installed Files:
    /etc/pki-ca/CS.cfg
...
.
.
    /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
Removed Items:
    /etc/pki-ca/noise
    /etc/pki-ca/pfile

[2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart pki-cad at pki-ca.service)
[2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system logs and 'systemctl status' for details."
[2012-04-23 17:07:34] [log] Configuration Wizard listening on
https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
[2012-04-23 17:07:34] [log] After configuration, the server can be operated by the command:
/bin/systemctl restart pki-cad at pki-ca.service
[root at ipa ~]# 

[root at ipa system]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!

Are you sure you want to continue with the uninstall procedure? [no]: y
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA directory server
[root at ipa system]# 
[root at ipa system]# 
[root at ipa system]# > /var/log/audit/audit.log 
[root at ipa system]# 
[root at ipa system]# 
[root at ipa system]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.mtnirancell.ir]: 

Warning: skipping DNS resolution of host ipa.mtnirancell.ir
The domain name has been calculated based on the host name.

Please confirm the domain name [mtnirancell.ir]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [MTNIRANCELL.IR]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm): 

Do you want to configure DNS forwarders? [yes]: 
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 
No DNS forwarders configured
Do you want to configure the reverse zone? [yes]: 
Please specify the reverse zone name [58.131.10.in-addr.arpa.]: 
Using reverse zone 58.131.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      ipa.mtnirancell.ir
IP address:    10.131.58.43
Domain name:   mtnirancell.ir
Realm name:    MTNIRANCELL.IR

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  58.131.10.in-addr.arpa.

Continue to configure the system with these values? [no]: y

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 33 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa.mtnirancell.ir' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-gEoCj_' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'OiqLyU0CQxx8MRRZpuGs' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root at localhost' '-admin_XXXXXXXX' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=MTNIRANCELL.IR' '-ldap_host' 'ipa.mtnirancell.ir' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_XXXXXXXX' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=MTNIRANCELL.IR' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=MTNIRANCELL.IR' '-ca_server_cert_subject_name' 'CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=MTNIRANCELL.IR' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=MTNIRANCELL.IR' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed
[root at ipa system]# cat  /var/log/audit/audit.log 

type=SERVICE_START msg=audit(1335685711.759:154): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ntpd" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685716.195:156): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
[root at ipa system]# 

shabahang




________________________________
 From: Rob Crittenden <rcritten at redhat.com>
To: shabahang elmian <eshabahang at yahoo.com> 
Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com> 
Sent: Monday, April 23, 2012 8:16 PM
Subject: Re: [Freeipa-users] Error in Installation - unable to create CA
 
shabahang elmian wrote:
> Hello,
> There is a problem on configuring FreeIPA.
> would you please help.
>
> please find following :
>
>     2012-04-23 12:38:53,812 DEBUG duration: 5 seconds
>     2012-04-23 12:38:53,812 DEBUG [3/17]: configuring certificate server
>     instance
>     2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent
>     ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445
>     -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX
>     -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin
>     -admin_email root at localhost -admin_password XXXXXXXX -agent_name
>     ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>     -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host
>     ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager
>     -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
>     2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
>     -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
>     -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>     -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>     -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>     -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>     -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>     -external false -clone false
>     2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64
>     #######################################################################
>     CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR
>     tokenpwd:XXXXXXXX
>     #############################################
>     Attempting to connect to: ipa.mtnirancell.ir:9445
>     Exception in LoginPanel(): java.lang.NullPointerException
>     ERROR: ConfigureCA: LoginPanel() failure
>     ERROR: unable to create CA
>     #######################################################################
>     2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send
>     Request:java.net.ConnectException: Connection refused
>    java.net.ConnectException: Connection refused
>     at java.net.PlainSocketImpl.socketConnect(Native Method)
>     at
>    java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>     at
>    java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>     at
>     java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>     at java.net.Socket.connect(Socket.java:546)
>     at java.net.Socket.connect(Socket.java:495)
>     at java.net.Socket.<init>(Socket.java:392)
>     at java.net.Socket.<init>(Socket.java:235)
>     at HTTPClient.sslConnect(HTTPClient.java:326)
>     at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>     at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>     at ConfigureCA.main(ConfigureCA.java:1672)
>     java.lang.NullPointerException
>     at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>     at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>     at ConfigureCA.main(ConfigureCA.java:1672)
>
>     2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance
>     Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>     ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR
>     -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA
>     -domain_name IPA -admin_user admin -admin_email root at localhost
>     -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size
>     2048 -agent_key_type rsa -agent_cert_subject
>     CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir
>     -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
>     XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type
>     rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
>     -subsystem_name pki-cad -token_name internal
>     -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>     -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>     -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>     -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>     -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>     -external false -clone false' returned non-zero exit status 255
>     2012-04-23 12:38:56,266 DEBUG Configuration of CA failed
>     File "/usr/sbin/ipa-server-install", line 1173, in <module>
>     rval = main()
>
>     File "/usr/sbin/ipa-server-install", line 974, in main
>     subject_base=options.subject)
>
>     File
>     "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>     line 537, in configure_instance
>     self.start_creation("Configuring certificate server", 210)
>
>     File
>     "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>     line 248, in start_creation
>     method()
>
>     File
>     "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>     line 677, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
> please note :
>
>     [root at ipa ~]# uname -a
>     Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21
>     12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>     [root at ipa ~]# cat /etc/redhat-release
>     Fedora release 16 (Verne)
>     [root at ipa ~]#

It would appear that the CA silent installer (pki-silent) couldn't talk 
to the CA. There are more logs in /var/log/pki-ca that may hold more 
information on why.

You might also want to look for any new AVCs in /var/log/audit/audit.log.

regards

rob
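An added triage script, not from this thread nor from the FreeIPA or Dogtag projects, that applies Rob's advice offline: it reads lines in the pki-ca installer log format shown above and pulls out the SELinux port-label conflicts and failed commands, then scans audit.log records for AVC denials. The log text embedded below is constructed to mirror the thread's lines; the single AVC record is an invented illustration of the shape such a denial takes, not something observed in this installation.

```python
import re

# Installer log record: "[YYYY-MM-DD HH:MM:SS] [level] message"
INSTALL_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
PORT_CONFLICT = re.compile(r"Failed setting selinux context (?P<ctx>\S+) for (?P<port>\d+)\.")
FAILED_CMD = re.compile(r'FAILED run_command\("(?P<cmd>[^"]+)"\), exit status=(?P<status>\d+)')
# audit.log AVC record; SERVICE_START/STOP records do not match and are ignored
AVC_DENIED = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perm>[^}]+)\}.*?comm="(?P<comm>[^"]+)".*?tcontext=(?P<tctx>\S+)')

def triage(install_log, audit_log):
    """Return the SELinux port-label conflicts and failed commands from the
    installer log, plus any AVC denials from audit.log (empty lists if none)."""
    report = {"port_conflicts": [], "failed_commands": [], "avc_denials": []}
    for line in install_log.splitlines():
        m = INSTALL_LINE.match(line)
        if not m or m.group("level") != "error":
            continue  # only [error] records carry the failures of interest
        pc = PORT_CONFLICT.search(m.group("msg"))
        if pc:
            report["port_conflicts"].append((int(pc.group("port")), pc.group("ctx")))
        fc = FAILED_CMD.search(m.group("msg"))
        if fc:
            report["failed_commands"].append((fc.group("cmd"), int(fc.group("status"))))
    for line in audit_log.splitlines():
        av = AVC_DENIED.search(line)
        if av:
            report["avc_denials"].append(
                (av.group("comm"), av.group("perm").strip(), av.group("tctx")))
    return report

# Constructed sample input modelled on the thread's installer log (not copied verbatim).
INSTALL_LOG = """\
[2012-04-23 17:07:32] [debug] configuring SELinux ...
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9180.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9445.  Port already defined otherwise.
[2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to run semanage.
[2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart pki-cad@pki-ca.service"), exit status=1 output="Job failed."
"""
# Constructed: one systemd SERVICE_START record (ignored) and one invented AVC
# denial showing the shape to look for; no such denial appears in the thread.
AUDIT_LOG = """\
type=SERVICE_START msg=audit(1335685711.759:154): pid=0 uid=0 subj=system_u:system_r:init_t:s0 msg=' comm="ntpd" exe="/bin/systemd" res=success'
type=AVC msg=audit(1335685720.000:160): avc:  denied  { name_bind } for  pid=1234 comm="java" src=9445 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

if __name__ == "__main__":
    for key, items in triage(INSTALL_LOG, AUDIT_LOG).items():
        print(key, items)
```

On a real host, feed it the contents of /var/log/pki-ca's install log and /var/log/audit/audit.log; an empty avc_denials list with port conflicts still present points at the existing port labels rather than at a denial.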