[Freeipa-users] Fedora 17 -- ipa-server-install fails at "configuring certificate server instance"
Rob Crittenden
rcritten at redhat.com
Thu Jul 19 19:04:04 UTC 2012
Brian Wheeler wrote:
> I've been fighting with this for a couple of hours so it must be time to
> ask for help :)
>
> I've got a clean (and up to date) Fedora 17 install and when I try to
> install freeipa it fails when it's running pkisilent to configure the
> certificate server instance.
> ==================
> Configuring certificate server: Estimated time 3 minutes 30 seconds
> [1/17]: creating certificate server user
> [2/17]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> wombat.dlib.indiana.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-dxxeEf
> -client_certdb_pwd XXXXXXXX -preop_pin hR0AShCYdzVB5g5frPxh -domain_name
> IPA -admin_user admin -admin_email root at localhost -admin_password
> XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type
> rsa -agent_cert_subject CN=ipa-ca-agent,O=DLIB.INDIANA.EDU -ldap_host
> wombat.dlib.indiana.edu -ldap_port 7389 -bind_dn cn=Directory Manager
> -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048
> -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
> XXXXXXXX -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=DLIB.INDIANA.EDU
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=DLIB.INDIANA.EDU
> -ca_server_cert_subject_name
> CN=wombat.dlib.indiana.edu,O=DLIB.INDIANA.EDU
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=DLIB.INDIANA.EDU
> -ca_sign_cert_subject_name CN=Certificate Authority,O=DLIB.INDIANA.EDU
> -external false -clone false' returned non-zero exit status 255
> Unexpected error - see ipaserver-install.log for details:
> Configuration of CA failed
> =================
>
> The relevant logs in ipaserver-install.log seem to be:
> ============
> Attempting to connect to: wombat.dlib.indiana.edu:9445
> Exception in LoginPanel(): java.lang.NullPointerException
> ERROR: ConfigureCA: LoginPanel() failure
> ERROR: unable to create CA
>
> #######################################################################
>
> 2012-07-19T18:06:23Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
> java.net.ConnectException: Connection refused
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
> at java.net.Socket.connect(Socket.java:579)
> at java.net.Socket.connect(Socket.java:528)
> at java.net.Socket.<init>(Socket.java:425)
> at java.net.Socket.<init>(Socket.java:241)
> at HTTPClient.sslConnect(HTTPClient.java:326)
> at ConfigureCA.LoginPanel(ConfigureCA.java:244)
> at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> at ConfigureCA.main(ConfigureCA.java:1672)
> java.lang.NullPointerException
> at ConfigureCA.LoginPanel(ConfigureCA.java:245)
> at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> at ConfigureCA.main(ConfigureCA.java:1672)
> =============
>
> Any troubleshooting hints for this?
Try re-installing the pki-selinux package.
What I would do is this:
# ipa-server-install --uninstall -U
# ls -ld /var/lib/pki-ca
If it exists run:
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
# yum reinstall pki-selinux
We're not sure why re-installing that package is required sometimes; the
dogtag team has a bug open on it:
https://bugzilla.redhat.com/show_bug.cgi?id=746275
rob