[Freeipa-users] Error in Installation - unable to create CA

Rob Crittenden rcritten at redhat.com
Wed May 2 15:34:02 UTC 2012


shabahang elmian wrote:
> Hello,
> I would be thankful if someone can help me to resolve the problem.

We need to see /var/log/ipaserver-install.log and potentially 
/var/log/pki-ca/debug to determine what the problem is.

It would appear that the CA process didn't start.

Details on your versions of ipa-server and pki-ca would be helpful too.

rob
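
As an added diagnostic helper (not from this thread, FreeIPA or Dogtag), the script below turns the checks above into something repeatable against saved copies of the files: it pulls the failure signatures out of the pkicreate/installer log, resolves which SELinux type actually owns each CA port in a saved `semanage port -l` listing (which is what "Port already defined otherwise" is complaining about), and lists AVC denials from audit.log. The sample log, port listing and audit records embedded in it are constructed for the demo with a placeholder host; the SELinux types `pki_ca_t` and `http_port_t` in the sample are assumptions, as is the idea that 9445 was handed to another port type.

```shell
#!/usr/bin/env bash
# Offline triage for a failed FreeIPA/Dogtag CA install (added example, not FreeIPA code).
# Reads saved copies of: the pkicreate/ipaserver-install log, `semanage port -l`
# output and audit.log. All sample data below is constructed; host is a placeholder.

# ca_failure_summary LOG: one sorted finding per line for the signatures seen in the
# thread: pki-cad failing to start, the silent configurator getting "Connection
# refused" on the admin port, and SELinux port-label conflicts (type and port).
ca_failure_summary() {
    local log="$1"
    {
        grep -qF 'FAILED run_command("/bin/systemctl restart pki-cad' "$log" \
            && echo "service-start-failed:pki-cad@pki-ca.service"
        grep -qF 'ConnectException: Connection refused' "$log" \
            && echo "connect-refused"
        sed -n 's/.*Failed setting selinux context \([a-z_]*\) for \([0-9]*\)\..*/selinux-port-conflict:\2:\1/p' "$log"
    } | LC_ALL=C sort -u
}

# port_owner LISTING PORT: SELinux port type(s) whose tcp ranges cover PORT in a saved
# `semanage port -l` listing, or "unlabeled". A port the installer could not label
# pki_ca_port_t shows up here with whatever type already claims it.
port_owner() {
    local listing="$1" port="$2"
    awk -v p="$port" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                spec = $i; sub(/,$/, "", spec)          # "9180," -> "9180"
                n = split(spec, r, "-")                  # "9443-9447" -> lo/hi
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (p + 0 >= lo && p + 0 <= hi) { owners = owners (owners ? " " : "") $1; break }
            }
        }
        END { print (owners ? owners : "unlabeled") }' "$listing"
}

# The ports pkicreate tried to label pki_ca_port_t in the thread.
CA_PORTS="9180 9701 9443 9444 9445 9446 9447"

# ca_port_conflicts LISTING: CA ports not owned exactly by pki_ca_port_t.
ca_port_conflicts() {
    local listing="$1" p owner
    for p in $CA_PORTS; do
        owner=$(port_owner "$listing" "$p")
        [ "$owner" = "pki_ca_port_t" ] || echo "$p $owner"
    done
}

# avc_summary AUDITLOG: "comm source_type target_type tclass" per AVC denial. The
# excerpt in the thread has only SERVICE_START/STOP records; a CA blocked by SELinux
# would add type=AVC lines like the constructed one below.
avc_summary() {
    awk '/^type=AVC / && /denied/ {
        comm = sc = tc = cls = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); sc = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tc = c[3] }
            else if (kv[1] == "tclass") cls = kv[2]
        }
        print comm, sc, tc, cls
    }' "$1"
}

# --- constructed sample input, modelled on the thread's lines (placeholder host) ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/pkicreate.log" <<'EOF'
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9180. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9445. Port already defined otherwise.
[2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart pki-cad@pki-ca.service)
[2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart pki-cad@pki-ca.service"), exit status=1 output="Job failed. See system logs and 'systemctl status' for details."
[2012-04-23 17:07:34] [log] Configuration Wizard listening on https://ipa.example.test:9445/ca/admin/console/config/login?pin=REDACTED
2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
EOF
# Trimmed `semanage port -l` listing in which 9445 belongs to http_port_t (assumed).
cat > "$DEMO_DIR/ports.txt" <<'EOF'
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000, 9445
pki_ca_port_t                  tcp      9701, 9443-9444, 9446-9447
http_port_t                    udp      80
EOF
cat > "$DEMO_DIR/audit.log" <<'EOF'
type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1335685716.300:159): avc:  denied  { name_bind } for  pid=1234 comm="java" src=9445 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
EOF

# triage LOG LISTING AUDITLOG: the report you would paste into a reply.
triage() {
    echo "== installer findings =="; ca_failure_summary "$1"
    echo "== CA ports not labelled pki_ca_port_t =="; ca_port_conflicts "$2"
    echo "== AVC denials =="; avc_summary "$3"
}
triage "$DEMO_DIR/pkicreate.log" "$DEMO_DIR/ports.txt" "$DEMO_DIR/audit.log"
```

On a live host, feed it the real files: /var/log/ipaserver-install.log or the pkicreate output, `semanage port -l > ports.txt`, and a copy of /var/log/audit/audit.log. A port reported as owned by another type is the one to fix with `semanage port` before re-running the installer, and a non-empty AVC section is what the earlier reply meant by "new AVCs". The script only reads saved output; why the `systemctl restart pki-cad@pki-ca.service` job itself failed still has to come from `systemctl status` and /var/log/pki-ca on the box.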

>
> Shabahang
>
> ------------------------------------------------------------------------
> *From:* shabahang elmian <eshabahang at yahoo.com>
> *To:* Rob Crittenden <rcritten at redhat.com>
> *Cc:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Sent:* Sunday, April 29, 2012 12:21 PM
> *Subject:* Re: [Freeipa-users] Error in Installation - unable to create CA
>
> [2012-04-23 17:07:32] [debug]
> set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser,
> pkiuser)
> [2012-04-23 17:07:32] [debug]
> set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
> [2012-04-23 17:07:32] [debug]
> set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
> [2012-04-23 17:07:32] [debug]
> set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
> [2012-04-23 17:07:32] [debug] Processing PKI security modules for
> '/var/lib/pki-ca' ...
> [2012-04-23 17:07:32] [debug] Attempting to add hardware security
> modules to system if applicable ...
> [2012-04-23 17:07:32] [debug] module name: lunasa lib:
> /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
> [2012-04-23 17:07:32] [debug] module name: nfast lib:
> /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
> [2012-04-23 17:07:32] [debug] configuring SELinux ...
> [2012-04-23 17:07:34] [error] Failed setting selinux context
> pki_ca_port_t for 9180. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context
> pki_ca_port_t for 9701. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context
> pki_ca_port_t for 9443. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context
> pki_ca_port_t for 9444. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context
> pki_ca_port_t for 9446. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context
> pki_ca_port_t for 9445. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context
> pki_ca_port_t for 9447. Port already defined otherwise.
> [2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to
> run semanage.
> [2012-04-23 17:07:34] [debug] Running restorecon commands
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
> /usr/share/java/pki)
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
> /usr/share/pki)
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
> /var/lib/pki-ca)
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
> /var/run/pki)
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
> /var/log/pki-ca)
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
> /etc/pki-ca)
> [2012-04-23 17:07:34] [debug] Installation manifest:
> /var/lib/pki-ca/install_info
> [2012-04-23 17:07:34] [debug] The following was performed:
> Installed Files:
> /etc/pki-ca/CS.cfg
> ...
> .
> .
> /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
> Removed Items:
> /etc/pki-ca/noise
> /etc/pki-ca/pfile
>
> [2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart
> pki-cad at pki-ca.service)
> [2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart
> pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system
> logs and 'systemctl status' for details."
> [2012-04-23 17:07:34] [log] Configuration Wizard listening on
> https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
> [2012-04-23 17:07:34] [log] After configuration, the server can be
> operated by the command:
> /bin/systemctl restart pki-cad at pki-ca.service
> [root at ipa ~]#
>
> [root at ipa system]# ipa-server-install --uninstall
>
> This is a NON REVERSIBLE operation and will delete all data and
> configuration!
>
> Are you sure you want to continue with the uninstall procedure? [no]: y
> Shutting down all IPA services
> Removing IPA client configuration
> Unconfiguring ntpd
> Unconfiguring CA directory server
> [root at ipa system]#
> [root at ipa system]#
> [root at ipa system]# > /var/log/audit/audit.log
> [root at ipa system]#
> [root at ipa system]#
> [root at ipa system]# ipa-server-install --setup-dns
>
> The log file for this installation can be found in
> /var/log/ipaserver-install.log
> ==============================================================================
> This program will set up the FreeIPA Server.
>
> This includes:
> * Configure a stand-alone CA (dogtag) for certificate management
> * Configure the Network Time Daemon (ntpd)
> * Create and configure an instance of Directory Server
> * Create and configure a Kerberos Key Distribution Center (KDC)
> * Configure Apache (httpd)
> * Configure DNS (bind)
>
> To accept the default shown in brackets, press the Enter key.
>
> Existing BIND configuration detected, overwrite? [no]: y
> Enter the fully qualified domain name of the computer
> on which you're setting up server software. Using the form
> <hostname>.<domainname>
> Example: master.example.com.
>
>
> Server host name [ipa.mtnirancell.ir]:
>
> Warning: skipping DNS resolution of host ipa.mtnirancell.ir
> The domain name has been calculated based on the host name.
>
> Please confirm the domain name [mtnirancell.ir]:
>
> The kerberos protocol requires a Realm name to be defined.
> This is typically the domain name converted to uppercase.
>
> Please provide a realm name [MTNIRANCELL.IR]:
> Certain directory server operations require an administrative user.
> This user is referred to as the Directory Manager and has full access
> to the Directory for system management tasks and will be added to the
> instance of directory server created for IPA.
> The password must be at least 8 characters long.
>
> Directory Manager password:
> Password (confirm):
>
> The IPA server requires an administrative user, named 'admin'.
> This user is a regular system account used for IPA server administration.
>
> IPA admin password:
> Password (confirm):
>
> Do you want to configure DNS forwarders? [yes]:
> Enter the IP address of DNS forwarder to use, or press Enter to finish.
> Enter IP address for a DNS forwarder:
> No DNS forwarders configured
> Do you want to configure the reverse zone? [yes]:
> Please specify the reverse zone name [58.131.10.in-addr.arpa.]:
> Using reverse zone 58.131.10.in-addr.arpa.
>
> The IPA Master Server will be configured with:
> Hostname: ipa.mtnirancell.ir
> IP address: 10.131.58.43
> Domain name: mtnirancell.ir
> Realm name: MTNIRANCELL.IR
>
> BIND DNS server will be configured to serve IPA domain with:
> Forwarders: No forwarders
> Reverse zone: 58.131.10.in-addr.arpa.
>
> Continue to configure the system with these values? [no]: y
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring ntpd
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server for the CA: Estimated time 30 minutes 30
> seconds
> [1/3]: creating directory server user
> [2/3]: creating directory server instance
> [3/3]: restarting directory server
> done configuring pkids.
> Configuring certificate server: Estimated time 33 minutes 30 seconds
> [1/16]: creating certificate server user
> [2/16]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
> /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa.mtnirancell.ir'
> '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-gEoCj_'
> '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'OiqLyU0CQxx8MRRZpuGs'
> '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
> 'root at localhost' '-admin_XXXXXXXX' XXXXXXXX '-agent_name' 'ipa-ca-agent'
> '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject'
> 'CN=ipa-ca-agent,O=MTNIRANCELL.IR' '-ldap_host' 'ipa.mtnirancell.ir'
> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_XXXXXXXX'
> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
> Subsystem,O=MTNIRANCELL.IR' '-ca_ocsp_cert_subject_name' 'CN=OCSP
> Subsystem,O=MTNIRANCELL.IR' '-ca_server_cert_subject_name'
> 'CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR'
> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=MTNIRANCELL.IR'
> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=MTNIRANCELL.IR'
> '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
> Unexpected error - see ipaserver-install.log for details:
> Configuration of CA failed
> [root at ipa system]# cat /var/log/audit/audit.log
> type=SERVICE_START msg=audit(1335685711.759:154): pid=0 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
> comm="ntpd" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
> type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
> res=success'
> type=SERVICE_START msg=audit(1335685716.195:156): pid=0 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
> res=success'
> type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
> res=success'
> type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
> res=success'
> [root at ipa system]#
>
> shabahang
>
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten at redhat.com>
> *To:* shabahang elmian <eshabahang at yahoo.com>
> *Cc:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Sent:* Monday, April 23, 2012 8:16 PM
> *Subject:* Re: [Freeipa-users] Error in Installation - unable to create CA
>
> shabahang elmian wrote:
>  > Hello,
>  > There is a problem on configuring FreeIPA.
>  > would you please help.
>  >
>  > please find following :
>  >
>  > 2012-04-23 12:38:53,812 DEBUG duration: 5 seconds
>  > 2012-04-23 12:38:53,812 DEBUG [3/17]: configuring certificate server
>  > instance
>  > 2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent
>  > ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445
>  > -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX
>  > -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin
>  > -admin_email root at localhost -admin_password XXXXXXXX -agent_name
>  > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>  > -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host
>  > ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager
>  > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
>  > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
>  > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
>  > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>  > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>  > -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>  > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>  > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>  > -external false -clone false
>  > 2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64
>  > #######################################################################
>  > CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR
>  > tokenpwd:XXXXXXXX
>  > #############################################
>  > Attempting to connect to: ipa.mtnirancell.ir:9445
>  > Exception in LoginPanel(): java.lang.NullPointerException
>  > ERROR: ConfigureCA: LoginPanel() failure
>  > ERROR: unable to create CA
>  > #######################################################################
>  > 2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send
>  > Request:java.net.ConnectException: Connection refused
>  > java.net.ConnectException: Connection refused
>  > at java.net.PlainSocketImpl.socketConnect(Native Method)
>  > at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>  > at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>  > at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>  > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>  > at java.net.Socket.connect(Socket.java:546)
>  > at java.net.Socket.connect(Socket.java:495)
>  > at java.net.Socket.<init>(Socket.java:392)
>  > at java.net.Socket.<init>(Socket.java:235)
>  > at HTTPClient.sslConnect(HTTPClient.java:326)
>  > at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>  > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>  > at ConfigureCA.main(ConfigureCA.java:1672)
>  > java.lang.NullPointerException
>  > at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>  > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>  > at ConfigureCA.main(ConfigureCA.java:1672)
>  >
>  > 2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance
>  > Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>  > ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR
>  > -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA
>  > -domain_name IPA -admin_user admin -admin_email root at localhost
>  > -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size
>  > 2048 -agent_key_type rsa -agent_cert_subject
>  > CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir
>  > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
>  > XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type
>  > rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
>  > -subsystem_name pki-cad -token_name internal
>  > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>  > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>  > -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>  > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>  > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>  > -external false -clone false' returned non-zero exit status 255
>  > 2012-04-23 12:38:56,266 DEBUG Configuration of CA failed
>  > File "/usr/sbin/ipa-server-install", line 1173, in <module>
>  > rval = main()
>  >
>  > File "/usr/sbin/ipa-server-install", line 974, in main
>  > subject_base=options.subject)
>  >
>  > File
>  > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>  > line 537, in configure_instance
>  > self.start_creation("Configuring certificate server", 210)
>  >
>  > File
>  > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>  > line 248, in start_creation
>  > method()
>  >
>  > File
>  > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>  > line 677, in __configure_instance
>  > raise RuntimeError('Configuration of CA failed')
>  >
>  > please note :
>  >
>  > [root at ipa ~]# uname -a
>  > Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21
>  > 12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>  > [root at ipa ~]# cat /etc/redhat-release
>  > Fedora release 16 (Verne)
>  > [root at ipa ~]#
>
> It would appear that the CA silent installer (pki-silent) couldn't talk
> to the CA. There are more logs in /var/log/pki-ca that may hold more
> information on why.
>
> You might also want to look for any new AVCs in /var/log/audit/audit.log.
>
> regards
>
> rob
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>