[Freeipa-users] FreeIPA 3 rc1 sslget error

Pieter Baele pieter.baele at gmail.com
Thu Sep 27 07:56:02 UTC 2012 

Hi,

Two problems with FreeIPA 3 on an updated fedora 17 (updates-testing enabled)

1) dependency error for libsss_sudo

Error: Package: sudo-1.8.3p1-7.fc17.x86_64 (@updates)
           Requires: libsss_sudo.so.0(EXPORTED)(64bit)
           Removing: libsss_sudo-1.8.4-14.fc17.x86_64 (@updates)
               libsss_sudo.so.0(EXPORTED)(64bit)
           Updated By:
libsss_sudo-1.8.99-0.20120913T1717Zgitbb42eab.fc17.x86_64
(freeipa-devel)
               Not found
           Available: libsss_sudo-1.8.2-10.fc17.x86_64 (fedora)
               libsss_sudo.so.0(EXPORTED)(64bit)
Error: Package: sudo-1.8.3p1-7.fc17.x86_64 (@updates)
           Requires: libsss_sudo.so.0()(64bit)
           Removing: libsss_sudo-1.8.4-14.fc17.x86_64 (@updates)
               libsss_sudo.so.0()(64bit)
           Updated By:
libsss_sudo-1.8.99-0.20120913T1717Zgitbb42eab.fc17.x86_64
(freeipa-devel)
               Not found
           Available: libsss_sudo-1.8.2-10.fc17.x86_64 (fedora)
               libsss_sudo.so.0()(64bit)


2) some error on RA agent certificate issuing

[16/20]: issuing RA agent certificate
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p
XXXXXXXX -d /tmp/tmp-1ItZiZ -r /ca/agent/ca/profileReview?requestId=7
ipa.nix.be:9443' returned non-zero exit status 6


3) if I then try to remove using --uninstall, I get this error
Unexpected error - see /var/log/ipaserver-uninstall.log for details:
CalledProcessError: Command '/bin/systemctl start messagebus.service'
returned non-zero exit status 1


DEBUG LOG (2)
=========

- 2012-09-27T07:22:01Z DEBUG   [8/20]: fixing RA database permissions
2012-09-27T07:22:01Z DEBUG   duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [9/20]: setting up signing cert profile
2012-09-27T07:22:01Z DEBUG   duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [10/20]: set up CRL publishing
2012-09-27T07:22:01Z DEBUG args=/usr/sbin/selinuxenabled
2012-09-27T07:22:01Z DEBUG stdout=
2012-09-27T07:22:01Z DEBUG stderr=
2012-09-27T07:22:01Z DEBUG args=/usr/sbin/restorecon /var/lib/pki-ca/publish
2012-09-27T07:22:01Z DEBUG stdout=
2012-09-27T07:22:01Z DEBUG stderr=
2012-09-27T07:22:01Z DEBUG   duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [11/20]: set certificate subject base
2012-09-27T07:22:01Z DEBUG   duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [12/20]: enabling Subject Key Identifier
2012-09-27T07:22:01Z DEBUG   duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [13/20]: configuring certificate server
to start on boot
2012-09-27T07:22:01Z DEBUG args=/bin/systemctl is-enabled pki-cad.target
2012-09-27T07:22:01Z DEBUG stdout=disabled

2012-09-27T07:22:01Z DEBUG stderr=
2012-09-27T07:22:01Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2012-09-27T07:22:01Z DEBUG   duration: 0 seconds
2012-09-27T07:22:01Z DEBUG   [14/20]: restarting certificate server
2012-09-27T07:22:02Z DEBUG args=/bin/systemctl restart pki-cad at pki-ca.service
2012-09-27T07:22:02Z DEBUG stdout=
2012-09-27T07:22:02Z DEBUG stderr=
2012-09-27T07:22:02Z DEBUG args=/bin/systemctl is-active pki-cad at pki-ca.service
2012-09-27T07:22:02Z DEBUG stdout=active

2012-09-27T07:22:02Z DEBUG stderr=
2012-09-27T07:22:02Z DEBUG wait_for_open_ports: localhost [9180] timeout 120
2012-09-27T07:22:04Z DEBUG   duration: 3 seconds
2012-09-27T07:22:04Z DEBUG   [15/20]: requesting RA certificate from CA
2012-09-27T07:22:07Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias
-f XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=NIX.BE -z /tmp/tmpW2tvmL
-a
2012-09-27T07:22:07Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: IPA RA
Email: (not specified)
Organization: NIX.BE
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICbTCCAVUCAQAwKDEVMBMGA1UEChMMTklYLlJBSUxCLkJFMQ8wDQYDVQQDEwZJ
<cut>
Mw==
-----END NEW CERTIFICATE REQUEST-----

2012-09-27T07:22:07Z DEBUG stderr=

Generating key.  This may take a few moments...


2012-09-27T07:22:11Z DEBUG   duration: 6 seconds
2012-09-27T07:22:11Z DEBUG   [16/20]: issuing RA agent certificate
2012-09-27T07:22:11Z DEBUG args=/usr/bin/certutil -d /tmp/tmp-1ItZiZ
-f XXXXXXXX -M -t CT,C,C -n Certificate Authority - NIX.BE
2012-09-27T07:22:11Z DEBUG stdout=
2012-09-27T07:22:11Z DEBUG stderr=
2012-09-27T07:22:11Z DEBUG args=/usr/bin/sslget -v -n ipa-ca-agent -p
XXXXXXXX -d /tmp/tmp-1ItZiZ -r /ca/agent/ca/profileReview?requestId=7
ipa.nix.be:9443
2012-09-27T07:22:11Z DEBUG stdout=
2012-09-27T07:22:11Z DEBUG stderr=GET
/ca/agent/ca/profileReview?requestId=7 HTTP/1.0

port: 9443
addr='ipa.nix.be'
family='10'
exit after PR_Connect with error -5987:

2012-09-27T07:22:11Z INFO   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 614, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 931, in main
    subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 562, in configure_instance
    self.start_creation("Configuring certificate server", 210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 321, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 903, in __issue_ra_cert
    (stdout, stderr, returncode) = ipautil.run(args,
nolog=(self.admin_password,))

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 309, in run
    raise CalledProcessError(p.returncode, args)

2012-09-27T07:22:11Z INFO The ipa-server-install command failed,
exception: CalledProcessError: Command '/usr/bin/sslget -v -n
ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-1ItZiZ -r
/ca/agent/ca/profileReview?requestId=7 ipa.nix.be:9443' returned
non-zero exit status 6

More information about the Freeipa-users mailing list