[Freeipa-users] Install error pkispawn

NEVEU Stephane stephane.neveu at thalesgroup.com
Tue Aug 6 12:22:40 UTC 2013


Hi Martin & thank you for your reply :)

I added the update-testing repositories on Fedora 19 after reading this: http://www.redhat.com/archives/freeipa-users/2013-June/msg00099.html
But nothing changed. I also tried with SELinux disabled/enabled, but same issue...


Here we go:

[root@omcsvcipa01d ~]# rpm -qa freeipa-server pki-ca "java-*-openjdk-*"
java-1.7.0-openjdk-devel-1.7.0.25-2.3.12.3.fc19.x86_64
freeipa-server-3.2.2-1.fc19.x86_64
pki-ca-10.0.4-2.fc19.noarch

[root@omcsvcipa01d ~]# ausearch -m AVC
----
time->Tue Aug  6 08:07:36 2013
type=SYSCALL msg=audit(1375776456.741:125): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fd5080076e0 a2=90800 a3=0 items=0 ppid=1 pid=1995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1375776456.741:125): avc:  denied  { read } for  pid=1995 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Tue Aug  6 08:07:36 2013
type=SYSCALL msg=audit(1375776456.741:126): arch=c000003e syscall=2 success=no exit=-13 a0=7fd508007700 a1=242 a2=180 a3=0 items=0 ppid=1 pid=1995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1375776456.741:126): avc:  denied  { write } for  pid=1995 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Tue Aug  6 08:19:15 2013
type=SYSCALL msg=audit(1375777155.023:174): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f33540072b0 a2=90800 a3=0 items=0 ppid=2713 pid=2734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1375777155.023:174): avc:  denied  { read } for  pid=2734 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Tue Aug  6 08:19:15 2013
type=SYSCALL msg=audit(1375777155.023:175): arch=c000003e syscall=2 success=no exit=-13 a0=7f33540072d0 a1=242 a2=180 a3=0 items=0 ppid=2713 pid=2734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1375777155.023:175): avc:  denied  { write } for  pid=2734 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir

Errors in the ipaserver-install.log:
...
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca


2013-08-06T12:05:08Z DEBUG Starting external process
2013-08-06T12:05:08Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpRlQD7m
2013-08-06T12:05:09Z DEBUG Process finished, return code=1
2013-08-06T12:05:09Z DEBUG stdout=Loading deployment configuration from /tmp/tmpRlQD7m.
Installing CA into /var/lib/pki/pki-tomcat.
Installation failed.


2013-08-06T12:05:09Z DEBUG stderr=pkispawn    : ERROR    ....... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!

2013-08-06T12:05:09Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpRlQD7m' returned non-zero exit status 1
2013-08-06T12:05:09Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 616, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 1022, in main
    dm_password, subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 363, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 736, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2013-08-06T12:05:09Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

And catalina.out:

Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://omcsvcipa01d.dev.cloud-omc.thales:9080/ca/ocsp' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'false' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Aug 06, 2013 8:07:38 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Aug 06, 2013 8:07:38 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
JSSSocketFactory init - exception thrown:java.lang.NullPointerException

Aug 06, 2013 8:07:38 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1488 ms
Aug 06, 2013 8:07:38 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Aug 06, 2013 8:07:38 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.40
Aug 06, 2013 8:07:39 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/pki
Aug 06, 2013 8:07:41 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/ca
SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
SSLAuthenticatorWithFallback: Setting container
SSLAuthenticatorWithFallback: Initializing authenticators
SSLAuthenticatorWithFallback: Starting authenticators
08:07:43,538 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
08:07:43,545 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Aug 06, 2013 8:07:44 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/ROOT
Aug 06, 2013 8:07:45 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Aug 06, 2013 8:07:45 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Aug 06, 2013 8:07:45 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Aug 06, 2013 8:07:45 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 6725 ms
Aug 06, 2013 8:19:15 AM org.apache.catalina.core.StandardServer await
INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Aug 06, 2013 8:19:15 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-bio-8080"]
Aug 06, 2013 8:19:15 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-bio-8443"]
Aug 06, 2013 8:19:15 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Aug 06, 2013 8:19:15 AM org.apache.catalina.core.StandardService stopInternal
INFO: Stopping service Catalina





-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Tuesday, 6 August 2013 13:48
To: NEVEU Stephane
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Install error pkispawn

On 08/06/2013 10:48 AM, NEVEU Stephane wrote:
> Hi guys,
>
> New & trying to install FreeIPA-server with the online documentation on a fresh Fedora 19... I've got this error message:
> Any idea is welcome :)
> Thank you
> ...
> Continue to configure the system with these values? [no]: yes
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/38]: creating directory server user
>   [2/38]: creating directory server instance
>   [3/38]: adding default schema
>   [4/38]: enabling memberof plugin
>   [5/38]: enabling winsync plugin
>   [6/38]: configuring replication version plugin
>   [7/38]: enabling IPA enrollment plugin
>   [8/38]: enabling ldapi
>   [9/38]: configuring uniqueness plugin
>   [10/38]: configuring uuid plugin
>   [11/38]: configuring modrdn plugin
>   [12/38]: configuring DNS plugin
>   [13/38]: enabling entryUSN plugin
>   [14/38]: configuring lockout plugin
>   [15/38]: creating indices
>   [16/38]: enabling referential integrity plugin
>   [17/38]: configuring certmap.conf
>   [18/38]: configure autobind for root
>   [19/38]: configure new location for managed entries
>   [20/38]: configure dirsrv ccache
>   [21/38]: enable SASL mapping fallback
>   [22/38]: restarting directory server
>   [23/38]: adding default layout
>   [24/38]: adding delegation layout
>   [25/38]: creating container for managed entries
>   [26/38]: configuring user private groups
>   [27/38]: configuring netgroups from hostgroups
>   [28/38]: creating default Sudo bind user
>   [29/38]: creating default Auto Member layout
>   [30/38]: adding range check plugin
>   [31/38]: creating default HBAC rule allow_all
>   [32/38]: initializing group membership
>   [33/38]: adding master entry
>   [34/38]: configuring Posix uid/gid generation
>   [35/38]: adding replication acis
>   [36/38]: enabling compatibility plugin
>   [37/38]: tuning directory server
>   [38/38]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpFi7bLc' returned non-zero exit status 1
> Configuration of CA failed
>

Hello Stephane,

Thanks for contacting the list! First, we need to get more information about the failure, i.e.:

1) $ rpm -qa freeipa-server pki-ca "java-*-openjdk-*"
2) Related errors from /var/log/ipaserver-install.log
3) Related errors from /var/log/pki/pki-tomcat/catalina.out (if any)
4) # ausearch -m AVC

Martin
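
Item 4 of the checklist returns the same SELinux denial several times over. As an added example (not part of the original thread or of FreeIPA), this Python sketch collapses `ausearch -m AVC` output into unique source type / target type / class groups; the function names are hypothetical and the sample input is the four AVC records posted above.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output in this thread (SYSCALL lines omitted).
SAMPLE = """\
type=AVC msg=audit(1375776456.741:125): avc:  denied  { read } for  pid=1995 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
type=AVC msg=audit(1375776456.741:126): avc:  denied  { write } for  pid=1995 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
type=AVC msg=audit(1375777155.023:174): avc:  denied  { read } for  pid=2734 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
type=AVC msg=audit(1375777155.023:175): avc:  denied  { write } for  pid=2734 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    fields["serial"] = int(m.group("serial"))
    return fields

def selinux_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class, object name)."""
    groups = defaultdict(lambda: {"perms": set(), "pids": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]),
               rec["tclass"], rec.get("name", ""))
        groups[key]["perms"].update(rec["perms"])
        groups[key]["pids"].add(int(rec["pid"]))
        groups[key]["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, name), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} name={name} perms={sorted(g['perms'])} "
              f"pids={sorted(g['pids'])} records={g['count']}")
```

On the records posted here, all four collapse into one group: `pki_tomcat_t` denied `read` and `write` on the directory `hsperfdata_root` labelled `rpm_script_tmp_t`.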



