[Freeipa-users] Install error pkispawn

NEVEU Stephane stephane.neveu at thalesgroup.com
Tue Aug 6 13:03:14 UTC 2013


Yes, I've tried the installation twice...
setenforce 0 and pkidestroy -s CA -i pki-tomcat solved my issue! Setup completed...
Many thanks Martin for your help :)



-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Tuesday, 6 August 2013 14:45
To: NEVEU Stephane
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Install error pkispawn

Thanks!

I see there are some SELinux issues for accessing /tmp/hsperfdata_root, they look strange.

But what seems even stranger is this error in /var/log/ipaserver_install.log:

2013-08-06T12:05:09Z DEBUG stderr=pkispawn    : ERROR    ....... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!

Did you try to install IPA server before?

This procedure may help to re-install:

# ipa-server-install --uninstall --unattended
# pkidestroy -s CA -i pki-tomcat

The second command makes sure that the PKI instance is not left configured on the system. After these 2 commands, you can try to install IPA server again.

If that fails again, second thing we can try is to:
1) Run the clean up commands as above again
2) Turn SELinux to permissive with "# setenforce 0"
3) Run IPA server installation again

I hope that these procedures will now lead to successful installation :-)

Martin

On 08/06/2013 02:22 PM, NEVEU Stephane wrote:
>
> Hi Martin & thank you for your reply :)
>
> I added the updates-testing repositories on Fedora 19 after reading this:
> http://www.redhat.com/archives/freeipa-users/2013-June/msg00099.html
> But nothing changed; I also tried with SELinux disabled/enabled but same issue...
>
>
> Here we go:
>
> [root@omcsvcipa01d ~]# rpm -qa freeipa-server pki-ca "java-*-openjdk-*"
> java-1.7.0-openjdk-devel-1.7.0.25-2.3.12.3.fc19.x86_64
> freeipa-server-3.2.2-1.fc19.x86_64
> pki-ca-10.0.4-2.fc19.noarch
>
> [root@omcsvcipa01d ~]# ausearch -m AVC
> ----
> time->Tue Aug  6 08:07:36 2013
> type=SYSCALL msg=audit(1375776456.741:125): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fd5080076e0 a2=90800 a3=0 items=0 ppid=1 pid=1995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
> type=AVC msg=audit(1375776456.741:125): avc:  denied  { read } for  pid=1995 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
> ----
> time->Tue Aug  6 08:07:36 2013
> type=SYSCALL msg=audit(1375776456.741:126): arch=c000003e syscall=2 success=no exit=-13 a0=7fd508007700 a1=242 a2=180 a3=0 items=0 ppid=1 pid=1995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
> type=AVC msg=audit(1375776456.741:126): avc:  denied  { write } for  pid=1995 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
> ----
> time->Tue Aug  6 08:19:15 2013
> type=SYSCALL msg=audit(1375777155.023:174): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f33540072b0 a2=90800 a3=0 items=0 ppid=2713 pid=2734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
> type=AVC msg=audit(1375777155.023:174): avc:  denied  { read } for  pid=2734 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
> ----
> time->Tue Aug  6 08:19:15 2013
> type=SYSCALL msg=audit(1375777155.023:175): arch=c000003e syscall=2 success=no exit=-13 a0=7f33540072d0 a1=242 a2=180 a3=0 items=0 ppid=2713 pid=2734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
> type=AVC msg=audit(1375777155.023:175): avc:  denied  { write } for  pid=2734 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
>
> Errors in ipaserver-install.log:
> ...
> pki_subsystem_nickname = subsystemCert cert-pki-ca
> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
> pki_ssl_server_nickname = Server-Cert cert-pki-ca
> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>
>
> 2013-08-06T12:05:08Z DEBUG Starting external process
> 2013-08-06T12:05:08Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpRlQD7m
> 2013-08-06T12:05:09Z DEBUG Process finished, return code=1
> 2013-08-06T12:05:09Z DEBUG stdout=Loading deployment configuration from /tmp/tmpRlQD7m.
> Installing CA into /var/lib/pki/pki-tomcat.
> Installation failed.
>
>
> 2013-08-06T12:05:09Z DEBUG stderr=pkispawn    : ERROR    ....... PKI subsystem 'CA' for instance 'pki-tomcat' already exists!
>
> 2013-08-06T12:05:09Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpRlQD7m' returned non-zero exit status 1
> 2013-08-06T12:05:09Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 616, in run_script
>     return_value = main_function()
>
>   File "/sbin/ipa-server-install", line 1022, in main
>     dm_password, subject_base=options.subject)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 363, in start_creation
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 736, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2013-08-06T12:05:09Z DEBUG The ipa-server-install command failed,
> exception: RuntimeError: Configuration of CA failed
>
> And catalina.out:
>
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://omcsvcipa01d.dev.cloud-omc.thales:9080/ca/ocsp' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'false' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
> Aug 06, 2013 8:07:38 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8080"]
> Aug 06, 2013 8:07:38 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8443"]
> JSSSocketFactory init - exception thrown:java.lang.NullPointerException
>
> Aug 06, 2013 8:07:38 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Aug 06, 2013 8:07:38 AM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 1488 ms
> Aug 06, 2013 8:07:38 AM org.apache.catalina.core.StandardService startInternal
> INFO: Starting service Catalina
> Aug 06, 2013 8:07:38 AM org.apache.catalina.core.StandardEngine startInternal
> INFO: Starting Servlet Engine: Apache Tomcat/7.0.40
> Aug 06, 2013 8:07:39 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/pki
> Aug 06, 2013 8:07:41 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/ca
> SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
> SSLAuthenticatorWithFallback: Setting container
> SSLAuthenticatorWithFallback: Initializing authenticators
> SSLAuthenticatorWithFallback: Starting authenticators
> 08:07:43,538 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
> 08:07:43,545 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
> CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value| Server is started.
> Aug 06, 2013 8:07:44 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/ROOT
> Aug 06, 2013 8:07:45 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8080"]
> Aug 06, 2013 8:07:45 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8443"]
> Aug 06, 2013 8:07:45 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Aug 06, 2013 8:07:45 AM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 6725 ms
> Aug 06, 2013 8:19:15 AM org.apache.catalina.core.StandardServer await
> INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
> Aug 06, 2013 8:19:15 AM org.apache.coyote.AbstractProtocol pause
> INFO: Pausing ProtocolHandler ["http-bio-8080"]
> Aug 06, 2013 8:19:15 AM org.apache.coyote.AbstractProtocol pause
> INFO: Pausing ProtocolHandler ["http-bio-8443"]
> Aug 06, 2013 8:19:15 AM org.apache.coyote.AbstractProtocol pause
> INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Aug 06, 2013 8:19:15 AM org.apache.catalina.core.StandardService stopInternal
> INFO: Stopping service Catalina
>
>
>
>
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Tuesday, 6 August 2013 13:48
> To: NEVEU Stephane
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Install error pkispawn
>
> On 08/06/2013 10:48 AM, NEVEU Stephane wrote:
>> Hi guys,
>>
>> New here and trying to install FreeIPA server with the online documentation on a fresh Fedora 19... I've got this error message:
>> Any idea is welcome :)
>> Thank you
>> ...
>> Continue to configure the system with these values? [no]: yes
>>
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv): Estimated time 1 minute
>>   [1/38]: creating directory server user
>>   [2/38]: creating directory server instance
>>   [3/38]: adding default schema
>>   [4/38]: enabling memberof plugin
>>   [5/38]: enabling winsync plugin
>>   [6/38]: configuring replication version plugin
>>   [7/38]: enabling IPA enrollment plugin
>>   [8/38]: enabling ldapi
>>   [9/38]: configuring uniqueness plugin
>>   [10/38]: configuring uuid plugin
>>   [11/38]: configuring modrdn plugin
>>   [12/38]: configuring DNS plugin
>>   [13/38]: enabling entryUSN plugin
>>   [14/38]: configuring lockout plugin
>>   [15/38]: creating indices
>>   [16/38]: enabling referential integrity plugin
>>   [17/38]: configuring certmap.conf
>>   [18/38]: configure autobind for root
>>   [19/38]: configure new location for managed entries
>>   [20/38]: configure dirsrv ccache
>>   [21/38]: enable SASL mapping fallback
>>   [22/38]: restarting directory server
>>   [23/38]: adding default layout
>>   [24/38]: adding delegation layout
>>   [25/38]: creating container for managed entries
>>   [26/38]: configuring user private groups
>>   [27/38]: configuring netgroups from hostgroups
>>   [28/38]: creating default Sudo bind user
>>   [29/38]: creating default Auto Member layout
>>   [30/38]: adding range check plugin
>>   [31/38]: creating default HBAC rule allow_all
>>   [32/38]: initializing group membership
>>   [33/38]: adding master entry
>>   [34/38]: configuring Posix uid/gid generation
>>   [35/38]: adding replication acis
>>   [36/38]: enabling compatibility plugin
>>   [37/38]: tuning directory server
>>   [38/38]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>   [1/20]: creating certificate server user
>>   [2/20]: configuring certificate server instance
>> ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpFi7bLc' returned non-zero exit status 1
>> Configuration of CA failed
>>
>
> Hello Stephane,
>
> Thanks for contacting the list! We first need more information about the failure, i.e.:
>
> 1) $ rpm -qa freeipa-server pki-ca "java-*-openjdk-*"
> 2) Related errors from /var/log/ipaserver-install.log
> 3) Related errors from /var/log/pki/pki-tomcat/catalina.out (if any)
> 4) # ausearch -m AVC
>
> Martin
>
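Added example, not part of the thread and not FreeIPA or Dogtag code: a small POSIX sh helper around the recovery procedure Martin gives above (uninstall, pkidestroy, retry), plus checks for the two symptoms in Stephane's logs, the pkispawn "already exists" error and the AVC denials. It runs offline on a constructed audit sample modelled on the quoted records; the function names, the DRY_RUN variable and the sample file paths are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA/Dogtag code).
#   ipa_ca_already_exists LOG  - exit 0 if LOG carries the pkispawn "already exists" error
#   avc_summary AUDIT          - one "src_type tgt_type class perms" line per AVC denial
#   ipa_ca_cleanup             - the two cleanup commands; printed only unless DRY_RUN=0
# DRY_RUN and the file names are this example's own assumptions.

# The failure that means a previous (possibly half-finished) install left a
# CA instance behind; the same text appears in /var/log/ipaserver-install.log.
ipa_ca_already_exists() {
    grep -q "PKI subsystem 'CA' for instance 'pki-tomcat' already exists" "$1"
}

# Reduce `ausearch -m AVC` output to the tuples that matter for a policy
# decision. Only type=AVC records carry scontext/tcontext/tclass; the paired
# SYSCALL records are skipped. Output is de-duplicated.
avc_summary() {
    awk '
        /^type=AVC / && /avc: +denied/ {
            perms = ""; src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {                      # permissions: { read write }
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perms = perms (perms == "" ? "" : ",") $j
                }
                if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            print src, tgt, cls, perms
        }' "$1" | sort -u
}

# Print each command; execute it only when DRY_RUN=0 (default is dry run,
# because pkidestroy deletes the CA instance and its key database).
run() {
    printf '%s\n' "$*"
    [ "${DRY_RUN:-1}" = 1 ] || "$@"
}
ipa_ca_cleanup() {
    run ipa-server-install --uninstall --unattended
    run pkidestroy -s CA -i pki-tomcat
}

# Constructed sample audit records, modelled on the first two denials quoted
# in the thread (one record per line, as ausearch prints them).
write_sample_avc() {
    cat > "$1" <<'EOF'
----
time->Tue Aug  6 08:07:36 2013
type=SYSCALL msg=audit(1375776456.741:125): arch=c000003e syscall=257 success=no exit=-13 comm="java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1375776456.741:125): avc:  denied  { read } for  pid=1995 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Tue Aug  6 08:07:36 2013
type=SYSCALL msg=audit(1375776456.741:126): arch=c000003e syscall=2 success=no exit=-13 comm="java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1375776456.741:126): avc:  denied  { write } for  pid=1995 comm="java" name="hsperfdata_root" dev="vda1" ino=39527 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
EOF
}

# Stand-alone demo: summarise the sample and show the cleanup in dry-run mode.
demo() {
    f=$(mktemp)
    write_sample_avc "$f"
    echo "AVC denials (source target class perms):"
    avc_summary "$f"
    echo "Cleanup commands (dry run):"
    ipa_ca_cleanup
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run as `sh helper.sh demo`; on a real host, point avc_summary at the output of `ausearch -m AVC -ts recent` and set `DRY_RUN=0` only once you are sure the pki-tomcat instance on that box is disposable, since pkidestroy removes its NSS database and signing keys. On the sample the summary reduces to two lines, pki_tomcat_t denied read and write on a dir labelled rpm_script_tmp_t. My reading of that (the thread itself does not go this far): rpm_script_tmp_t is the type SELinux gives to temporary files created by RPM scriptlets, and /tmp/hsperfdata_<user> is where the HotSpot JVM keeps its performance counters, so a JVM run from a package scriptlet created /tmp/hsperfdata_root and the confined pki-tomcat JVM could not use it afterwards. Removing that directory (the JVM recreates it) or running `restorecon -Rv /tmp/hsperfdata_root` is a narrower fix than `setenforce 0`; if you do go permissive, return to `setenforce 1` once the install has completed and re-check `ausearch -m AVC -ts recent`, reporting any remaining denial as a policy bug rather than leaving a CA host permissive.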