[Freeipa-users] FreeIPA installation bug on F18 while "requesting RA certificate from CA"
Rob Crittenden
rcritten at redhat.com
Wed Feb 13 14:48:58 UTC 2013
Robert M. Albrecht wrote:
> Hi,
>
>
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
> [1/36]: creating directory server user
> [2/36]: creating directory server instance
> [3/36]: adding default schema
> [4/36]: enabling memberof plugin
> [5/36]: enabling winsync plugin
> [6/36]: configuring replication version plugin
> [7/36]: enabling IPA enrollment plugin
> [8/36]: enabling ldapi
> [9/36]: configuring uniqueness plugin
> [10/36]: configuring uuid plugin
> [11/36]: configuring modrdn plugin
> [12/36]: enabling entryUSN plugin
> [13/36]: configuring lockout plugin
> [14/36]: creating indices
> [15/36]: enabling referential integrity plugin
> [16/36]: configuring certmap.conf
> [17/36]: configure autobind for root
> [18/36]: configure new location for managed entries
> [19/36]: restarting directory server
> [20/36]: adding default layout
> [21/36]: adding delegation layout
> [22/36]: adding replication acis
> [23/36]: creating container for managed entries
> [24/36]: configuring user private groups
> [25/36]: configuring netgroups from hostgroups
> [26/36]: creating default Sudo bind user
> [27/36]: creating default Auto Member layout
> [28/36]: adding range check plugin
> [29/36]: creating default HBAC rule allow_all
> [30/36]: Upload CA cert to the directory
> ipa : CRITICAL Failed to load upload-cacert.ldif: Command
> '/usr/bin/ldapmodify -v -f /tmp/tmpSkzd0p -H
> ldap://gutenberg.vorlon.lan:389 -x -D cn=Directory Manager -y
> /tmp/tmpVB45G5' returned non-zero exit status 247
> [31/36]: initializing group membership
> [32/36]: adding master entry
> [33/36]: configuring Posix uid/gid generation
> [34/36]: enabling compatibility plugin
> [35/36]: tuning directory server
> [36/36]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> 30 seconds
> [1/20]: creating certificate server user
> [2/20]: configuring certificate server instance
> [3/20]: disabling nonces
> [4/20]: creating RA agent certificate database
> [5/20]: importing CA chain to RA certificate database
> [6/20]: fixing RA database permissions
> [7/20]: setting up signing cert profile
> [8/20]: set up CRL publishing
> [9/20]: set certificate subject base
> [10/20]: enabling Subject Key Identifier
> [11/20]: enabling CRL and OCSP extensions for certificates
> [12/20]: setting audit signing renewal to 2 years
> [13/20]: configuring certificate server to start on boot
> [14/20]: restarting certificate server
> [15/20]: requesting RA certificate from CA
> Unexpected error - see /var/log/ipaserver-install.log for details:
> IndexError: list index out of range
> [root@gutenberg ~]#
>
> from /var/log/ipaserver-install.log
>
> 2013-02-13T14:38:15Z DEBUG stderr=
> 2013-02-13T14:38:15Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2013-02-13T14:38:15Z DEBUG duration: 0 seconds
> 2013-02-13T14:38:15Z DEBUG [14/20]: restarting certificate server
> 2013-02-13T14:38:15Z DEBUG Starting external process
> 2013-02-13T14:38:15Z DEBUG args=/bin/systemctl restart
> pki-tomcatd@pki-tomcat.service
> 2013-02-13T14:38:19Z DEBUG Process finished, return code=0
> 2013-02-13T14:38:19Z DEBUG stdout=
> 2013-02-13T14:38:19Z DEBUG stderr=
> 2013-02-13T14:38:19Z DEBUG Starting external process
> 2013-02-13T14:38:19Z DEBUG args=/bin/systemctl is-active
> pki-tomcatd@pki-tomcat.service
> 2013-02-13T14:38:19Z DEBUG Process finished, return code=0
> 2013-02-13T14:38:19Z DEBUG stdout=active
>
> 2013-02-13T14:38:19Z DEBUG stderr=
> 2013-02-13T14:38:19Z DEBUG wait_for_open_ports: localhost [8080, 8443]
> timeout 120
> 2013-02-13T14:38:25Z DEBUG The httpd proxy is not installed, skipping
> wait for CA
> 2013-02-13T14:38:25Z DEBUG duration: 9 seconds
> 2013-02-13T14:38:25Z DEBUG [15/20]: requesting RA certificate from CA
> 2013-02-13T14:38:25Z DEBUG Starting external process
> 2013-02-13T14:38:25Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f
> XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=VORLON.LAN -z /tmp/tmpQoA4BN -a
> 2013-02-13T14:38:31Z DEBUG Process finished, return code=0
> 2013-02-13T14:38:31Z DEBUG
> stdout=[non-printable binary output omitted]
>
> 2013-02-13T14:38:31Z DEBUG stderr=
>
> Generating key. This may take a few moments...
>
>
> 2013-02-13T14:38:47Z INFO File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 617, in run_script
> return_value = main_function()
>
> File "/sbin/ipa-server-install", line 986, in main
> dm_password, subject_base=options.subject)
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 621, in configure_instance
> self.start_creation(runtime=210)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 358, in start_creation
> method()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1219, in __request_ra_certificate
> self.requestId = item_node[0].childNodes[0].data
>
> 2013-02-13T14:38:47Z INFO The ipa-server-install command failed,
> exception: IndexError: list index out of range
> (END)
>
>
> There are no special characters in any password.
>
> Any ideas?
Caused by a bug in the nss package, see this thread
https://www.redhat.com/archives/freeipa-users/2013-February/msg00195.html
rob