[Freeipa-users] FreeIPA installation bug on F18 while "requesting RA certificate from CA"
Robert M. Albrecht
lists at romal.de
Wed Feb 13 20:03:16 UTC 2013
Hi Rob,
yes, worked after downgrading nss* and xulrunner & firefox because of deps.
Thanks.
cu romal
Am 13.02.13 15:48, schrieb Rob Crittenden:
> Robert M. Albrecht wrote:
>> Hi,
>>
>>
>> Configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv): Estimated time 1 minute
>> [1/36]: creating directory server user
>> [2/36]: creating directory server instance
>> [3/36]: adding default schema
>> [4/36]: enabling memberof plugin
>> [5/36]: enabling winsync plugin
>> [6/36]: configuring replication version plugin
>> [7/36]: enabling IPA enrollment plugin
>> [8/36]: enabling ldapi
>> [9/36]: configuring uniqueness plugin
>> [10/36]: configuring uuid plugin
>> [11/36]: configuring modrdn plugin
>> [12/36]: enabling entryUSN plugin
>> [13/36]: configuring lockout plugin
>> [14/36]: creating indices
>> [15/36]: enabling referential integrity plugin
>> [16/36]: configuring certmap.conf
>> [17/36]: configure autobind for root
>> [18/36]: configure new location for managed entries
>> [19/36]: restarting directory server
>> [20/36]: adding default layout
>> [21/36]: adding delegation layout
>> [22/36]: adding replication acis
>> [23/36]: creating container for managed entries
>> [24/36]: configuring user private groups
>> [25/36]: configuring netgroups from hostgroups
>> [26/36]: creating default Sudo bind user
>> [27/36]: creating default Auto Member layout
>> [28/36]: adding range check plugin
>> [29/36]: creating default HBAC rule allow_all
>> [30/36]: Upload CA cert to the directory
>> ipa : CRITICAL Failed to load upload-cacert.ldif: Command
>> '/usr/bin/ldapmodify -v -f /tmp/tmpSkzd0p -H
>> ldap://gutenberg.vorlon.lan:389 -x -D cn=Directory Manager -y
>> /tmp/tmpVB45G5' returned non-zero exit status 247
>> [31/36]: initializing group membership
>> [32/36]: adding master entry
>> [33/36]: configuring Posix uid/gid generation
>> [34/36]: enabling compatibility plugin
>> [35/36]: tuning directory server
>> [36/36]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>> 30 seconds
>> [1/20]: creating certificate server user
>> [2/20]: configuring certificate server instance
>> [3/20]: disabling nonces
>> [4/20]: creating RA agent certificate database
>> [5/20]: importing CA chain to RA certificate database
>> [6/20]: fixing RA database permissions
>> [7/20]: setting up signing cert profile
>> [8/20]: set up CRL publishing
>> [9/20]: set certificate subject base
>> [10/20]: enabling Subject Key Identifier
>> [11/20]: enabling CRL and OCSP extensions for certificates
>> [12/20]: setting audit signing renewal to 2 years
>> [13/20]: configuring certificate server to start on boot
>> [14/20]: restarting certificate server
>> [15/20]: requesting RA certificate from CA
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> IndexError: list index out of range
>> [root at gutenberg ~]#
>>
>> from /var/log/ipaserver-install.log
>>
>> 2013-02-13T14:38:15Z DEBUG stderr=
>> 2013-02-13T14:38:15Z DEBUG Saving StateFile to
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2013-02-13T14:38:15Z DEBUG duration: 0 seconds
>> 2013-02-13T14:38:15Z DEBUG [14/20]: restarting certificate server
>> 2013-02-13T14:38:15Z DEBUG Starting external process
>> 2013-02-13T14:38:15Z DEBUG args=/bin/systemctl restart
>> pki-tomcatd at pki-tomcat.service
>> 2013-02-13T14:38:19Z DEBUG Process finished, return code=0
>> 2013-02-13T14:38:19Z DEBUG stdout=
>> 2013-02-13T14:38:19Z DEBUG stderr=
>> 2013-02-13T14:38:19Z DEBUG Starting external process
>> 2013-02-13T14:38:19Z DEBUG args=/bin/systemctl is-active
>> pki-tomcatd at pki-tomcat.service
>> 2013-02-13T14:38:19Z DEBUG Process finished, return code=0
>> 2013-02-13T14:38:19Z DEBUG stdout=active
>>
>> 2013-02-13T14:38:19Z DEBUG stderr=
>> 2013-02-13T14:38:19Z DEBUG wait_for_open_ports: localhost [8080, 8443]
>> timeout 120
>> 2013-02-13T14:38:25Z DEBUG The httpd proxy is not installed, skipping
>> wait for CA
>> 2013-02-13T14:38:25Z DEBUG duration: 9 seconds
>> 2013-02-13T14:38:25Z DEBUG [15/20]: requesting RA certificate from CA
>> 2013-02-13T14:38:25Z DEBUG Starting external process
>> 2013-02-13T14:38:25Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f
>> XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=VORLON.LAN -z /tmp/tmpQoA4BN -a
>> 2013-02-13T14:38:31Z DEBUG Process finished, return code=0
>> 2013-02-13T14:38:31Z DEBUG
>> stdout=^X^\<FB><ED>5^@^@^@^X^\<FB><ED>5^@^@^@^P<FD><81>^A^@^@^@^@^P<FD><81>^A^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^A^@^@^@^@^@^@^@^@^@^@^@^@^@^@<B0>^@^@^@^@^@^@^@!^F^@^@^@^@^@^@<98>^W<FB><ED>5^@^@^@<A0><F9><81>^A^@
>>
>>
>> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<80><8D><81>^A^@^@^@^@^@^@^@^@^@^@^@^@^@^A^@^@^@^@^@^@P^@^@^@^@^@^@^@^P^B^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
>>
>>
>> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
>>
>>
>> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
>>
>>
>> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@`^B^@^@^@^@^@^@^P^B^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
>>
>>
>> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
>>
>>
>> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
>>
>>
>> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
>>
>>
>> 2013-02-13T14:38:31Z DEBUG stderr=
>>
>> Generating key. This may take a few moments...
>>
>>
>> 2013-02-13T14:38:47Z INFO File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 617, in run_script
>> return_value = main_function()
>>
>> File "/sbin/ipa-server-install", line 986, in main
>> dm_password, subject_base=options.subject)
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 621, in configure_instance
>> self.start_creation(runtime=210)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 358, in start_creation
>> method()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 1219, in __request_ra_certificate
>> self.requestId = item_node[0].childNodes[0].data
>>
>> 2013-02-13T14:38:47Z INFO The ipa-server-install command failed,
>> exception: IndexError: list index out of range
>> (END)
>>
>>
>> There are no special charters in any password.
>>
>> Any ideas ?
>
> Caused by a bug in the nss package, see this thread
> https://www.redhat.com/archives/freeipa-users/2013-February/msg00195.html
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
More information about the Freeipa-users
mailing list