[Freeipa-users] FreeIPA installation bug on F18 while "requesting RA certificate from CA"

Robert M. Albrecht lists at romal.de
Wed Feb 13 20:03:16 UTC 2013


Hi Rob,

yes, worked after downgrading nss* and xulrunner & firefox because of deps.

Thanks.

cu romal


On 13.02.13 15:48, Rob Crittenden wrote:
> Robert M. Albrecht wrote:
>> Hi,
>>
>>
>> Configuring NTP daemon (ntpd)
>>    [1/4]: stopping ntpd
>>    [2/4]: writing configuration
>>    [3/4]: configuring ntpd to start on boot
>>    [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv): Estimated time 1 minute
>>    [1/36]: creating directory server user
>>    [2/36]: creating directory server instance
>>    [3/36]: adding default schema
>>    [4/36]: enabling memberof plugin
>>    [5/36]: enabling winsync plugin
>>    [6/36]: configuring replication version plugin
>>    [7/36]: enabling IPA enrollment plugin
>>    [8/36]: enabling ldapi
>>    [9/36]: configuring uniqueness plugin
>>    [10/36]: configuring uuid plugin
>>    [11/36]: configuring modrdn plugin
>>    [12/36]: enabling entryUSN plugin
>>    [13/36]: configuring lockout plugin
>>    [14/36]: creating indices
>>    [15/36]: enabling referential integrity plugin
>>    [16/36]: configuring certmap.conf
>>    [17/36]: configure autobind for root
>>    [18/36]: configure new location for managed entries
>>    [19/36]: restarting directory server
>>    [20/36]: adding default layout
>>    [21/36]: adding delegation layout
>>    [22/36]: adding replication acis
>>    [23/36]: creating container for managed entries
>>    [24/36]: configuring user private groups
>>    [25/36]: configuring netgroups from hostgroups
>>    [26/36]: creating default Sudo bind user
>>    [27/36]: creating default Auto Member layout
>>    [28/36]: adding range check plugin
>>    [29/36]: creating default HBAC rule allow_all
>>    [30/36]: Upload CA cert to the directory
>> ipa         : CRITICAL Failed to load upload-cacert.ldif: Command
>> '/usr/bin/ldapmodify -v -f /tmp/tmpSkzd0p -H
>> ldap://gutenberg.vorlon.lan:389 -x -D cn=Directory Manager -y
>> /tmp/tmpVB45G5' returned non-zero exit status 247
>>    [31/36]: initializing group membership
>>    [32/36]: adding master entry
>>    [33/36]: configuring Posix uid/gid generation
>>    [34/36]: enabling compatibility plugin
>>    [35/36]: tuning directory server
>>    [36/36]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>> 30 seconds
>>    [1/20]: creating certificate server user
>>    [2/20]: configuring certificate server instance
>>    [3/20]: disabling nonces
>>    [4/20]: creating RA agent certificate database
>>    [5/20]: importing CA chain to RA certificate database
>>    [6/20]: fixing RA database permissions
>>    [7/20]: setting up signing cert profile
>>    [8/20]: set up CRL publishing
>>    [9/20]: set certificate subject base
>>    [10/20]: enabling Subject Key Identifier
>>    [11/20]: enabling CRL and OCSP extensions for certificates
>>    [12/20]: setting audit signing renewal to 2 years
>>    [13/20]: configuring certificate server to start on boot
>>    [14/20]: restarting certificate server
>>    [15/20]: requesting RA certificate from CA
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> IndexError: list index out of range
>> [root@gutenberg ~]#
>>
>> from /var/log/ipaserver-install.log
>>
>> 2013-02-13T14:38:15Z DEBUG stderr=
>> 2013-02-13T14:38:15Z DEBUG Saving StateFile to
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2013-02-13T14:38:15Z DEBUG   duration: 0 seconds
>> 2013-02-13T14:38:15Z DEBUG   [14/20]: restarting certificate server
>> 2013-02-13T14:38:15Z DEBUG Starting external process
>> 2013-02-13T14:38:15Z DEBUG args=/bin/systemctl restart
>> pki-tomcatd@pki-tomcat.service
>> 2013-02-13T14:38:19Z DEBUG Process finished, return code=0
>> 2013-02-13T14:38:19Z DEBUG stdout=
>> 2013-02-13T14:38:19Z DEBUG stderr=
>> 2013-02-13T14:38:19Z DEBUG Starting external process
>> 2013-02-13T14:38:19Z DEBUG args=/bin/systemctl is-active
>> pki-tomcatd@pki-tomcat.service
>> 2013-02-13T14:38:19Z DEBUG Process finished, return code=0
>> 2013-02-13T14:38:19Z DEBUG stdout=active
>>
>> 2013-02-13T14:38:19Z DEBUG stderr=
>> 2013-02-13T14:38:19Z DEBUG wait_for_open_ports: localhost [8080, 8443]
>> timeout 120
>> 2013-02-13T14:38:25Z DEBUG The httpd proxy is not installed, skipping
>> wait for CA
>> 2013-02-13T14:38:25Z DEBUG   duration: 9 seconds
>> 2013-02-13T14:38:25Z DEBUG   [15/20]: requesting RA certificate from CA
>> 2013-02-13T14:38:25Z DEBUG Starting external process
>> 2013-02-13T14:38:25Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f
>> XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=VORLON.LAN -z /tmp/tmpQoA4BN -a
>> 2013-02-13T14:38:31Z DEBUG Process finished, return code=0
>> 2013-02-13T14:38:31Z DEBUG
>> stdout=[non-printable binary output omitted]
>>
>> 2013-02-13T14:38:31Z DEBUG stderr=
>>
>> Generating key.  This may take a few moments...
>>
>>
>> 2013-02-13T14:38:47Z INFO   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 617, in run_script
>>      return_value = main_function()
>>
>>    File "/sbin/ipa-server-install", line 986, in main
>>      dm_password, subject_base=options.subject)
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 621, in configure_instance
>>      self.start_creation(runtime=210)
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 358, in start_creation
>>      method()
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 1219, in __request_ra_certificate
>>      self.requestId = item_node[0].childNodes[0].data
>>
>> 2013-02-13T14:38:47Z INFO The ipa-server-install command failed,
>> exception: IndexError: list index out of range
>> (END)
>>
>>
>> There are no special characters in any password.
>>
>> Any ideas?
>
> Caused by a bug in the nss package, see this thread
> https://www.redhat.com/archives/freeipa-users/2013-February/msg00195.html
>
> rob
>