[Freeipa-users] Error creating new freeipa-server

Bret Wortman bret.wortman at damascusgrp.com
Mon Apr 28 15:44:30 UTC 2014 

On 04/28/2014 11:17 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> So is there a recommended way to clean it up and get it working?
>
> Re-run pkidestroy, then if the subsequent IPA install fails closely 
> examine the logs to determine the reason. The problem in cases like 
> this is that the first install fails and subsequent installs mask the 
> original failure with this PKI re-install failure.
>
> rob
>
Okay, here's the log from when it starts configuring PKI:

2014-04-28T15:23:45Z DEBUG   [2/22]: configuring certificate server instance
2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file 
(/tmp/tmpdCm6rt):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki-backup_password = XXXXXXXX
pki_client_database_dir = /tmp/tmp-rVoTR2
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root at localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject+dn = cn=CA Subsystem,O=FOO.NET
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
pki_ca_signing_subject_dn = cn-Certificate Authority,O=FOO.NET
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca


2014-04-28T15:23:45Z DEBUG Starting external process
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from 
/tmp/tmpdCm6rt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg

Installation failed.


2014-04-28T15:24:46Z DEBUG stderr=pkispawn     : ERROR   ....... server 
failed to restart

2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit status 1
2014-04-28T15:24:46Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
line 622, in run_script
     return_value = main_function()

   File "/usr/sbin/ipa-server-install", line 1074, in main
     dm_password, subject_base=options.subject)

   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
478, in configure_instance
     self.start_creation(runtime=210)

   File "/usr/lib/python2.7/site-packages/ipaserver/isntall/service.py", 
line 364, in start_creation
     method()

   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
604, in __spawn_instance
     raise RUntimeError('Configuration of CA failed')


2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed, 
exception: RuntimeError: Configuration of CA failed

And that's the end of the log. Nothing here looks terribly informative 
to me, and this is what the log looks like every time I look at it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3766 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140428/9cc40f3f/attachment.p7s>

More information about the Freeipa-users mailing list