[Freeipa-users] Error creating new freeipa-server

Rob Crittenden rcritten at redhat.com
Mon Apr 28 15:52:39 UTC 2014


Bret Wortman wrote:
>
> On 04/28/2014 11:17 AM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> So is there a recommended way to clean it up and get it working?
>>
>> Re-run pkidestroy, then if the subsequent IPA install fails closely
>> examine the logs to determine the reason. The problem in cases like
>> this is that the first install fails and subsequent installs mask the
>> original failure with this PKI re-install failure.
>>
>> rob
>>
> Okay, here's the log from when it starts configuring PKI:
>
> 2014-04-28T15:23:45Z DEBUG   [2/22]: configuring certificate server
> instance
> 2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file
> (/tmp/tmpdCm6rt):
> [CA]
> pki_security_domain_name = IPA
> pki_enable_proxy = True
> pki_restart_configured_instance = False
> pki_backup_keys = True
> pki-backup_password = XXXXXXXX
> pki_client_database_dir = /tmp/tmp-rVoTR2
> pki_client_database_password = XXXXXXXX
> pki_client_database_purge = False
> pki_client_pkcs12_password = XXXXXXXX
> pki_admin_name = admin
> pki_admin_uid = admin
> pki_admin_email = root at localhost
> pki_admin_password = XXXXXXXX
> pki_admin_nickname = ipa-ca-agent
> pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
> pki_client_admin_cert_p12 = /root/ca-agent.p12
> pki_ds_ldap_port = 389
> pki_ds_password = XXXXXXXX
> pki_ds_base_dn = o=ipaca
> pki_ds_database = ipaca
> pki_subsystem_subject+dn = cn=CA Subsystem,O=FOO.NET
> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
> pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
> pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
> pki_ca_signing_subject_dn = cn-Certificate Authority,O=FOO.NET
> pki_subsystem_nickname = subsystemCert cert-pki-ca
> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
> pki_ssl_server_nickname = Server-Cert cert-pki-ca
> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>
>
> 2014-04-28T15:23:45Z DEBUG Starting external process
> 2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
> 2014-04-28T15:23:45Z DEBUG Process finished, return code=1
> 2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from
> /tmp/tmpdCm6rt.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
>
> Installation failed.
>
>
> 2014-04-28T15:24:46Z DEBUG stderr=pkispawn     : ERROR   ....... server
> failed to restart
>
> 2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit
> status 1
> 2014-04-28T15:24:46Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 622, in run_script
>      return_value = main_function()
>
>    File "/usr/sbin/ipa-server-install", line 1074, in main
>      dm_password, subject_base=options.subject)
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 478, in configure_instance
>      self.start_creation(runtime=210)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/isntall/service.py",
> line 364, in start_creation
>      method()
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 604, in __spawn_instance
>      raise RUntimeError('Configuration of CA failed')
>
>
> 2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed,
> exception: RuntimeError: Configuration of CA failed
>
> And that's the end of the log. Nothing here looks terribly informative
> to me, and this is what the log looks like every time I look at it.
>

The error is different depending on whether there is an existing PKI instance or not.

The next set of logs to look at are in /var/log/pki. It says there is a 
startup failure so I'd start with /var/log/pki/pki-tomcat/catalina.out. 
Also interesting may be the pki-ca-spawn and debug logs found within 
that directory structure.

I'd also look for SELinux errors with ausearch -m AVC -ts recent

rob
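An added triage helper for the steps above; it is written for this thread and is not FreeIPA or Dogtag code. It pulls the pkispawn exit status and stderr line out of an ipaserver-install.log, then lists the Dogtag logs to read next. The log-root layout (catalina.out under pki-tomcat, pki-ca-spawn*.log and a CA "debug" file somewhere below the root) and the sample log lines are assumptions constructed for offline use.

```sh
#!/bin/sh
# Triage helper for a failed "configuring certificate server instance" step.
# Assumed layout under the pki log root: pki-tomcat/catalina.out,
# pki-ca-spawn*.log and a CA "debug" file; adjust if your Dogtag differs.

# Exit status pkispawn returned: the "Process finished" line that follows
# the "args=/usr/sbin/pkispawn" line in ipaserver-install.log.
pkispawn_rc() {
    awk '/args=\/usr\/sbin\/pkispawn/ { want = 1 }
         want && /Process finished, return code=/ {
             sub(/.*return code=/, ""); print; exit }' "$1"
}

# The stderr text pkispawn produced (the one-line error seen in the thread).
pkispawn_stderr() {
    sed -n 's/.*DEBUG stderr=//p' "$1" | head -n 1
}

# Existing Dogtag logs worth reading next, catalina.out first.
pki_log_candidates() {
    root=${1:-/var/log/pki}
    [ -f "$root/pki-tomcat/catalina.out" ] && echo "$root/pki-tomcat/catalina.out"
    find "$root" \( -name 'pki-ca-spawn*' -o -name debug \) -type f 2>/dev/null | sort
}

# Recent SELinux denials, only where the audit tooling is installed.
selinux_denials() {
    command -v ausearch >/dev/null 2>&1 && ausearch -m AVC -ts recent
}

# Constructed sample of the relevant install-log lines (not a real capture).
write_sample_log() {
    cat > "$1" <<'EOF'
2014-04-28T15:23:45Z DEBUG Starting external process
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:24:46Z DEBUG stderr=pkispawn     : ERROR   ....... server failed to restart
2014-04-28T15:24:46Z CRITICAL failed to configure ca instance
EOF
}

# Usage on a real host: sh triage.sh /var/log/ipaserver-install.log /var/log/pki
if [ "$#" -eq 2 ]; then
    echo "pkispawn exit status: $(pkispawn_rc "$1")"
    echo "pkispawn stderr:      $(pkispawn_stderr "$1")"
    echo "logs to read next:"; pki_log_candidates "$2"
    echo "SELinux denials:";   selinux_denials || echo "(ausearch not available)"
fi
```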



