[Freeipa-users] Error creating new freeipa-server

Bret Wortman bret.wortman at damascusgrp.com
Mon Apr 28 16:07:26 UTC 2014


On 04/28/2014 11:52 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>>
>> On 04/28/2014 11:17 AM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> So is there a recommended way to clean it up and get it working?
>>>
>>> Re-run pkidestroy, then if the subsequent IPA install fails closely
>>> examine the logs to determine the reason. The problem in cases like
>>> this is that the first install fails and subsequent installs mask the
>>> original failure with this PKI re-install failure.
>>>
>>> rob
>>>
>> Okay, here's the log from when it starts configuring PKI:
>>
>> 2014-04-28T15:23:45Z DEBUG   [2/22]: configuring certificate server
>> instance
>> 2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file
>> (/tmp/tmpdCm6rt):
>> [CA]
>> pki_security_domain_name = IPA
>> pki_enable_proxy = True
>> pki_restart_configured_instance = False
>> pki_backup_keys = True
>> pki_backup_password = XXXXXXXX
>> pki_client_database_dir = /tmp/tmp-rVoTR2
>> pki_client_database_password = XXXXXXXX
>> pki_client_database_purge = False
>> pki_client_pkcs12_password = XXXXXXXX
>> pki_admin_name = admin
>> pki_admin_uid = admin
>> pki_admin_email = root at localhost
>> pki_admin_password = XXXXXXXX
>> pki_admin_nickname = ipa-ca-agent
>> pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
>> pki_client_admin_cert_p12 = /root/ca-agent.p12
>> pki_ds_ldap_port = 389
>> pki_ds_password = XXXXXXXX
>> pki_ds_base_dn = o=ipaca
>> pki_ds_database = ipaca
>> pki_subsystem_subject_dn = cn=CA Subsystem,O=FOO.NET
>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
>> pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
>> pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=FOO.NET
>> pki_subsystem_nickname = subsystemCert cert-pki-ca
>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>>
>>
>> 2014-04-28T15:23:45Z DEBUG Starting external process
>> 2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f 
>> /tmp/tmpdCm6rt
>> 2014-04-28T15:23:45Z DEBUG Process finished, return code=1
>> 2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from
>> /tmp/tmpdCm6rt.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
>>
>> Installation failed.
>>
>>
>> 2014-04-28T15:24:46Z DEBUG stderr=pkispawn     : ERROR   ....... server
>> failed to restart
>>
>> 2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command
>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit
>> status 1
>> 2014-04-28T15:24:46Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 622, in run_script
>>      return_value = main_function()
>>
>>    File "/usr/sbin/ipa-server-install", line 1074, in main
>>      dm_password, subject_base=options.subject)
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 478, in configure_instance
>>      self.start_creation(runtime=210)
>>
>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 364, in start_creation
>>      method()
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 604, in __spawn_instance
>>      raise RuntimeError('Configuration of CA failed')
>>
>>
>> 2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed,
>> exception: RuntimeError: Configuration of CA failed
>>
>> And that's the end of the log. Nothing here looks terribly informative
>> to me, and this is what the log looks like every time I look at it.
>>
>
> The error is different whether there is an existing PKI instance or not.
>
> The next set of logs to look at are in /var/log/pki. It says there is 
> a startup failure so I'd start with 
> */var/log/pki/pki-tomcat/catalina.out* . Also interesting may be the 
> pki-ca-spawn and debug logs found within that directory structure.
>
> I'd also look for SELinux errors with ausearch -m AVC -ts recent

This did the trick. Something was hanging out on port 8443, though 
neither lsof nor netstat would show me what it was. I rebooted the 
server and then it proceeded past this without a hiccup.

Thanks, Rob and everyone else for helping me navigate the logs!


Bret
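The thread's diagnostic path, as an added example that is not part of the original exchange or of FreeIPA's own code: read the pkispawn failure out of an ipaserver-install.log excerpt, map "server failed to restart" to the next places to look (catalina.out, the pki-ca-spawn logs, ausearch for AVCs, pkidestroy before a retry), and bind-test pki-tomcat's ports rather than grepping lsof or netstat, which in the thread above did not show what was holding 8443. The sample log text is constructed from the lines quoted in the thread; the port list (8080 as well as the 8443 from the thread) and the exact log file names are assumptions about a default Dogtag layout.

```python
"""Pre-flight checks before retrying ipa-server-install (illustrative, not FreeIPA code)."""
import re
import socket

# Assumed default pki-tomcat listeners; 8443 is the port the thread found held.
PKI_TOMCAT_PORTS = (8080, 8443)

# Constructed from the ipaserver-install.log lines quoted in the thread.
SAMPLE_LOG = """\
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from /tmp/tmpdCm6rt.
Installing CA into /var/lib/pki/pki-tomcat.

Installation failed.

2014-04-28T15:24:46Z DEBUG stderr=pkispawn     : ERROR   ....... server failed to restart

2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit status 1
"""

RETURN_CODE_RE = re.compile(r"Process finished, return code=(\d+)")
STDERR_RE = re.compile(r"DEBUG stderr=(.*)")
CRITICAL_RE = re.compile(r"CRITICAL (.*)")


def parse_install_log(text):
    """Extract the pkispawn exit code, its stderr and the CRITICAL line from an
    install log excerpt. Fields that do not appear are left as None."""
    parsed = {"return_code": None, "stderr": None, "critical": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = RETURN_CODE_RE.search(line)
        if m:
            parsed["return_code"] = int(m.group(1))
        m = STDERR_RE.search(line)
        if m:
            # stderr may wrap onto following lines until the next blank line.
            chunk = [m.group(1)]
            for nxt in lines[i + 1:]:
                if not nxt.strip():
                    break
                chunk.append(nxt)
            parsed["stderr"] = re.sub(r"\s+", " ", " ".join(chunk)).strip()
        m = CRITICAL_RE.search(line)
        if m:
            parsed["critical"] = m.group(1).strip()
    return parsed


def diagnose(parsed):
    """Turn the parsed failure into the follow-up checks the thread recommends."""
    hints = []
    if parsed["return_code"] not in (None, 0):
        hints.append("pkispawn exited %d; the install log masks the original failure,"
                     " so do not stop at 'Configuration of CA failed'" % parsed["return_code"])
    if parsed["stderr"] and "failed to restart" in parsed["stderr"]:
        hints.append("Tomcat did not come up: read /var/log/pki/pki-tomcat/catalina.out"
                     " and the pki-ca-spawn/debug logs under /var/log/pki")
        hints.append("bind-test the pki-tomcat ports %s (see port_is_free)"
                     % ", ".join(str(p) for p in PKI_TOMCAT_PORTS))
        hints.append("look for SELinux denials: ausearch -m AVC -ts recent")
        hints.append("if an earlier attempt left an instance behind, run pkidestroy before retrying")
    return hints


def port_is_free(port, host="0.0.0.0"):
    """Try to bind the port instead of parsing netstat/lsof output: the kernel
    refuses the bind (EADDRINUSE) whether or not the holder is visible to those
    tools. Binding the IPv4 wildcard also conflicts with dual-stack IPv6
    listeners; an IPv6-only listener would need a second AF_INET6 probe."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


def demo_port_conflict():
    """Hold a loopback port the way a stale pki-tomcat would and show the probe
    reports it busy while held and free once released: returns (held, released)."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))  # ephemeral port chosen by the kernel
    holder.listen(1)
    port = holder.getsockname()[1]
    try:
        while_held = port_is_free(port)
    finally:
        holder.close()
    return while_held, port_is_free(port)


if __name__ == "__main__":
    for hint in diagnose(parse_install_log(SAMPLE_LOG)):
        print("-", hint)
    for p in PKI_TOMCAT_PORTS:
        print("port %d: %s" % (p, "free" if port_is_free(p) else "IN USE"))
    print("demo (held, released):", demo_port_conflict())
```

The bind probe is the part worth keeping: a socket in a state or namespace that netstat and lsof do not list still makes the kernel refuse the bind, which is the same condition that stops Tomcat from restarting during pkispawn.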