[Freeipa-users] Failure configuring certificate server instance

Scott Ryan scottlryan at gmail.com
Wed May 28 09:37:06 UTC 2014


I am trying to get FreeIPA up and running on a minimal CentOS 6.5 installation.
I have forward and reverse DNS set up on an external DNS server - no
SELinux & no iptables (for troubleshooting)

but I keep running into the following problem during installation:

 [3/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW
-client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig
-domain_name IPA -admin_user admin -admin_email root at localhost
-admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
-agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au
-ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
-key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
-subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU
-ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU
-ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU
-ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU
-external false -clone false' returned non-zero exit status 255
Configuration of CA failed

The installation log shows this:

2014-05-28T09:19:47Z DEBUG importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
...skipping...
        at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:215)
        at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
        at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
        at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
        at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
        at java.security.Security.insertProviderAt(Security.java:362)
        at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:942)
        at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:869)
        at ComCrypto.loginDB(ComCrypto.java:420)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1145)
        at ConfigureCA.main(ConfigureCA.java:1672)
Caused by: java.util.zip.ZipException: error in opening zip file
        at java.util.zip.ZipFile.open(Native Method)
        at java.util.zip.ZipFile.<init>(ZipFile.java:215)
        at java.util.zip.ZipFile.<init>(ZipFile.java:145)
        at java.util.jar.JarFile.<init>(JarFile.java:153)
        at java.util.jar.JarFile.<init>(JarFile.java:90)
        at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:728)
        at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:591)
        at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:673)
        at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:666)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:665)
        at sun.misc.URLClassPath$JarLoader.getResource(URLClassPath.java:836)
        ... 23 more

2014-05-28T09:20:15Z CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW
-client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig
-domain_name IPA -admin_user admin -admin_email root at localhost
-admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
-agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au
-ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
-key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
-subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU
-ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU
-ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU
-ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU
-external false -clone false' returned non-zero exit status 255
2014-05-28T09:20:15Z INFO   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
line 614, in run_script
    return_value = main_function()

Any ideas would be helpful.

Thanks
-- 
Scott Ryan



