[Freeipa-users] Failure configuring certificate server instance

Ade Lee alee at redhat.com
Wed May 28 14:11:27 UTC 2014


On Wed, 2014-05-28 at 10:37 +0100, Scott Ryan wrote:
> I am trying to get freeIPA up and running on a minimal CentOS6.5 installation.
> I have forward and reverse DNS set up on an external DNS server - no
> SELinux & no iptables (for troubleshooting)
> 
> but keep running into the following problem during installation:
> 
>  [3/21]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW
> -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig
> -domain_name IPA -admin_user admin -admin_email root at localhost
> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
> -agent_key_type rsa -agent_cert_subject
> CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU
> -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU
> -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU
> -external false -clone false' returned non-zero exit status 255
> Configuration of CA failed
> 
> The installation log shows this:
> 
> 2014-05-28T09:19:47Z DEBUG importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> ...skipping...
>         at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
>         at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
>         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
>         at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:215)
>         at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
>         at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
>         at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
>         at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
>         at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
>         at java.security.Security.insertProviderAt(Security.java:362)
>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:942)
>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:869)
>         at ComCrypto.loginDB(ComCrypto.java:420)
>         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1145)
>         at ConfigureCA.main(ConfigureCA.java:1672)
> Caused by: java.util.zip.ZipException: error in opening zip file
>         at java.util.zip.ZipFile.open(Native Method)
>         at java.util.zip.ZipFile.<init>(ZipFile.java:215)
>         at java.util.zip.ZipFile.<init>(ZipFile.java:145)
>         at java.util.jar.JarFile.<init>(JarFile.java:153)
>         at java.util.jar.JarFile.<init>(JarFile.java:90)
>         at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:728)
>         at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:591)
>         at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:673)
>         at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:666)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:665)
>         at sun.misc.URLClassPath$JarLoader.getResource(URLClassPath.java:836)
>         ... 23 more
> 

That's a very interesting error.  Looks like something is going on at the
nss/jss level on the client side when trying to initialize the client
side nss database.

Can you tell me what versions you have for nss, jss, pki-common,
pkisilent, pki-ca?

rpm -q nss jss pki-common pki-silent pki-ca

Thanks.

> 2014-05-28T09:20:15Z CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW
> -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig
> -domain_name IPA -admin_user admin -admin_email root at localhost
> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
> -agent_key_type rsa -agent_cert_subject
> CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU
> -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU
> -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU
> -external false -clone false' returned non-zero exit status 255
> 2014-05-28T09:20:15Z INFO   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> line 614, in run_script
>     return_value = main_function()
> 
> Any ideas would be helpful.
> 
> Thanks




