[Freeipa-users] Failure configuring certificate server instance

Scott Ryan scottlryan at gmail.com
Wed May 28 16:41:59 UTC 2014 

I noticed that the error said it could not unzip the zip file.
I installed lzo and then did a clean install and it worked.

Perhaps lzo should be a package dependency?

Thanks

On 28 May 2014 15:11, Ade Lee <alee at redhat.com> wrote:
> On Wed, 2014-05-28 at 10:37 +0100, Scott Ryan wrote:
>> I am trying to get freeIPA up and running on a minimal CentOS6.5 installation.
>> i have forward and reverse DNS setup on an external DNS server - no
>> SELinux & no iptables (for troubleshooting)
>>
>> but keep running into the following problem during installation :
>>
>>  [3/21]: configuring certificate server instance
>> ipa         : CRITICAL failed to configure ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>> ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW
>> -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig
>> -domain_name IPA -admin_user admin -admin_email root at localhost
>> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
>> -agent_key_type rsa -agent_cert_subject
>> CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au
>> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
>> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
>> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
>> -subsystem_name pki-cad -token_name internal
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
>> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU
>> -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU
>> -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU
>> -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU
>> -external false -clone false' returned non-zero exit status 255
>> Configuration of CA failed
>>
>> The installation log shows this :
>>
>> 2014-05-28T09:19:47Z DEBUG importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>> ...skipping...
>>         at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
>>         at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
>>         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
>>         at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:215)
>>         at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
>>         at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
>>         at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
>>         at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
>>         at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
>>         at java.security.Security.insertProviderAt(Security.java:362)
>>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:942)
>>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:869)
>>         at ComCrypto.loginDB(ComCrypto.java:420)
>>         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1145)
>>         at ConfigureCA.main(ConfigureCA.java:1672)
>> Caused by: java.util.zip.ZipException: error in opening zip file
>>         at java.util.zip.ZipFile.open(Native Method)
>>         at java.util.zip.ZipFile.<init>(ZipFile.java:215)
>>         at java.util.zip.ZipFile.<init>(ZipFile.java:145)
>>         at java.util.jar.JarFile.<init>(JarFile.java:153)
>>         at java.util.jar.JarFile.<init>(JarFile.java:90)
>>         at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:728)
>>         at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:591)
>>         at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:673)
>>         at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:666)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:665)
>>         at sun.misc.URLClassPath$JarLoader.getResource(URLClassPath.java:836)
>>         ... 23 more
>>
>
> Thats a very interesting error.  Looks like something is going on at the
> nss/jss level on the client side when trying to initialize the client
> side nss database.
>
> Can you tell me what versions you have for nss, jss, pki-common,
> pkisilent, pki-ca ?
>
> rpm -q nss jss pki-common pki-silent pki-ca
>
> Thanks.
>
>> 2014-05-28T09:20:15Z CRITICAL failed to configure ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>> ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW
>> -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig
>> -domain_name IPA -admin_user admin -admin_email root at localhost
>> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
>> -agent_key_type rsa -agent_cert_subject
>> CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au
>> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
>> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
>> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
>> -subsystem_name pki-cad -token_name internal
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU
>> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU
>> -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU
>> -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU
>> -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU
>> -external false -clone false' returned non-zero exit status 255
>> 2014-05-28T09:20:15Z INFO   File
>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
>> line 614, in run_script
>>     return_value = main_function()
>>
>> Any ideas would be helpful.
>>
>> Thanks
>
>



-- 
Scott Ryan
Mobile +44 (0)7511803027
Skype - scottlryan

More information about the Freeipa-users mailing list