[Freeipa-users] freeipa server install fails on fedora 20

Dmitri Pal dpal at redhat.com
Mon Sep 8 23:41:57 UTC 2014 

On 09/08/2014 07:29 PM, Olga Kornievskaia wrote:
> Thank you very much for your quick reply.
>
> It is a brand new fedora 20 vm.

OK good.
Can you send or share the ipa server installation log?

Are you using a cert from AD and trying to chain to an AD CA?


>
> There is nothing that's running on port 443.
>
> catalina.out is empty
> system file is attached and reports that certificate is not in pkcs11 
> format.
> pki-ca-spaw.XX.log does not appear to report errors  (also attached)
>
> Please let me know if I can enable any other debugging into that might 
> be useful in figuring this out.
>
> Thank you.
>
>
> On Mon, Sep 8, 2014 at 5:50 PM, Dmitri Pal <dpal at redhat.com 
> <mailto:dpal at redhat.com>> wrote:
>
>     On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:
>>     Can somebody help with the following problem(s) I’ve encountered
>>     while trying to install the freeipa server?
>>
>>     Problem #1:
>>     On fedora 20, I have:
>>     1. using yum install acquired the free-ipa-server package.
>>     2. ran ipa-server-install
>>     — that has failed with “CA did not start in 300s”
>>
>>     One thing that’s noticeable in the logs (the snippet is included
>>     below) is that request for request
>>     'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
>>     <https://ipa1.gateway.2wire.net/ca/admin/ca/getStatus%27>
>>
>>     has 443 as port as for before all the requests for 8443 (e.g..,
>>     same (manual) request on port 8443 succeeds). Seems like an
>>     install script somewhere has the wrong port ?
>
>     443 is the right port.
>     Do you have something already running on the same box on that port?
>     That might prevent things from installing and running.
>
>     Please try on a clean machine or VM.
>     Also more logs will be helpful.
>     Please see this [1] on how to troubleshoot.
>
>     The second problem is most likely an artifact of the incomplete
>     install.
>
>     [1] http://www.freeipa.org/page/Troubleshooting
>
>>
>>     2014-09-08T19:21:07Z DEBUG Waiting for CA to start...
>>
>>     2014-09-08T19:21:08Z DEBUG request
>>     'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
>>
>>     2014-09-08T19:21:08Z DEBUG request body ''
>>
>>     2014-09-08T19:21:08Z DEBUG request status 503
>>
>>     2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service
>>     Unavailable'
>>
>>     2014-09-08T19:21:08Z DEBUG request headers {'date': 'Mon, 08 Sep
>>     2014 19:21:08 GMT', 'content-length': '299', 'content-type':
>>     'text/html; charset=iso-8859-1', 'connection': 'close', 'server':
>>     'Apache/2.4.10 (Fedora) mod_auth_kerb/5.4 mod_nss/2.4.6
>>     NSS/3.15.3 Basic ECC mod_wsgi/3.5
>>     Python/2.7.5'}2014-09-08T19:21:08Z DEBUG request body '<!DOCTYPE
>>     HTML PUBLIC "-//IETF//DTD HTML
>>     2.0//EN">\n<html><head>\n<title>503 Service
>>     Unavailable</title>\n</head><body>\n<h1>Service
>>     Unavailable</h1>\n<p>The server is temporarily unable to service
>>     your\nrequest due to maintenance downtime or capacity\nproblems.
>>     Please try again later.</p>\n</body></html>\n'
>>
>>     2014-09-08T19:21:08Z DEBUG The CA status is: Service Unavailable
>>
>>
>>     Problem #2:
>>     The next problem I’m encountering and doesn’t seem to be related
>>     to the CA setup is on the next step of “kinit admin”. It fails
>>     with “generic pre authentication failure while getting initial
>>     credentials"
>>
>>     stracing kinit show that it tried to open file
>>     “/var/lib/sss/pubconf/kdcinfo.GATEWAY.2WIRE.NET
>>     <http://kdcinfo.gateway.2wire.net/>”) and fails with “no such
>>     file” error.  “pubconf” dir only has empty “krb5.include.d”.
>>
>>     I don’t know if this failure is due to the fact that the setup
>>     didn’t run all the way and some configuration is missing or this
>>     is a separate issue .
>>
>>     Are these bugs that need to be filled with bugzilla or am I doing
>>     something incorrectly?
>>
>>     Any help would be appreciated.
>>
>>     Thank you.
>>
>>
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
>
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go To http://freeipa.org for more info on the project
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140908/32fbb721/attachment.htm>

More information about the Freeipa-users mailing list