[Freeipa-users] freeipa server install fails on fedora 20

Olga Kornievskaia aglo at umich.edu
Tue Sep 9 14:28:19 UTC 2014 

On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 09/08/2014 07:29 PM, Olga Kornievskaia wrote:
>
> Thank you very much for your quick reply.
>
>  It is a brand new fedora 20 vm.
>
>
> OK good.
> Can you send or share the ipa server installation log?
>

Can you please suggest how I can do that? My original post was rejected by
the administrator of this list because I've included the install log that
compressed was  over 5M.


> Are you using a cert from AD and trying to chain to an AD CA?
>

I'm not specifying any cert options on the install command (i.e. I'm using
the default certs supplied with the install).



>
>
>
>
>  There is nothing that's running on port 443.
>
>  catalina.out is empty
> system file is attached and reports that certificate is not in pkcs11
> format.
> pki-ca-spaw.XX.log does not appear to report errors  (also attached)
>
>  Please let me know if I can enable any other debugging into that might
> be useful in figuring this out.
>
>  Thank you.
>
>
> On Mon, Sep 8, 2014 at 5:50 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>  On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:
>>
>>  Can somebody help with the following problem(s) I’ve encountered while
>> trying to install the freeipa server?
>>
>>  Problem #1:
>> On fedora 20, I have:
>> 1. using yum install acquired the free-ipa-server package.
>> 2. ran ipa-server-install
>> — that has failed with “CA did not start in 300s”
>>
>>  One thing that’s noticeable in the logs (the snippet is included below)
>> is that request for request '
>> https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
>> <https://ipa1.gateway.2wire.net/ca/admin/ca/getStatus%27>
>>
>>  has 443 as port as for before all the requests for 8443 (e.g.., same
>> (manual) request on port 8443 succeeds). Seems like an install script
>> somewhere has the wrong port ?
>>
>>
>>  443 is the right port.
>> Do you have something already running on the same box on that port?
>> That might prevent things from installing and running.
>>
>> Please try on a clean machine or VM.
>> Also more logs will be helpful.
>> Please see this [1] on how to troubleshoot.
>>
>> The second problem is most likely an artifact of the incomplete install.
>>
>> [1] http://www.freeipa.org/page/Troubleshooting
>>
>>
>>  2014-09-08T19:21:07Z DEBUG Waiting for CA to start...
>>
>> 2014-09-08T19:21:08Z DEBUG request '
>> https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
>>
>> 2014-09-08T19:21:08Z DEBUG request body ''
>>
>> 2014-09-08T19:21:08Z DEBUG request status 503
>>
>> 2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service Unavailable'
>>
>> 2014-09-08T19:21:08Z DEBUG request headers {'date': 'Mon, 08 Sep 2014
>> 19:21:08 GMT', 'content-length': '299', 'content-type': 'text/html;
>> charset=iso-8859-1', 'connection': 'close', 'server': 'Apache/2.4.10
>> (Fedora) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC mod_wsgi/3.5
>> Python/2.7.5'}2014-09-08T19:21:08Z DEBUG request body '<!DOCTYPE HTML
>> PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>503 Service
>> Unavailable</title>\n</head><body>\n<h1>Service Unavailable</h1>\n<p>The
>> server is temporarily unable to service your\nrequest due to maintenance
>> downtime or capacity\nproblems. Please try again
>> later.</p>\n</body></html>\n'
>>
>> 2014-09-08T19:21:08Z DEBUG The CA status is: Service Unavailable
>>
>>  Problem #2:
>> The next problem I’m encountering and doesn’t seem to be related to the
>> CA setup is on the next step of “kinit admin”. It fails with “generic pre
>> authentication failure while getting initial credentials"
>>
>>  stracing kinit show that it tried to open file “/var/lib/sss/pubconf/
>> kdcinfo.GATEWAY.2WIRE.NET <http://kdcinfo.gateway.2wire.net/>”) and
>> fails with “no such file” error.  “pubconf” dir only has empty
>> “krb5.include.d”.
>>
>>  I don’t know if this failure is due to the fact that the setup didn’t
>> run all the way and some configuration is missing or this is a separate
>> issue .
>>
>>  Are these bugs that need to be filled with bugzilla or am I doing
>> something incorrectly?
>>
>>  Any help would be appreciated.
>>
>>  Thank you.
>>
>>
>>
>>
>>  --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140909/503f28b4/attachment.htm>

More information about the Freeipa-users mailing list