[Freeipa-users] freeipa server install fails on fedora 20

Olga Kornievskaia aglo at umich.edu
Tue Sep 9 15:27:14 UTC 2014 

On Tue, Sep 9, 2014 at 10:41 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Olga Kornievskaia wrote:
> >
> >
> > On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal <dpal at redhat.com
> > <mailto:dpal at redhat.com>> wrote:
> >
> >     On 09/08/2014 07:29 PM, Olga Kornievskaia wrote:
> >>     Thank you very much for your quick reply.
> >>
> >>     It is a brand new fedora 20 vm.
> >
> >     OK good.
> >     Can you send or share the ipa server installation log?
> >
> >
> > Can you please suggest how I can do that? My original post was rejected
> > by the administrator of this list because I've included the install log
> > that compressed was  over 5M.
>
> If you have a web/ftp server available you can put it there for download.
>

I have put the files in google drive and they should be accessible via this
link:
freeipa-install-logs -
https://drive.google.com/folderview?id=0B7NX-2naBL7GWXVIOS11YnZLZWM&usp=sharing

Please let me know if there are problems accessing it.


>
> I'd look at the catalina.* logs in /var/log/pki/pki-tomcat and debug in
> the ca subdirectory. Those are more likely to hold startup failures.
>

I have included the "debug", "ca-spawn", and snippet of "journalctl" output
files. Personally, I wasn't able to find any error messages in there.

Thank you.


> journalctl may hold information on why it didn't start too.
>
> Incidentally, the second problem is likely related to the first. The
> installation didn't succeed so the system state is indeterminate.



>
> rob
>
> >
> >
> >     Are you using a cert from AD and trying to chain to an AD CA?
> >
> >
> > I'm not specifying any cert options on the install command (i.e. I'm
> > using the default certs supplied with the install).
> >
> >
> >
> >
> >
> >
> >>
> >>     There is nothing that's running on port 443.
> >>
> >>     catalina.out is empty
> >>     system file is attached and reports that certificate is not in
> >>     pkcs11 format.
> >>     pki-ca-spaw.XX.log does not appear to report errors  (also attached)
> >>
> >>     Please let me know if I can enable any other debugging into that
> >>     might be useful in figuring this out.
> >>
> >>     Thank you.
> >>
> >>
> >>     On Mon, Sep 8, 2014 at 5:50 PM, Dmitri Pal <dpal at redhat.com
> >>     <mailto:dpal at redhat.com>> wrote:
> >>
> >>         On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:
> >>>         Can somebody help with the following problem(s) I’ve
> >>>         encountered while trying to install the freeipa server?
> >>>
> >>>         Problem #1:
> >>>         On fedora 20, I have:
> >>>         1. using yum install acquired the free-ipa-server package.
> >>>         2. ran ipa-server-install
> >>>         — that has failed with “CA did not start in 300s”
> >>>
> >>>         One thing that’s noticeable in the logs (the snippet is
> >>>         included below) is that request for request
> >>>         'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
> >>>         <https://ipa1.gateway.2wire.net/ca/admin/ca/getStatus%27>
> >>>
> >>>         has 443 as port as for before all the requests for 8443
> >>>         (e.g.., same (manual) request on port 8443 succeeds). Seems
> >>>         like an install script somewhere has the wrong port ?
> >>
> >>         443 is the right port.
> >>         Do you have something already running on the same box on that
> >>         port?
> >>         That might prevent things from installing and running.
> >>
> >>         Please try on a clean machine or VM.
> >>         Also more logs will be helpful.
> >>         Please see this [1] on how to troubleshoot.
> >>
> >>         The second problem is most likely an artifact of the
> >>         incomplete install.
> >>
> >>         [1] http://www.freeipa.org/page/Troubleshooting
> >>
> >>>
> >>>         2014-09-08T19:21:07Z DEBUG Waiting for CA to start...
> >>>
> >>>         2014-09-08T19:21:08Z DEBUG request
> >>>         'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
> >>>
> >>>         2014-09-08T19:21:08Z DEBUG request body ''
> >>>
> >>>         2014-09-08T19:21:08Z DEBUG request status 503
> >>>
> >>>         2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service
> >>>         Unavailable'
> >>>
> >>>         2014-09-08T19:21:08Z DEBUG request headers {'date': 'Mon, 08
> >>>         Sep 2014 19:21:08 GMT', 'content-length': '299',
> >>>         'content-type': 'text/html; charset=iso-8859-1',
> >>>         'connection': 'close', 'server': 'Apache/2.4.10 (Fedora)
> >>>         mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC
> >>>         mod_wsgi/3.5 Python/2.7.5'}2014-09-08T19:21:08Z DEBUG request
> >>>         body '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
> >>>         2.0//EN">\n<html><head>\n<title>503 Service
> >>>         Unavailable</title>\n</head><body>\n<h1>Service
> >>>         Unavailable</h1>\n<p>The server is temporarily unable to
> >>>         service your\nrequest due to maintenance downtime or
> >>>         capacity\nproblems. Please try again
> >>>         later.</p>\n</body></html>\n'
> >>>
> >>>         2014-09-08T19:21:08Z DEBUG The CA status is: Service
> Unavailable
> >>>
> >>>
> >>>         Problem #2:
> >>>         The next problem I’m encountering and doesn’t seem to be
> >>>         related to the CA setup is on the next step of “kinit admin”.
> >>>         It fails with “generic pre authentication failure while
> >>>         getting initial credentials"
> >>>
> >>>         stracing kinit show that it tried to open file
> >>>         “/var/lib/sss/pubconf/kdcinfo.GATEWAY.2WIRE.NET
> >>>         <http://kdcinfo.gateway.2wire.net/>”) and fails with “no such
> >>>         file” error.  “pubconf” dir only has empty “krb5.include.d”.
> >>>
> >>>         I don’t know if this failure is due to the fact that the
> >>>         setup didn’t run all the way and some configuration is
> >>>         missing or this is a separate issue .
> >>>
> >>>         Are these bugs that need to be filled with bugzilla or am I
> >>>         doing something incorrectly?
> >>>
> >>>         Any help would be appreciated.
> >>>
> >>>         Thank you.
> >>>
> >>>
> >>
> >>
> >>         --
> >>         Thank you,
> >>         Dmitri Pal
> >>
> >>         Sr. Engineering Manager IdM portfolio
> >>         Red Hat, Inc.
> >>
> >>
> >>         --
> >>         Manage your subscription for the Freeipa-users mailing list:
> >>         https://www.redhat.com/mailman/listinfo/freeipa-users
> >>         Go To http://freeipa.org for more info on the project
> >>
> >>
> >
> >
> >     --
> >     Thank you,
> >     Dmitri Pal
> >
> >     Sr. Engineering Manager IdM portfolio
> >     Red Hat, Inc.
> >
> >
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140909/133422ad/attachment.htm>

More information about the Freeipa-users mailing list