[Freeipa-users] Setup of freeipa 4.1.3 failed
Endi Sukma Dewata
edewata at redhat.com
Wed Apr 1 21:56:51 UTC 2015
On 4/1/2015 4:29 PM, Markus Roth wrote:
> Am Mittwoch, 1. April 2015, 16:04:54 schrieben Sie:
>> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
>>>>> On 03/31/2015 01:54 PM, Markus Roth wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21.
>>>
>>>>>> The ipa-server-install shows the following output:
>>> ...
>>>
>>>>>> Done configuring directory server (dirsrv).
>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3
>>>>>> minutes 30
>>>>>> seconds
>>>>>>
>>>>>> [1/27]: creating certificate server user
>>>>>> [2/27]: configuring certificate server instance
>>>>>> [3/27]: stopping certificate server instance to update CS.cfg
>>>>>> [4/27]: backing up CS.cfg
>>>>>> [5/27]: disabling nonces
>>>>>> [6/27]: set up CRL publishing
>>>>>> [7/27]: enable PKIX certificate path discovery and validation
>>>>>> [8/27]: starting certificate server instance
>>>>>> [error] RuntimeError: CA did not start in 300.0s
>>>>>>
>>>>>> CA did not start in 300.0s
>>>>>>
>>>>>> The ipa server install log shows this:
>>>>>>
>>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>>>
>>> ...
>>>
>>>>>> I uninstalled the ipa server completely several times and installed
>>>>>> it again.
>>>>>> But it always stops at the same step with the setup.
>>>>>>
>>>>>> Can anybody help?
>>>
>>> Based on the IPA install log alone it looks like the DS is already
>>> started, and the Dogtag is already started too in step [3/27]. It's the
>>> restart on step [8/27] that is failing.
>>>
>>> We will need to see the Dogtag debug log in order to know if Dogtag is
>>> indeed failing to restart or the installer for some reason cannot
>>> connect to Dogtag.
>>
>> Hi Markus,
>>
>> Based on the logs that you sent me, the Dogtag took a really long time
>> to start:
>>
>> INFORMATION: Server startup in 739700 ms
>>
>> More than half of that time was spent starting the CA subsystem alone:
>>
>> INFORMATION: Deployment of configuration descriptor /etc/pki
>> /pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms
>>
>> The whole (failed) IPA installation took about 38 minutes. Is this correct?
>>
>> It's possible the system was running out of entropy. You might want to
>> install haveged or rngd. See:
>> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/
>> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-ent
>> ropy-for-cloud-servers-using-haveged
>>
>> However, the system seems to be running very slowly in general. How
>> powerful is this machine?
>
> Hi Endi
>
> the system is a banana pi system. Seems that this ARM CPU based system isn't
> suitable for FreeIPA....
The installation might still succeed if IPA doesn't have the 300s time
limit. If you want to try, you probably can specify a larger
startup_timeout in ~/.ipa/default.conf, or change the code in
ipaplatform/redhat/services.py to wait indefinitely, and see what
happens. I don't know if it will be usable though.
--
Endi S. Dewata
More information about the Freeipa-users
mailing list