[Freeipa-users] Setup of freeipa 4.1.3 failed

Markus Roth markus at die5roths.de
Wed Apr 1 22:06:08 UTC 2015


On Wednesday, 1 April 2015, 16:56:51, Endi Sukma Dewata wrote:
> On 4/1/2015 4:29 PM, Markus Roth wrote:
> > On Wednesday, 1 April 2015, 16:04:54, you wrote:
> >> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
> >>>>> On 03/31/2015 01:54 PM, Markus Roth wrote:
> >>>>>> Hi all,
> >>>>>> 
> >>>>>> I want to set up FreeIPA 4.1.3 on a freshly installed Fedora 21.
> >>> 
> >>>>>> The ipa-server-install shows the following output:
> >>> ...
> >>> 
> >>>>>> Done configuring directory server (dirsrv).
> >>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
> >>>>>> 
> >>>>>>      [1/27]: creating certificate server user
> >>>>>>      [2/27]: configuring certificate server instance
> >>>>>>      [3/27]: stopping certificate server instance to update CS.cfg
> >>>>>>      [4/27]: backing up CS.cfg
> >>>>>>      [5/27]: disabling nonces
> >>>>>>      [6/27]: set up CRL publishing
> >>>>>>      [7/27]: enable PKIX certificate path discovery and validation
> >>>>>>      [8/27]: starting certificate server instance
> >>>>>>      [error] RuntimeError: CA did not start in 300.0s
> >>>>>> 
> >>>>>> CA did not start in 300.0s
> >>>>>> 
> >>>>>> The ipa server install log shows this:
> >>>>>> 
> >>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
> >>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
> >>> 
> >>> ...
> >>> 
> >>>>>> I uninstalled the ipa server completely several times and installed
> >>>>>> it again.
> >>>>>> But it always stops at the same step with the setup.
> >>>>>> 
> >>>>>> Can anybody help?
> >>> 
> >>> Based on the IPA install log alone it looks like the DS is already
> >>> started, and the Dogtag is already started too in step [3/27]. It's the
> >>> restart on step [8/27] that is failing.
> >>> 
> >>> We will need to see the Dogtag debug log in order to know if Dogtag is
> >>> indeed failing to restart or the installer for some reason cannot
> >>> connect to Dogtag.
> >> 
> >> Hi Markus,
> >> 
> >> Based on the logs that you sent me, the Dogtag took a really long time
> >> to start:
> >> 
> >>     INFORMATION: Server startup in 739700 ms
> >> 
> >> More than half of that time was spent starting the CA subsystem alone:
> >>     INFORMATION: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms
> >> 
> >> The whole (failed) IPA installation took about 38 minutes. Is this
> >> correct?
> >> 
> >> It's possible the system was running out of entropy. You might want to
> >> install haveged or rngd. See:
> >> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/
> >> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged
> >> 
> >> However, the system seems to be running very slowly in general. How
> >> powerful is this machine?
> > 
> > Hi Endi
> > 
> > the system is a banana pi system. Seems that this ARM CPU based system
> > isn't suitable for FreeIPA....
> 
> The installation might still succeed if IPA doesn't have the 300s time
> limit. If you want to try, you probably can specify a larger
> startup_timeout in ~/.ipa/default.conf, or change the code in
> ipaplatform/redhat/services.py to wait indefinitely, and see what
> happens. I don't know if it will be usable though.

I will try it in the next few days. I'll give feedback if IPA is suitable as a small
server (four users).
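
An added example, not part of the original thread and not FreeIPA or Dogtag code: a small Python check that compares the Tomcat timings quoted above against the installer's 300 s limit and reads the kernel's entropy estimate. The sample log is constructed from the two lines quoted in the thread; the function names are hypothetical.

```python
import re

# Installer limit taken from the error in the thread ("CA did not start in 300.0s").
IPA_TIMEOUT_S = 300.0

# Constructed sample: the two Tomcat lines quoted in the thread.
SAMPLE_LOG = """\
INFORMATION: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms
INFORMATION: Server startup in 739700 ms
"""

DEPLOY_RE = re.compile(
    r"Deployment of configuration descriptor (\S+) has finished in ([\d,]+) ms")
STARTUP_RE = re.compile(r"Server startup in ([\d,]+) ms")


def _seconds(ms_text):
    """Convert '393,390' or '739700' (milliseconds) to float seconds."""
    return int(ms_text.replace(",", "")) / 1000.0


def analyse(log_text, timeout_s=IPA_TIMEOUT_S):
    """Return startup timings and whether they exceed the installer timeout."""
    deployments, startup = {}, None
    for line in log_text.splitlines():
        m = DEPLOY_RE.search(line)
        if m:
            deployments[m.group(1)] = _seconds(m.group(2))
            continue
        m = STARTUP_RE.search(line)
        if m:
            startup = _seconds(m.group(1))
    return {
        "startup_s": startup,
        "deployments_s": deployments,
        "over_timeout": startup is not None and startup > timeout_s,
        # Web applications whose deployment alone exceeds the timeout.
        "slow_webapps": sorted(p for p, s in deployments.items() if s > timeout_s),
    }


def entropy_avail(path="/proc/sys/kernel/random/entropy_avail"):
    """Read the kernel's entropy estimate on Linux; None if it cannot be read."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
    print("entropy_avail:", entropy_avail())
```
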



