[Freeipa-users] Unable to Install IPA

Rob Crittenden rcritten at redhat.com
Sat Feb 28 06:18:06 UTC 2015


Hadoop Solutions wrote:
> Hi Rob,
> 
> Please find attached the log /var/log/ipaserver-install.log.
> 
> Kindly let me know the solution for this.

Can you see if you have any SELinux failures?

# ausearch -m AVC -ts recent

I see some SELinux errors in the log. Not sure if this is it or not but
for some reason the dogtag SELinux policy doesn't always install
correctly. The fix seems to be to re-install the pki-selinux package.

You'll also need to run pkiremove manually after running
ipa-server-install --uninstall. It doesn't always record the fact that a
service install is attempted and fails.

# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

rob

> 
> Thanks,
> Shaik
> 
> On 28 February 2015 at 11:29, Rob Crittenden <rcritten at redhat.com> wrote:
> 
>     Hadoop Solutions wrote:
>     > Hi,
>     >
>     > I am trying to install IPA on RHEL 6, but I am getting the following errors
>     > while installing IPA.
>     >
>     > Configuring certificate server (pki-cad): Estimated time 3 minutes 30
>     > seconds
>     >   [1/20]: creating certificate server user
>     >   [2/20]: configuring certificate server instance
>     > ipa         : CRITICAL failed to configure ca instance Command
>     > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>     > sv2lxdpdsedi02.corp.equinix.com
>     > -cs_port 9445 -client_certdb_dir /tmp/tmp-ipQMeE -client_certdb_pwd
>     > XXXXXXXX -preop_pin rYjqarUHssRQtfthaFFT -domain_name IPA -admin_user
>     > admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name
>     > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>     > -agent_cert_subject CN=ipa-ca-agent,O=LAB.BDP -ldap_host
>     > sv2lxdpdsedi02.corp.equinix.com
>     > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
>     > -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
>     > -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
>     > -subsystem_name pki-cad -token_name internal
>     > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP
>     > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP
>     > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LAB.BDP
>     > -ca_server_cert_subject_name CN=sv2lxdpdsedi02.corp.equinix.com,O=LAB.BDP
>     > -ca_audit_signing_cert_subject_name CN=CA Audit,O=LAB.BDP
>     > -ca_sign_cert_subject_name CN=Certificate Authority,O=LAB.BDP -external
>     > false -clone false' returned non-zero exit status 255
>     > Configuration of CA failed
> 
>     You'll find more relevant error messages in the full
>     /var/log/ipaserver-install.log and /var/log/pki-ca/debug
> 
>     rob
> 
> 
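
Added example, not part of the original thread and not FreeIPA project code: a POSIX shell helper that groups the output of the `ausearch -m AVC -ts recent` check from the reply by source type, command, permission and target, so dogtag-related denials stand out. The audit records, including the `pki_ca_t` type in them, are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials so dogtag (pki) ones stand out.
# Real use:  ausearch -m AVC -ts recent | summarize_avc

# Constructed sample records in ausearch's output layout (not from the thread).
sample_avc() {
cat <<'EOF'
----
time->Sat Feb 28 06:10:01 2015
type=AVC msg=audit(1425103801.101:451): avc:  denied  { read } for  pid=4321 comm="java" name="CS.cfg" dev=dm-0 ino=131 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
time->Sat Feb 28 06:10:02 2015
type=AVC msg=audit(1425103802.207:452): avc:  denied  { read } for  pid=4321 comm="java" name="CS.cfg" dev=dm-0 ino=131 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
time->Sat Feb 28 06:10:05 2015
type=AVC msg=audit(1425103805.310:453): avc:  denied  { name_bind } for  pid=4321 comm="java" src=9445 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Sat Feb 28 06:11:40 2015
type=AVC msg=audit(1425103900.512:460): avc:  denied  { getattr } for  pid=2200 comm="httpd" path="/tmp/x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF
}

# Print "count source_type comm permissions target_type class", most frequent first.
summarize_avc() {
    awk '
    /avc:[ ]+denied/ {
        perm = ""; comm = ""; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++) perm = perm (perm ? "," : "") $j
            } else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        seen[stype " " comm " " perm " " ttype " " tclass]++
    }
    END { for (k in seen) print seen[k], k }' | sort -k1,1nr -k2
}

# Count denials whose source type starts with pki_ (assumed dogtag policy prefix).
pki_denial_count() {
    summarize_avc | awk '$2 ~ /^pki_/ { n += $1 } END { print n + 0 }'
}

sample_avc | summarize_avc
```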



