[Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4
Rob Crittenden
rcritten at redhat.com
Tue Jun 2 18:43:46 UTC 2015
bahan w wrote:
> Hello everyone.
>
> @Rob, I checked indeed in the logs /var/log/pki-ca and there was a
> problem, so I performed the pki-remove command :
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
>
> After this, I was able to reproduce my initial error with the permission
> denied.
> The permission denied was occurring because the /var logical volume had a
> noexec option in the /etc/fstab.
>
> Modifying this to exec solved my problem.
> By the way, I'm not sure this is normal to execute script in /var. If I
> remember well, it was not designed for this, am I wrong?
>
> Thank you everyone for your answers, it helped a lot.
Can you be more specific on what script was being executed? It sounds a
bit odd but it may be instance-specific scripts.
rob
>
> Best regards.
>
> Bahan
>
> On Mon, Jun 1, 2015 at 4:58 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> bahan w wrote:
>
> Hello everyone.
>
> I modified the /etc/selinux/config file :
> #########################################################
> # This file controls the state of SELinux on the system.
> # SELINUX=disabled
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - SELinux is fully disabled.
> SELINUX=permissive
> # SELINUXTYPE= type of policy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted
> #########################################################
>
> Then I rebooted.
> #########################################################
> reboot
> #########################################################
>
> Here is the result of getenforce :
> #########################################################
> Permissive
> #########################################################
>
> I removed the ipa-server that I had and I tried the 3.0.0-42 :
> #########################################################
> yum install ipa-server-3.0.0-42.el6.x86_64
> Loaded plugins: security
> Setting up Install Process
> Resolving Dependencies
> --> Running transaction check
> ---> Package ipa-server.x86_64 0:3.0.0-42.el6 will be installed
> --> Processing Dependency: ipa-client = 3.0.0-42.el6 for package:
> ipa-server-3.0.0-42.el6.x86_64
> --> Processing Dependency: ipa-admintools = 3.0.0-42.el6 for
> package:
> ipa-server-3.0.0-42.el6.x86_64
> --> Processing Dependency: ipa-python = 3.0.0-42.el6 for package:
> ipa-server-3.0.0-42.el6.x86_64
> --> Processing Dependency: ipa-server-selinux = 3.0.0-42.el6 for
> package: ipa-server-3.0.0-42.el6.x86_64
> --> Running transaction check
> ---> Package ipa-admintools.x86_64 0:3.0.0-42.el6 will be installed
> ---> Package ipa-client.x86_64 0:3.0.0-42.el6 will be installed
> ---> Package ipa-python.x86_64 0:3.0.0-42.el6 will be installed
> ---> Package ipa-server-selinux.x86_64 0:3.0.0-42.el6 will be
> installed
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> ======================================================================================================================================
> Package Arch
> Version Repository Size
> ======================================================================================================================================
> Installing:
> ipa-server x86_64
> 3.0.0-42.el6 standard 1.1 M
> Installing for dependencies:
> ipa-admintools x86_64
> 3.0.0-42.el6 standard 67 k
> ipa-client x86_64
> 3.0.0-42.el6 standard 145 k
> ipa-python x86_64
> 3.0.0-42.el6 standard 928 k
> ipa-server-selinux x86_64
> 3.0.0-42.el6 standard 66 k
>
> Transaction Summary
> ======================================================================================================================================
> Install 5 Package(s)
>
> Total download size: 2.3 M
> Installed size: 9.2 M
> Is this ok [y/N]: y
> Downloading Packages:
> (1/5):
> ipa-admintools-3.0.0-42.el6.x86_64.rpm
> | 67 kB 00:00
> (2/5):
> ipa-client-3.0.0-42.el6.x86_64.rpm
> | 145 kB 00:00
> (3/5):
> ipa-python-3.0.0-42.el6.x86_64.rpm
> | 928 kB 00:00
> (4/5):
> ipa-server-3.0.0-42.el6.x86_64.rpm
> | 1.1 MB 00:00
> (5/5):
> ipa-server-selinux-3.0.0-42.el6.x86_64.rpm
> | 66 kB 00:00
> --------------------------------------------------------------------------------------------------------------------------------------
> Total
> 6.8 MB/s | 2.3 MB 00:00
> Running rpm_check_debug
> Running Transaction Test
> Transaction Test Succeeded
> Running Transaction
> Installing :
> ipa-python-3.0.0-42.el6.x86_64
> 1/5
> Installing :
> ipa-client-3.0.0-42.el6.x86_64
> 2/5
> Installing :
> ipa-admintools-3.0.0-42.el6.x86_64
> 3/5
> Installing :
> ipa-server-3.0.0-42.el6.x86_64
> 4/5
> Installing :
> ipa-server-selinux-3.0.0-42.el6.x86_64
> 5/5
> libsepol.print_missing_requirements: ipa_dogtag's global
> requirements
> were not met: type/attribute pki_ca_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such
> file or
> directory).
> semodule: Failed!
> Verifying :
> ipa-server-3.0.0-42.el6.x86_64
> 1/5
> Verifying :
> ipa-server-selinux-3.0.0-42.el6.x86_64
> 2/5
> Verifying :
> ipa-python-3.0.0-42.el6.x86_64
> 3/5
> Verifying :
> ipa-client-3.0.0-42.el6.x86_64
> 4/5
> Verifying :
> ipa-admintools-3.0.0-42.el6.x86_64
> 5/5
>
> Installed:
> ipa-server.x86_64 0:3.0.0-42.el6
>
> Dependency Installed:
> ipa-admintools.x86_64 0:3.0.0-42.el6
> ipa-client.x86_64
> 0:3.0.0-42.el6 ipa-python.x86_64 0:3.0.0-42.el6
> ipa-server-selinux.x86_64 0:3.0.0-42.el6
>
> Complete!
> #########################################################
>
> The errors linked with dogtag are still there.
> Now, when I tried to run the ipa-server-install command here is
> what I
> have :
> #########################################################
> Continue to configure the system with these values? [no]: yes
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server for the CA (pkids): Estimated time
> 30 seconds
> [1/3]: creating directory server user
> [2/3]: creating directory server instance
> [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3
> minutes 30
> seconds
> [1/20]: creating certificate server user
> [2/20]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST
> -cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw -client_certdb_pwd
> XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ -domain_name IPA
> -admin_user
> admin -admin_email root at localhost -admin_password XXXXXXXX
> -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
> XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM
> -ca_server_cert_subject_name CN=MYHOST,O=MYREALM
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM
> -ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM
> -external
> false -clone false' returned non-zero exit status 255
> Configuration of CA failed
> #########################################################
>
> And here is what I found in the ipaserver-install.log :
> #########################################################
> 2015-06-01T07:38:43Z DEBUG stderr=Exception: Unable to Send
> Request:java.net.ConnectException: Connection refused
> java.net.ConnectException: Connection refused
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:385)
> at java.net.Socket.connect(Socket.java:546)
> at java.net.Socket.connect(Socket.java:495)
> at java.net.Socket.<init>(Socket.java:392)
> at java.net.Socket.<init>(Socket.java:235)
> at HTTPClient.sslConnect(HTTPClient.java:326)
> at ConfigureCA.LoginPanel(ConfigureCA.java:244)
> at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> at ConfigureCA.main(ConfigureCA.java:1672)
> java.lang.NullPointerException
> at ConfigureCA.LoginPanel(ConfigureCA.java:245)
> at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> at ConfigureCA.main(ConfigureCA.java:1672)
>
> 2015-06-01T07:38:43Z CRITICAL failed to configure ca instance
> Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST
> -cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw -client_certdb_pwd
> XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ -domain_name IPA
> -admin_user
> admin -admin_email root at localhost -admin_password XXXXXXXX
> -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
> XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM
> -ca_server_cert_subject_name CN=MYHOST,O=MYREALM
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM
> -ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM
> -external
> false -clone false' returned non-zero exit status 255
> 2015-06-01T07:38:43Z INFO File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
> line 614, in run_script
> return_value = main_function()
>
> File "/usr/sbin/ipa-server-install", line 942, in main
> subject_base=options.subject)
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line
> 626, in configure_instance
> self.start_creation(runtime=210)
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
> line 358, in start_creation
> method()
>
> File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line
> 888, in __configure_instance
> raise RuntimeError('Configuration of CA failed')
>
> 2015-06-01T07:38:43Z INFO The ipa-server-install command failed,
> exception: RuntimeError: Configuration of CA failed
> #########################################################
>
> I'm not really sure permissive mode with SELinux is helping in fact.
>
>
> I'd poke around in the CA logs in /var/log/pki-ca. It may be that
> the CA isn't really starting up, or the web app isn't starting.
> There are a lot of red herrings in the logs, and things can cascade,
> so I'd start at the top and work my way down.
>
> rob
>
>
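The diagnosis in this thread (a permission denied caused by /var being mounted noexec) as an added example, not code from the thread or from FreeIPA: a POSIX shell check that finds the deepest mount point containing a path in a /proc/mounts-style table and reports whether that mount carries noexec. The mount table below is constructed for the example; the path /var/lib/pki-ca is the instance root named in the thread, and calling the functions without a table argument reads the live /proc/mounts instead.

```shell
#!/bin/sh
# Added example (not part of the original thread): detect whether a path
# sits on a filesystem mounted with noexec by longest-prefix matching the
# mount points in a /proc/mounts-style table.

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-varlog /var/log ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_options_for PATH [MOUNTS_TABLE]
# Prints "<mountpoint> <options>" for the deepest mount point that contains
# PATH. Without a second argument the live /proc/mounts is used.
mount_options_for() {
    path=$1
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v p="$path" '
        {
            mp = $2
            # A mount point contains the path when they are equal, when the
            # mount point is the root, or when the path starts with "mp/".
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > best_len) {
                    best_len = length(mp); best_mp = mp; best_opts = $4
                }
            }
        }
        END { if (best_mp != "") print best_mp, best_opts }'
}

# is_noexec PATH [MOUNTS_TABLE]
# Exit status 0 when the mount containing PATH has the noexec option,
# 1 otherwise (including when no mount point matches).
is_noexec() {
    opts=$(mount_options_for "$1" "$2" | awk '{print $2}')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Walk-through against the constructed table; the live table is the default.
for p in /var/lib/pki-ca /var/log/pki-ca /usr/bin/pkisilent /tmp/tmp-nbZ4fw; do
    mp=$(mount_options_for "$p" "$SAMPLE_MOUNTS" | awk '{print $1}')
    if is_noexec "$p" "$SAMPLE_MOUNTS"; then
        echo "$p: mount $mp has noexec, executing files here will be denied"
    else
        echo "$p: mount $mp allows execution"
    fi
done
```

Running the check against the live table before an installer that writes and executes instance files under /var (or /tmp, which is commonly mounted noexec too) turns an opaque "permission denied" into a direct answer. One caveat: /proc/mounts escapes spaces in mount points as `\040`, which this simple field split does not decode.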