[Freeipa-users] Setup of freeipa 4.1.3 failed

Tue Mar 31 17:58:10 UTC 2015

On 03/31/2015 01:54 PM, Markus Roth wrote:
> Hi all,
>
> I want setup freeipa 4.1.3 on a fresh installed fedora 21.
> The ipa-server-install shows the following output:
>
> configuring NTP daemon (ntpd)
>    [1/4]: stopping ntpd
>    [2/4]: writing configuration
>    [3/4]: configuring ntpd to start on boot
>    [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
>    [1/38]: creating directory server user
>    [2/38]: creating directory server instance
>    [3/38]: adding default schema
>    [4/38]: enabling memberof plugin
>    [5/38]: enabling winsync plugin
>    [6/38]: configuring replication version plugin
>    [7/38]: enabling IPA enrollment plugin
>    [8/38]: enabling ldapi
>    [9/38]: configuring uniqueness plugin
>    [10/38]: configuring uuid plugin
>    [11/38]: configuring modrdn plugin
>    [12/38]: configuring DNS plugin
>    [13/38]: enabling entryUSN plugin
>    [14/38]: configuring lockout plugin
>    [15/38]: creating indices
>    [16/38]: enabling referential integrity plugin
>    [17/38]: configuring certmap.conf
>    [18/38]: configure autobind for root
>    [19/38]: configure new location for managed entries
>    [20/38]: configure dirsrv ccache
>    [21/38]: enable SASL mapping fallback
>    [22/38]: restarting directory server
>    [23/38]: adding default layout
>    [24/38]: adding delegation layout
>    [25/38]: creating container for managed entries
>    [26/38]: configuring user private groups
>    [27/38]: configuring netgroups from hostgroups
>    [28/38]: creating default Sudo bind user
>    [29/38]: creating default Auto Member layout
>    [30/38]: adding range check plugin
>    [31/38]: creating default HBAC rule allow_all
>    [32/38]: initializing group membership
>    [33/38]: adding master entry
>    [34/38]: configuring Posix uid/gid generation
>    [35/38]: adding replication acis
>    [36/38]: enabling compatibility plugin
>    [37/38]: tuning directory server
>    [38/38]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
> seconds
>    [1/27]: creating certificate server user
>    [2/27]: configuring certificate server instance
>    [3/27]: stopping certificate server instance to update CS.cfg
>    [4/27]: backing up CS.cfg
>    [5/27]: disabling nonces
>    [6/27]: set up CRL publishing
>    [7/27]: enable PKIX certificate path discovery and validation
>    [8/27]: starting certificate server instance
>    [error] RuntimeError: CA did not start in 300.0s
> CA did not start in 300.0s
>
> The ipa server install log shows this:
>
> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
> 2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 382, in start_creation
>      run_step(full_msg, method)
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 372, in run_step
>      method()
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 526, in __start
>      self.start()
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 279, in start
>      self.service.start(instance_name, capture_output=capture_output,
> wait=wait)
>    File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
> 229, in start
>      self.wait_until_running()
>    File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
> 223, in wait_until_running
>      raise RuntimeError('CA did not start in %ss' % timeout)
> RuntimeError: CA did not start in 300.0s
>
> 2015-03-31T17:39:36Z DEBUG   [error] RuntimeError: CA did not start in 300.0s
> 2015-03-31T17:39:36Z DEBUG   File "/usr/lib/python2.7/site-
> packages/ipaserver/install/installutils.py", line 642, in run_script
>      return_value = main_function()
>
>    File "/usr/sbin/ipa-server-install", line 1183, in main
>      ca_signing_algorithm=options.ca_signing_algorithm)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 520, in configure_instance
>      self.start_creation(runtime=210)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 382, in start_creation
>      run_step(full_msg, method)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 372, in run_step
>      method()
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 526, in __start
>      self.start()
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 279, in start
>      self.service.start(instance_name, capture_output=capture_output,
> wait=wait)
>
>    File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
> 229, in start
>      self.wait_until_running()
>
>    File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
> 223, in wait_until_running
>      raise RuntimeError('CA did not start in %ss' % timeout)
>
> 2015-03-31T17:39:36Z DEBUG The ipa-server-install command failed, exception:
> RuntimeError: CA did not start in 300.0s
>
> I uninstalled the ipa server completely several times and installed it again.
> But it always stops at the same step with the setup.
>
> Can anybody help?
>
> Markus.
>
Please provide install logs, and look at directory server and PKI server 
logs created during the installation.
It seems that Dogtag did not start. It usually does not start when the 
DS under it does not start. The logs would show that.
DS does not start does because of different issues. Can bind to the port 
for example. So please review the logs and see what they reveal.

This might help you with details http://www.freeipa.org/page/Troubleshooting

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.