[Freeipa-users] Configuration of CA failed
Martin Basti
mbasti at redhat.com
Thu May 14 17:26:11 UTC 2015
On 14/05/15 13:54, Remigio Moncayo Serrano wrote:
>
> I fail to see the problem in the logs so I’m attaching the file here
>
> *De:*Martin Basti [mailto:mbasti at redhat.com]
> *Enviado el:* jueves, 14 de mayo de 2015 13:05
> *Para:* Remigio Moncayo Serrano; freeipa-users at redhat.com
> *Asunto:* Re: [Freeipa-users] Configuration of CA failed
>
> On 14/05/15 11:58, Remigio Moncayo Serrano wrote:
>
> Hello,
>
> I’ve been put in charge of implementing a solution that uses LDAP
> and kerberos authentication. At first thought I should use
> openLDAP and Kerberos but found freeIPA and looks really cool,
> however, when trying to install I keep getting this error about
> configuration of CA:
>
> The following operations may take some minutes to complete.
>
> Please wait until the prompt is returned.
>
> Configuring NTP daemon (ntpd)
>
> [1/4]: stopping ntpd
>
> [2/4]: writing configuration
>
> [3/4]: configuring ntpd to start on boot
>
> [4/4]: starting ntpd
>
> Done configuring NTP daemon (ntpd).
>
> Configuring directory server for the CA (pkids): Estimated time 30
> seconds
>
> [1/3]: creating directory server user
>
> [2/3]: creating directory server instance
>
> [3/3]: restarting directory server
>
> ipa : CRITICAL Failed to restart the directory server. See
> the installation log for details.
>
> Done configuring directory server for the CA (pkids).
>
> Configuring certificate server (pki-cad): Estimated time 3 minutes
> 30 seconds
>
> [1/20]: creating certificate server user
>
> [2/20]: configuring certificate server instance
>
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipatest.ingenia.local -cs_port 9445 -client_certdb_dir
> /tmp/tmp-ARezzO -client_certdb_pwd XXXXXXXX -preop_pin
> f0dLhx9bLX5qWHYx50h6 -domain_name IPA -admin_user admin
> -admin_email root at localhost -admin_password XXXXXXXX -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host
> ipatest.ingenia.local -ldap_port 7389 -bind_dn cn=Directory
> Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
> -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad
> -token_name internal -ca_subsystem_cert_subject_name CN=CA
> Subsystem,O=INGENIA.LOCAL -ca_subsystem_cert_subject_name CN=CA
> Subsystem,O=INGENIA.LOCAL -ca_ocsp_cert_subject_name CN=OCSP
> Subsystem,O=INGENIA.LOCAL -ca_server_cert_subject_name
> CN=ipatest.ingenia.local,O=INGENIA.LOCAL
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=INGENIA.LOCAL
> -ca_sign_cert_subject_name CN=Certificate
> Authority,O=INGENIA.LOCAL -external false -clone false' returned
> non-zero exit status 255
>
> Configuration of CA failed
>
> I’m including two install logs, one with dns-setup and the other
> without it. Don’t really know what I’m doing wrong, thought maybe
> I should allow connections to certain ports in ip tables or
> something but have no clue really and I’m quite new to this, help
> please..
>
> Regards,
>
> Remigio
>
>
>
> Hello,
>
> can you please check error logs of DS?
> /var/log/dirsrv/slapd-*/errors
>
> And please post here an error why DS restart failed.
>
> Martin
>
> --
> Martin Basti
indeed, log looks good.
There is some issue that IPA cannot verify DS on port 7389.
Can you answer the questions asked by Martin Kosek, please?
Martin
--
Martin Basti
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150514/140b2fe8/attachment.htm>
More information about the Freeipa-users
mailing list