[Freeipa-users] Configuration of CA failed

Martin Basti mbasti at redhat.com
Thu May 14 17:26:11 UTC 2015


On 14/05/15 13:54, Remigio Moncayo Serrano wrote:
>
> I fail to see the problem in the logs so I’m attaching the file here
>
> *From:* Martin Basti [mailto:mbasti at redhat.com]
> *Sent:* Thursday, 14 May 2015 13:05
> *To:* Remigio Moncayo Serrano; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Configuration of CA failed
>
> On 14/05/15 11:58, Remigio Moncayo Serrano wrote:
>
>     Hello,
>
>     I’ve been put in charge of implementing a solution that uses LDAP
>     and kerberos authentication. At first thought I should use
>     openLDAP and Kerberos but found freeIPA and looks really cool,
>     however, when trying to install I keep getting this error about
>     configuration of CA:
>
>     The following operations may take some minutes to complete.
>
>     Please wait until the prompt is returned.
>
>     Configuring NTP daemon (ntpd)
>
>       [1/4]: stopping ntpd
>
>       [2/4]: writing configuration
>
>       [3/4]: configuring ntpd to start on boot
>
>       [4/4]: starting ntpd
>
>     Done configuring NTP daemon (ntpd).
>
>     Configuring directory server for the CA (pkids): Estimated time 30
>     seconds
>
>       [1/3]: creating directory server user
>
>       [2/3]: creating directory server instance
>
>       [3/3]: restarting directory server
>
>     ipa         : CRITICAL Failed to restart the directory server. See
>     the installation log for details.
>
>     Done configuring directory server for the CA (pkids).
>
>     Configuring certificate server (pki-cad): Estimated time 3 minutes
>     30 seconds
>
>       [1/20]: creating certificate server user
>
>       [2/20]: configuring certificate server instance
>
>     ipa         : CRITICAL failed to configure ca instance Command
>     '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>     ipatest.ingenia.local -cs_port 9445 -client_certdb_dir
>     /tmp/tmp-ARezzO -client_certdb_pwd XXXXXXXX -preop_pin
>     f0dLhx9bLX5qWHYx50h6 -domain_name IPA -admin_user admin
>     -admin_email root at localhost -admin_password XXXXXXXX -agent_name
>     ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>     -agent_cert_subject CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host
>     ipatest.ingenia.local -ldap_port 7389 -bind_dn cn=Directory
>     Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
>     -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
>     -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad
>     -token_name internal -ca_subsystem_cert_subject_name CN=CA
>     Subsystem,O=INGENIA.LOCAL -ca_subsystem_cert_subject_name CN=CA
>     Subsystem,O=INGENIA.LOCAL -ca_ocsp_cert_subject_name CN=OCSP
>     Subsystem,O=INGENIA.LOCAL -ca_server_cert_subject_name
>     CN=ipatest.ingenia.local,O=INGENIA.LOCAL
>     -ca_audit_signing_cert_subject_name CN=CA Audit,O=INGENIA.LOCAL
>     -ca_sign_cert_subject_name CN=Certificate
>     Authority,O=INGENIA.LOCAL -external false -clone false' returned
>     non-zero exit status 255
>
>     Configuration of CA failed
>
>     I’m including two install logs, one with dns-setup and the other
>     without it. Don’t really know what I’m doing wrong, thought maybe
>     I should allow connections to certain ports in ip tables or
>     something but have no clue really and I’m quite new to this, help
>     please..
>
>     Regards,
>
>     Remigio
>
>
>
> Hello,
>
> can you please check error logs of DS?
> /var/log/dirsrv/slapd-*/errors
>
> And please post here an error why DS restart failed.
>
> Martin
>
> -- 
> Martin Basti

Indeed, the log looks good.
There is some issue that IPA cannot verify DS on port 7389.

Can you answer the questions asked by Martin Kosek, please?
Martin

-- 
Martin Basti
