[Freeipa-users] Configuration of CA failed

Martin Kosek mkosek at redhat.com
Fri May 15 07:55:54 UTC 2015


On 05/14/2015 01:02 PM, Martin Kosek wrote:
> On 05/14/2015 11:58 AM, Remigio Moncayo Serrano wrote:
>> Hello,
>>
>> I've been put in charge of implementing a solution that uses LDAP and Kerberos authentication. At first I thought I should use OpenLDAP and Kerberos, but then I found FreeIPA and it looks really cool; however, when trying to install it I keep getting this error about configuration of the CA:
>>
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Configuring NTP daemon (ntpd)
>>    [1/4]: stopping ntpd
>>    [2/4]: writing configuration
>>    [3/4]: configuring ntpd to start on boot
>>    [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>    [1/3]: creating directory server user
>>    [2/3]: creating directory server instance
>>    [3/3]: restarting directory server
>> ipa         : CRITICAL Failed to restart the directory server. See the installation log for details.
>> Done configuring directory server for the CA (pkids).
>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>    [1/20]: creating certificate server user
>>    [2/20]: configuring certificate server instance
>> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipatest.ingenia.local -cs_port 9445 -client_certdb_dir /tmp/tmp-ARezzO -client_certdb_pwd XXXXXXXX -preop_pin f0dLhx9bLX5qWHYx50h6 -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host ipatest.ingenia.local -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INGENIA.LOCAL -ca_server_cert_subject_name CN=ipatest.ingenia.local,O=INGENIA.LOCAL -ca_audit_signing_cert_subject_name CN=CA Audit,O=INGENIA.LOCAL -ca_sign_cert_subject_name CN=Certificate Authority,O=INGENIA.LOCAL -external false -clone false' returned non-zero exit status 255
>> Configuration of CA failed
>>
>> I'm including two install logs, one with dns-setup and the other without it. I don't really know what I'm doing wrong; I thought maybe I should allow connections to certain ports in iptables or something, but I have no clue really and I'm quite new to this. Help please.
>>
>> Regards,
>>
>> Remigio
>
> Hello,
>
> What platform are you using (Fedora? CentOS? RHEL?) and what version of FreeIPA
> are you using?

We still have not received an answer for that part, though it is obvious the 
platform will be something RHEL-6.x derived.

>
> Also, I see the following error in the log:
> java.net.ConnectException: Connection refused
> So it seems some port is occupied. Is your port 8443 occupied? Maybe by running
> httpd daemon before the installation?
>
> Martin
>

Looking at the dirsrv log that Remigio sent me privately, it does not look like 
8443 is to blame.

It is, however, really strange that ipaserver-install.log reports that the DS 
restart fails with the following error, even though DS says it is listening on that 
port:

2015-05-14T09:28:49Z CRITICAL Failed to restart the directory server. See the 
installation log for details.

Could it be maybe an SELinux-based problem? You can check for AVCs with

# ausearch -m avc -ts today

Final suggestion: this does not solve the root cause, but I would really 
suggest doing the installation on RHEL/CentOS 7.1 as it contains FreeIPA 4.1 
which is much better than the old FreeIPA 3.0 present in RHEL-6.x. This is our 
general recommendation for new deployments anyway.

Martin
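A pre-flight check for the two hypotheses raised in this thread (a CA port already occupied, e.g. by httpd on 8443, and SELinux denials against the directory server or pki-cad), as an added example that is not part of the original mail. The `ss -lntp` and audit-log samples are constructed; both filters read stdin so they can be run on captured text as well as live on the host with `--live`.

```shell
#!/bin/sh
# Pre-flight checks for the failure discussed in the thread: a port the CA
# installer needs is already taken, or SELinux is denying ns-slapd / pki-cad.
# Added example, not from the original mail; filters read tool output on stdin.
# Ports the FreeIPA 3.0 CA install uses, taken from the pkisilent command line:
# 7389 (CA directory server), 8443 (CA HTTPS), 9445 (pkisilent configure port).
IPA_CA_PORTS="7389 8443 9445"

# occupied_ports: filter `ss -lntp` output, print "PORT PROCESS" for each IPA CA
# port that already has a listener (process name parsed from the users:(...) field).
occupied_ports() {
    awk -v ports="$IPA_CA_PORTS" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) need[want[i]] = 1 }
        $1 == "LISTEN" {
            k = split($4, a, ":"); port = a[k]   # last field also handles [::]:8443
            if (!(port in need)) next
            proc = "unknown"
            if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
            print port, proc
        }'
}

# selinux_denials: filter `ausearch -m avc` (or audit.log) lines, print
# "COMM PERMISSION CLASS" for denials against ns-slapd (389-ds) or java (pki-cad).
selinux_denials() {
    awk '
        /type=AVC/ && /avc: +denied/ {
            comm = perm = cls = ""
            if (match($0, /comm="[^"]+"/)) comm = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /denied +[{] *[a-z_]+ *[}]/)) {
                perm = substr($0, RSTART, RLENGTH); gsub(/denied +[{] *| *[}]/, "", perm)
            }
            if (match($0, /tclass=[a-z_]+/)) cls = substr($0, RSTART + 7, RLENGTH - 7)
            if (comm == "ns-slapd" || comm == "java") print comm, perm, cls
        }'
}

# Constructed sample output (not from the reporter's host) so the script runs offline.
SAMPLE_SS='LISTEN 0 128 *:8443 *:* users:(("httpd",pid=1234,fd=4))
LISTEN 0 128 :::22 :::* users:(("sshd",pid=900,fd=3))'
SAMPLE_AVC='type=AVC msg=audit(1431595729.123:456): avc:  denied  { name_bind } for  pid=2210 comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1431595730.456:457): avc:  denied  { read } for  pid=3001 comm="cupsd" name="x" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

if [ "${1:-}" = "--live" ]; then   # run as root on the IPA host
    ss -lntp | occupied_ports
    ausearch -m avc -ts today 2>/dev/null | selinux_denials
else
    printf '%s\n' "$SAMPLE_SS" | occupied_ports
    printf '%s\n' "$SAMPLE_AVC" | selinux_denials
fi
```

Any line printed by the first filter means the installer will collide with an existing daemon; a `name_bind`/`tcp_socket` denial for `ns-slapd` from the second is the SELinux case the mail suggests checking.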