[Freeipa-users] CA installation failed on server

Martin Basti mbasti at redhat.com
Mon Nov 30 11:51:51 UTC 2015



On 28.11.2015 00:14, Rob Crittenden wrote:
> Martin Štefany wrote:
>> Hello,
>>
>> I remember experiencing this, but I'm not sure of the solution. I think it's
>> related to apache (httpd) and its group.
>>
>> My notes for IPA installation on CentOS 7.x say:
>>
>> # groupadd -g 48 apache
>> # yum -y install ipa-server bind bind-dyndb-ldap
>> # usermod -g apache apache
>> # ipa-server-install...
>>
>> CentOS is somehow not creating the group apache for the apache user and then
>> assuming root, which is then causing problems with apache later.
>> Pre-creating such a group before installing httpd and then usermod-ing user
>> apache might solve it.
>>
>> Did you get any warnings while running:
>> # yum install -y ipa-server bind bind-dyndb-ldap ?
>>
>>
>> If possible, try the installation from scratch with my notes on a fresh
>> system. If not:
>>
>> # systemctl stop apache   # if it runs
>> # groupadd -g 48 apache   # I use 48 as apache's UID tends to be also 48, or use 'groupadd -r apache' instead
>> # usermod -g apache apache
>> # ipa-server-install...
>>
> Sounds unlikely to me. If indeed it did happen you'd need to file a bug
> against Apache to create its own uid/gid, which I'm pretty certain it
> already does.
>
> In any case, dogtag doesn't run in Apache so it would be unlikely to
> blow up in the CA installer.
>
> cating the contents of a directory into one log is not at all helpful,
> especially given that you missed all the important bits in the
> subdirectories beneath it. This is just a mishmash of stuff. We need to
> see /var/log/pki/pki-tomcat/ca/debug.
>
> /var/log/ipaserver-install.log might also be useful to see though it
> probably just records in a more verbose way the fact that pkispawn failed.
>
> rob
>
Hello,

I see this error message in the log:

2015-11-26 08:41:53 pkidestroy  : ERROR    ....... 
subprocess.CalledProcessError:  Command '['/usr/bin/sslget', '-n', 
'subsystemCert cert-pki-ca', '-p', '272326334956', '-d', 
'/etc/pki/pki-tomcat/alias', '-e', 
'name="/var/lib/pki/pki-tomcat"&type=CA&list=caList&host=ipa.home&sport=443&ncsport=8443&adminsport=8443&agentsport=8443&operation=remove', 
'-v', '-r', '/ca/agent/ca/updateDomainXML', 'ipa.home:443']' returned 
non-zero exit status 6!

It means that the CA has not been successfully uninstalled, and it can
cause issues during installation.
PKI bug:
https://fedorahosted.org/pki/ticket/1704

Christian may have a workaround (CCed)
Martin
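
As an added example (not part of the original message and not code from the FreeIPA or PKI projects), this Python sketch scans log text for pkidestroy ERROR entries like the one quoted above and reports the failed command, its operation and its exit status, so an incomplete CA uninstall can be spotted before reinstalling. The function names and the sample log are constructed here; the thread does not name the log file, so the caller passes the text in.

```python
import ast
import re
from urllib.parse import parse_qs

# Constructed sample: the entry from the message above, wrapped as in the mail,
# with the -p value replaced by a placeholder and one filler INFO line added.
SAMPLE_LOG = """\
2015-11-26 08:41:50 pkidestroy  : INFO     ....... constructed filler line
2015-11-26 08:41:53 pkidestroy  : ERROR    .......
subprocess.CalledProcessError:  Command '['/usr/bin/sslget', '-n',
'subsystemCert cert-pki-ca', '-p', 'PLACEHOLDER', '-d',
'/etc/pki/pki-tomcat/alias', '-e',
'name="/var/lib/pki/pki-tomcat"&type=CA&list=caList&host=ipa.home&operation=remove',
'-v', '-r', '/ca/agent/ca/updateDomainXML', 'ipa.home:443']' returned
non-zero exit status 6!
"""

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s*: (\w+)\s", re.M)
FAILED = re.compile(
    r"CalledProcessError: Command '(\[.*?\])' returned non-zero exit status (\d+)")


def _opt(argv, flag):
    """Value following a command-line flag, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv[:-1] else None


def failed_uninstall_steps(log_text):
    """Return one dict per pkidestroy ERROR entry that records a failed command."""
    findings = []
    starts = [m.start() for m in ENTRY.finditer(log_text)] + [len(log_text)]
    for begin, end in zip(starts, starts[1:]):
        entry = " ".join(log_text[begin:end].split())  # re-join wrapped lines
        head, hit = ENTRY.match(entry), FAILED.search(entry)
        if not hit or head.group(2, 3) != ("pkidestroy", "ERROR"):
            continue
        try:
            argv = ast.literal_eval(hit.group(1))  # the logged Python list
        except (ValueError, SyntaxError):
            continue  # a wrap fell inside an argument; inspect it by hand
        query = parse_qs(_opt(argv, "-e") or "")
        findings.append({  # the -p value is deliberately not copied
            "timestamp": head.group(1),
            "program": argv[0],
            "operation": query.get("operation", [None])[0],
            "url_path": _opt(argv, "-r"),
            "exit_status": int(hit.group(2)),
        })
    return findings
```

A non-empty result from `failed_uninstall_steps(open(path).read())` means at least one uninstall step failed.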



