[Freeipa-users] Setup of freeipa 4.2.3 failed

Martin Babinsky mbabinsk at redhat.com
Fri Jan 8 12:25:03 UTC 2016


On 01/08/2016 01:06 PM, Markus Roth wrote:
> Hi all,
>
> I tried to install freeipa server (freeipa-server.armv7hl
>   4.2.3-1.1.fc23), but the installation failed.
>
> -----------------------------------------------------
> Configuring NTP daemon (ntpd)
>    [1/4]: stopping ntpd
>    [2/4]: writing configuration
>    [3/4]: configuring ntpd to start on boot
>    [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>    [1/43]: creating directory server user
>    [2/43]: creating directory server instance
>    [3/43]: adding default schema
>    [4/43]: enabling memberof plugin
>    [5/43]: enabling winsync plugin
>    [6/43]: configuring replication version plugin
>    [7/43]: enabling IPA enrollment plugin
>    [8/43]: enabling ldapi
>    [9/43]: configuring uniqueness plugin
>    [10/43]: configuring uuid plugin
>    [11/43]: configuring modrdn plugin
>    [12/43]: configuring DNS plugin
>    [13/43]: enabling entryUSN plugin
>    [14/43]: configuring lockout plugin
>    [15/43]: creating indices
>    [16/43]: enabling referential integrity plugin
>    [17/43]: configuring certmap.conf
>    [18/43]: configure autobind for root
>    [19/43]: configure new location for managed entries
>    [20/43]: configure dirsrv ccache
>    [21/43]: enable SASL mapping fallback
>    [22/43]: restarting directory server
>    [23/43]: adding default layout
>    [24/43]: adding delegation layout
>    [25/43]: creating container for managed entries
>    [26/43]: configuring user private groups
>    [27/43]: configuring netgroups from hostgroups
>    [28/43]: creating default Sudo bind user
>    [29/43]: creating default Auto Member layout
>    [30/43]: adding range check plugin
>    [31/43]: creating default HBAC rule allow_all
>    [32/43]: creating default CA ACL rule
>    [33/43]: adding entries for topology management
>    [34/43]: initializing group membership
>    [35/43]: adding master entry
>    [36/43]: initializing domain level
>    [37/43]: configuring Posix uid/gid generation
>    [38/43]: adding replication acis
>    [39/43]: enabling compatibility plugin
>    [40/43]: activating sidgen plugin
>    [41/43]: activating extdom plugin
>    [42/43]: tuning directory server
>    [43/43]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>    [1/25]: creating certificate server user
>    [2/25]: configuring certificate server instance
>    [3/25]: stopping certificate server instance to update CS.cfg
>    [4/25]: backing up CS.cfg
>    [5/25]: disabling nonces
>    [6/25]: set up CRL publishing
>    [7/25]: enable PKIX certificate path discovery and validation
>    [8/25]: starting certificate server instance
>    [9/25]: creating RA agent certificate database
>    [10/25]: importing CA chain to RA certificate database
>    [11/25]: fixing RA database permissions
>    [12/25]: setting up signing cert profile
>    [13/25]: setting audit signing renewal to 2 years
>    [14/25]: restarting certificate server
>    [15/25]: requesting RA certificate from CA
>    [16/25]: issuing RA agent certificate
>    [17/25]: adding RA agent as a trusted user
>    [18/25]: authorizing RA to modify profiles
>    [19/25]: configure certmonger for renewals
>    [20/25]: configure certificate renewals
>    [21/25]: configure RA certificate renewal
>    [22/25]: configure Server-Cert certificate renewal
>    [23/25]: Configure HTTP to proxy connections
>    [24/25]: restarting certificate server
>    [25/25]: Importing IPA certificate profiles
> Done configuring certificate server (pki-tomcatd).
> Configuring directory server (dirsrv). Estimated time: 10 seconds
>    [1/3]: configuring ssl for ds instance
>    [error] RuntimeError: Certificate issuance failed
> ipa.ipapython.install.cli.install_tool(Server): ERROR    Certificate issuance failed
>
> -----------------------------------------------
>
> The last messages in the log file (/var/log/ipaserver-install.log):
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 637, in __enable_ssl
>     self.nickname, self.fqdn, cadb)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>     raise RuntimeError("Certificate issuance failed")
>
> 2016-01-08T09:33:47Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Certificate issuance failed
> 2016-01-08T09:33:47Z ERROR Certificate issuance failed
>
> Any ideas about this error?
>
> Markus
>
>

Sounds similar to https://fedorahosted.org/freeipa/ticket/5376, but I
cannot be sure without seeing the installation log
(/var/log/ipaserver-install.log).

As a workaround, you can try to re-run the installation in verbose mode
using the '-v' option and see if it succeeds. Be prepared for a lot of
garbage spouted on the output, though.

-- 
Martin^3 Babinsky



