[Freeipa-users] Setup of freeipa 4.2.3 failed
Rob Crittenden
rcritten at redhat.com
Sat Jan 9 22:41:38 UTC 2016
Markus Roth wrote:
> On Friday, 08.01.2016, at 13:25 +0100, Martin Babinsky wrote:
>> On 01/08/2016 01:06 PM, Markus Roth wrote:
>>> Hi all,
>>>
>>> I tried to install freeipa server (freeipa-server.armv7hl
>>> 4.2.3-1.1.fc23), but the installation failed.
>>>
>>> -----------------------------------------------------
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> [3/4]: configuring ntpd to start on boot
>>> [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>> [1/43]: creating directory server user
>>> [2/43]: creating directory server instance
>>> [3/43]: adding default schema
>>> [4/43]: enabling memberof plugin
>>> [5/43]: enabling winsync plugin
>>> [6/43]: configuring replication version plugin
>>> [7/43]: enabling IPA enrollment plugin
>>> [8/43]: enabling ldapi
>>> [9/43]: configuring uniqueness plugin
>>> [10/43]: configuring uuid plugin
>>> [11/43]: configuring modrdn plugin
>>> [12/43]: configuring DNS plugin
>>> [13/43]: enabling entryUSN plugin
>>> [14/43]: configuring lockout plugin
>>> [15/43]: creating indices
>>> [16/43]: enabling referential integrity plugin
>>> [17/43]: configuring certmap.conf
>>> [18/43]: configure autobind for root
>>> [19/43]: configure new location for managed entries
>>> [20/43]: configure dirsrv ccache
>>> [21/43]: enable SASL mapping fallback
>>> [22/43]: restarting directory server
>>> [23/43]: adding default layout
>>> [24/43]: adding delegation layout
>>> [25/43]: creating container for managed entries
>>> [26/43]: configuring user private groups
>>> [27/43]: configuring netgroups from hostgroups
>>> [28/43]: creating default Sudo bind user
>>> [29/43]: creating default Auto Member layout
>>> [30/43]: adding range check plugin
>>> [31/43]: creating default HBAC rule allow_all
>>> [32/43]: creating default CA ACL rule
>>> [33/43]: adding entries for topology management
>>> [34/43]: initializing group membership
>>> [35/43]: adding master entry
>>> [36/43]: initializing domain level
>>> [37/43]: configuring Posix uid/gid generation
>>> [38/43]: adding replication acis
>>> [39/43]: enabling compatibility plugin
>>> [40/43]: activating sidgen plugin
>>> [41/43]: activating extdom plugin
>>> [42/43]: tuning directory server
>>> [43/43]: configuring directory to start on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>>> [1/25]: creating certificate server user
>>> [2/25]: configuring certificate server instance
>>> [3/25]: stopping certificate server instance to update CS.cfg
>>> [4/25]: backing up CS.cfg
>>> [5/25]: disabling nonces
>>> [6/25]: set up CRL publishing
>>> [7/25]: enable PKIX certificate path discovery and validation
>>> [8/25]: starting certificate server instance
>>> [9/25]: creating RA agent certificate database
>>> [10/25]: importing CA chain to RA certificate database
>>> [11/25]: fixing RA database permissions
>>> [12/25]: setting up signing cert profile
>>> [13/25]: setting audit signing renewal to 2 years
>>> [14/25]: restarting certificate server
>>> [15/25]: requesting RA certificate from CA
>>> [16/25]: issuing RA agent certificate
>>> [17/25]: adding RA agent as a trusted user
>>> [18/25]: authorizing RA to modify profiles
>>> [19/25]: configure certmonger for renewals
>>> [20/25]: configure certificate renewals
>>> [21/25]: configure RA certificate renewal
>>> [22/25]: configure Server-Cert certificate renewal
>>> [23/25]: Configure HTTP to proxy connections
>>> [24/25]: restarting certificate server
>>> [25/25]: Importing IPA certificate profiles
>>> Done configuring certificate server (pki-tomcatd).
>>> Configuring directory server (dirsrv). Estimated time: 10 seconds
>>> [1/3]: configuring ssl for ds instance
>>> [error] RuntimeError: Certificate issuance failed
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR Certificate issuance failed
>>>
>>> -----------------------------------------------
>>>
>>> The last messages in the log file (/var/log/ipaserver-install.log):
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 637, in __enable_ssl
>>>     self.nickname, self.fqdn, cadb)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
>>>     raise RuntimeError("Certificate issuance failed")
>>>
>>> 2016-01-08T09:33:47Z DEBUG The ipa-server-install command failed,
>>> exception: RuntimeError: Certificate issuance failed
>>> 2016-01-08T09:33:47Z ERROR Certificate issuance failed
>>>
>>> Any ideas about this error?
>>>
>>> Markus
>>>
>>>
>>
>> Sounds similar to https://fedorahosted.org/freeipa/ticket/5376, but I
>> cannot be sure without seeing the installation log
>> (/var/log/ipaserver-install.log).
>>
>> As a workaround, you can try to re-run the installation in verbose mode
>> using the '-v' option and see if it succeeds. Be prepared for a lot of
>> garbage spouted on the output, though.
>>
> Hi Martin,
>
> I did a setup with Fedora 22 and freeipa-server.armv7hl 4.1.4-4.fc22.
>
> The setup completed successfully. The only change I made was to change the
> startup_timeout variable to 900 in
> /usr/lib/python2.7/site-packages/ipalib/constants.py, because the
> hardware (Banana Pi) isn't fast enough for the certification generation
> process.
>
> So it must be a bug in freeipa-server.armv7hl 4.2.3-1.1.fc23.
/var/log/ipaserver-install.log from the failed install would be helpful.
rob