[Freeipa-users] replica install seems to hang forever when "--setup-ca" is enabled - any advice?

Fraser Tweedale ftweedal at redhat.com
Thu Mar 16 00:34:22 UTC 2017


On Wed, Mar 15, 2017 at 06:32:42PM -0400, Chris Dagdigian wrote:
> 
> Any tips for diving into this a bit more to troubleshoot?
> 
> For the 1st time I'm setting up an ipa-server 4.4 replica with CA features
> enabled but the replica install seems to hang forever here:
> 
> ...
> ...
> ...
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>   [1/27]: creating certificate server user
>   [2/27]: configuring certificate server instance
>   [3/27]: stopping certificate server instance to update CS.cfg
>   [4/27]: backing up CS.cfg
>   [5/27]: disabling nonces
>   [6/27]: set up CRL publishing
>   [7/27]: enable PKIX certificate path discovery and validation
>   [8/27]: starting certificate server instance
> 
> < no output after this >
> 
> 
> The replica-install.log file ends here:
> 
> ...
> ...
> ...
> 2017-03-15T22:16:05Z DEBUG Starting external process
> 2017-03-15T22:16:05Z DEBUG args=/bin/systemctl is-active
> pki-tomcatd@pki-tomcat.service
> 2017-03-15T22:16:05Z DEBUG Process finished, return code=0
> 2017-03-15T22:16:05Z DEBUG stdout=active
> 
> 2017-03-15T22:16:05Z DEBUG stderr=
> 2017-03-15T22:16:05Z DEBUG wait_for_open_ports: localhost [8080, 8443]
> timeout 300
> 2017-03-15T22:16:06Z DEBUG Waiting until the CA is running
> 2017-03-15T22:16:06Z DEBUG request POST
> http://deawilidmp001.XXX.org:8080/ca/admin/ca/getStatus
> 2017-03-15T22:16:06Z DEBUG request body ''
> 
> 
> 
> 
> I've confirmed that SELINUX is disabled, there is no firewall and the AWS
> Security Groups are allowing TCP:8080 and TCP:8443 to the replica instance.
> The systemctl command also verifies that
> pki-tomcatd@pki-tomcat.service is "active" as well.
> 
> 
> Any tips for debugging further?
> 
Could you please provide the /var/log/pki/pki-tomcat/ca/debug log
file?

Thanks,
Fraser



