Tomcat is definitely not running and there's no log in /var/log/pki-ca. SELinux is disabled and not running. The same RPMs are installed on both my functioning and nonfunctioning system, at least as far as "# rpm -qa | grep tomcat | sort" revealed.<div>
<br></div><div>I also followed Martin's suggestion to clean out the CA configuration, but that command seems to indicate that there wasn't any existing configuration:</div><div><br></div><div><div><font face="courier new, monospace">[root@fs1 ~]# /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force</font></div>
<div><font face="courier new, monospace">PKI instance Deletion Utility ...</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">PKI instance Deletion Utility cleaning up instance ...</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">No security domain defined.</font></div><div><font face="courier new, monospace">If this is an unconfigured instance, then that is OK.</font></div>
<div><font face="courier new, monospace">Otherwise, manually delete the entry from the security domain master.</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">Removing selinux contexts</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">[root@fs1 ~]#</font></div></div><div><div><br></div><div><br><br>
<div class="gmail_quote">On Wed, Oct 17, 2012 at 3:17 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">Bret Wortman wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Now it appears that whatever is supposed to be running on port 9445<br>
(looks like mindarray-ca) isn't running, and I'm not sure how it gets<br>
started, exactly. I ran lsof -i:9445 on this server and on a FreeIPA<br>
test box I first set up, and it's running on the test box but not the<br>
new one. Where should I look next?<br>
</blockquote>
<br></div>
See if there are any SELinux denials: ausearch -m AVC<br>
<br>
It looks like tomcat failed to start. The logs are in /var/log/pki-ca.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
<br>
On Wed, Oct 17, 2012 at 2:07 PM, Bret Wortman<br></div><div class="im">
<<a href="mailto:bret.wortman@damascusgrp.com" target="_blank">bret.wortman@damascusgrp.com</a>> wrote:<br>

<br>
    Spot on. It was a fresh install of F17 and I neglected to # yum<br>
    update first. I've done so, rebooted, and am trying again with<br>
    better results.<br>
<br>
<br>
    On Wed, Oct 17, 2012 at 1:45 PM, John Dennis <<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>><br></div><div class="im">
    wrote:<br>
<br>
        On 10/17/2012 12:40 PM, Bret Wortman wrote:<br>
<br>
            I recently tried installing freeipa on a new server, but<br>
            ipa-server-install had problems around this point:<br>
<br>
            Configuring certificate server: Estimated time 3 minutes 30<br>
            seconds<br>
                [1/18]: creating certificate server user<br>
                [2/18]: creating pki-ca instance<br>
                [3/18]: configuring certificate server instance<br>
            ipa         : CRITICAL failed to configure ca instance Command<br>
            '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname<br>
            <a href="http://fs1.wedgeofli.me" target="_blank">fs1.wedgeofli.me</a> -cs_port 9445<br>
<br>
            -client_certdb_dir /tmp/tmp-UvBMbL -client_certdb_pwd XXXXXXXX<br>
            -preop_pin HHxKHUz5RRfzQ3OkFMlR -domain_name IPA -admin_user<br>
            admin<br>
            -admin_email root@localhost -admin_XXXXXXXX XXXXXXXX -agent_name<br>
            ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa<br>
            -agent_cert_subject CN=ipa-ca-agent,O=<a href="http://WEDGEOFLI.ME" target="_blank">WEDGEOFLI.ME</a><br></div><div class="im">
            -ldap_host <a href="http://fs1.wedgeofli.me" target="_blank">fs1.wedgeofli.me</a> -ldap_port 7389<br>
<br>
            -bind_dn cn=Directory Manager -bind_XXXXXXXX XXXXXXXX<br>
            -base_dn o=ipaca<br>
            -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm<br>
            SHA256withRSA<br>
            -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad<br>
            -token_name<br></div>
            internal -ca_subsystem_cert_subject_name CN=CA<br>
            Subsystem,O=<a href="http://WEDGEOFLI.ME" target="_blank">WEDGEOFLI.ME</a><div class="im"><br>
            -ca_ocsp_cert_subject_name CN=OCSP<br>
            Subsystem,O=<a href="http://WEDGEOFLI.ME" target="_blank">WEDGEOFLI.ME</a><br>
            -ca_server_cert_subject_name CN=<a href="http://fs1.wedgeofli.me" target="_blank">fs1.wedgeofli.me</a>,O=<a href="http://WEDGEOFLI.ME" target="_blank">WEDGEOFLI.ME</a><br></div>
            -ca_audit_signing_cert_subject_name CN=CA<br>
            Audit,O=<a href="http://WEDGEOFLI.ME" target="_blank">WEDGEOFLI.ME</a><div class="im"><br>
            -ca_sign_cert_subject_name CN=Certificate<br>
            Authority,O=<a href="http://WEDGEOFLI.ME" target="_blank">WEDGEOFLI.ME</a> -external false -clone<br>
<br>
            false' returned non-zero exit status 255<br>
            Unexpected error - see ipaserver-install.log for details:<br>
               Configuration of CA failed<br>
            [root@fs1 ~]#<br>
<br>
            The logfile revealed the following stack trace:<br>
<br></div>
            #############################################<div class="im"><br>
            Attempting to connect to: <a href="http://fs1.wedgeofli.me:9445" target="_blank">fs1.wedgeofli.me:9445</a><br>
<br>
            Exception in LoginPanel(): java.lang.NullPointerException<br>
            ERROR: ConfigureCA: LoginPanel() failure<br>
            ERROR: unable to create CA<br>
<br></div>
            #######################################################################<div class="im"><br>
<br>
            2012-10-17T16:24:53Z DEBUG stderr=Exception: Unable to Send<br></div>
            Request:java.net.ConnectException:<div class="im"><br>
            Connection refused<br>
            java.net.ConnectException: Connection refused<br></div>
            at java.net.PlainSocketImpl.socketConnect(Native Method)<br>
            at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)<br>
            at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)<br>
            at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)<br>
            at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)<br>
            at java.net.Socket.connect(Socket.java:579)<br>
            at java.net.Socket.connect(Socket.java:528)<br>
            at java.net.Socket.<init>(Socket.java:425)<br>
            at java.net.Socket.<init>(Socket.java:241)<br>
            at HTTPClient.sslConnect(HTTPClient.java:326)<br>
            at ConfigureCA.LoginPanel(ConfigureCA.java:244)<br>
            at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)<br>
            at ConfigureCA.main(ConfigureCA.java:1672)<br>
            java.lang.NullPointerException<br>
            at ConfigureCA.LoginPanel(ConfigureCA.java:245)<br>
            at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)<br>
            at ConfigureCA.main(ConfigureCA.java:1672)<div class="im"><br>
<br>
            Now I seem to be stuck. I tried uninstalling the<br>
            freeipa-server package<br>
            with # yum remove freeipa-server and then reinstalled it the<br>
            same way,<br>
            but ipa-server-install won't run no matter what I attempt.<br>
<br>
            Any thoughts? I'm pretty new to IPA.<br>
<br>
<br>
        There is a good chance this is due to a version mismatch between<br>
        the IPA packages and the dogtag packages. You didn't mention<br>
        which OS you're using nor the versions of the relevant packages,<br>
        that would have been helpful. In any event I would make sure all<br>
        your packages are up to date.<br>
<br>
<br>
        --<br></div>
        John Dennis <<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>><div class="im"><br>
<br>
<br>
        Looking to carve out IT costs?<br></div>
        <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a><div class="im">
<br>
<br>
<br>
<br>
<br>
    --<br>
    Bret Wortman<br>
    The Damascus Group<br>
    Fairfax, VA<br>
    <a href="http://bretwortman.com/" target="_blank">http://bretwortman.com/</a><br>
    <a href="http://twitter.com/BretWortman" target="_blank">http://twitter.com/BretWortman</a><br>
<br>
<br>
<br>
<br>
--<br>
Bret Wortman<br>
The Damascus Group<br>
Fairfax, VA<br>
<a href="http://bretwortman.com/" target="_blank">http://bretwortman.com/</a><br>
<a href="http://twitter.com/BretWortman" target="_blank">http://twitter.com/BretWortman</a><br>
<br>
<br>
<br></div><div class="im">
_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
</div></blockquote>
<br>
</blockquote></div><br>
</div></div>