<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote: <blockquote cite="mid:1374253896.4930.4.camel@localhost.localdomain" type="cite"> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <meta name="GENERATOR" content="GtkHTML/4.6.5"> I'm trying to install an IPA server using an external CA. I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA. So then I go back to install using my certs: ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer I get this for output: Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/20]: creating certificate server user [2/20]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255 Configuration of CA failed [<a moz-do-not-send="true" href="mailto:root@lnxrealmtest01">root@lnxrealmtest01</a> ~]# tail /var/log/ipaserver-install.log File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instanceConfiguring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/20]: creating certificate server user [2/20]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255 Configuration of CA failed [<a moz-do-not-send="true" href="mailto:root@lnxrealmtest01">root@lnxrealmtest01</a> ~]# tail /var/log/ipaserver-install.log File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance self.start_creation(runtime=210) File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation method() File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance raise RuntimeError('Configuration of CA failed') 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed self.start_creation(runtime=210) File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation method() File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance raise RuntimeError('Configuration of CA failed') 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed Any thoughts on what I can do to troubleshoot this? Thanks. -Kenny <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> Several questions: 1) package and os version/distro? 2) what is in httpd logs? 3) what is in pki logs? The names and locations of the logs partially depend on the answer to the first question. <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>