<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 04/28/2014 11:52 AM, Rob Crittenden wrote:<br>
</div>
<blockquote cite="mid:535E7947.6010901@redhat.com" type="cite">Bret Wortman wrote:
<br>
<blockquote type="cite">
<br>
On 04/28/2014 11:17 AM, Rob Crittenden wrote:
<br>
<blockquote type="cite">Bret Wortman wrote:
<br>
<blockquote type="cite">So is there a recommended way to clean it up and get it working?
<br>
</blockquote>
<br>
Re-run pkidestroy, then if the subsequent IPA install fails closely examine the logs to determine the reason. The problem in cases like this is that the first install fails and subsequent installs mask the original failure with this PKI re-install failure.
<br>
<br>
rob
<br>
<br>
</blockquote>
Okay, here's the log from when it starts configuring PKI:
<br>
<br>
2014-04-28T15:23:45Z DEBUG [2/22]: configuring certificate server instance
<br>
2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file (/tmp/tmpdCm6rt):
<br>
[CA]
<br>
pki_security_domain_name = IPA
<br>
pki_enable_proxy = True
<br>
pki_restart_configured_instance = False
<br>
pki_backup_keys = True
<br>
pki_backup_password = XXXXXXXX
<br>
pki_client_database_dir = /tmp/tmp-rVoTR2
<br>
pki_client_database_password = XXXXXXXX
<br>
pki_client_database_purge = False
<br>
pki_client_pkcs12_password = XXXXXXXX
<br>
pki_admin_name = admin
<br>
pki_admin_uid = admin
<br>
pki_admin_email = root@localhost
<br>
pki_admin_password = XXXXXXXX
<br>
pki_admin_nickname = ipa-ca-agent
<br>
pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
<br>
pki_client_admin_cert_p12 = /root/ca-agent.p12
<br>
pki_ds_ldap_port = 389
<br>
pki_ds_password = XXXXXXXX
<br>
pki_ds_base_dn = o=ipaca
<br>
pki_ds_database = ipaca
<br>
pki_subsystem_subject_dn = cn=CA Subsystem,O=FOO.NET
<br>
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
<br>
pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
<br>
pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
<br>
pki_ca_signing_subject_dn = cn=Certificate Authority,O=FOO.NET
<br>
pki_subsystem_nickname = subsystemCert cert-pki-ca
<br>
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
<br>
pki_ssl_server_nickname = Server-Cert cert-pki-ca
<br>
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
<br>
pki_ca_signing_nickname = caSigningCert cert-pki-ca
<br>
<br>
<br>
2014-04-28T15:23:45Z DEBUG Starting external process
<br>
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
<br>
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
<br>
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from /tmp/tmpdCm6rt.
<br>
Installing CA into /var/lib/pki/pki-tomcat.
<br>
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
<br>
<br>
Installation failed.
<br>
<br>
<br>
2014-04-28T15:24:46Z DEBUG stderr=pkispawn : ERROR ....... server failed to restart
<br>
<br>
2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit status 1
<br>
2014-04-28T15:24:46Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
<br>
return_value = main_function()
<br>
<br>
File "/usr/sbin/ipa-server-install", line 1074, in main
<br>
dm_password, subject_base=options.subject)
<br>
<br>
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
<br>
self.start_creation(runtime=210)
<br>
<br>
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
<br>
method()
<br>
<br>
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
<br>
raise RuntimeError('Configuration of CA failed')
<br>
<br>
<br>
2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
<br>
<br>
And that's the end of the log. Nothing here looks terribly informative to me, and this is what the log looks like every time I look at it.
<br>
<br>
</blockquote>
<br>
The error is different whether there is an existing PKI instance or not.
<br>
<br>
The next set of logs to look at are in /var/log/pki. It says there is a startup failure so I'd start with <font color="#ff0000"><b>/var/log/pki/pki-tomcat/catalina.out</b></font>. Also interesting may be the pki-ca-spawn and debug logs found within that directory structure.
<br>
<br>
I'd also look for SELinux errors with ausearch -m AVC -ts recent
<br>
</blockquote>
This did the trick. Something was hanging out on port 8443, though
neither lsof nor netstat would show me what it was. I rebooted the
server and then it proceeded past this without a hiccup.<br>
<br>
Thanks, Rob and everyone else for helping me navigate the logs!<br>
<br>
<br>
Bret<br>
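<br>
A pre-flight check that follows the troubleshooting in this thread, added here as an example (not code from the FreeIPA project or from anyone on the list): it tests whether the CA's port 8443 can actually be bound, which is the stale-listener condition above that lsof and netstat did not reveal, and it pulls the failing command, exit status and pkispawn stderr out of ipa-server-install log lines in the format quoted, so the first failure is not masked by a later PKI re-install failure. The log excerpt is constructed from the lines shown; the function names are my own.<br>

```python
"""Pre-flight checks before re-running ipa-server-install after pkidestroy.

Added example, not FreeIPA project code. (1) Try to bind the CA's HTTPS port
8443: a bind attempt detects a stale listener even when lsof/netstat do not
show one. (2) Parse ipa-server-install log lines for the first CRITICAL
failure so the original error is not hidden behind the PKI re-install error.
"""
import re
import socket

# Constructed excerpt in the format quoted in the thread (not a real log file).
SAMPLE_LOG = """\
2014-04-28T15:23:45Z DEBUG Starting external process
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:24:46Z DEBUG stderr=pkispawn : ERROR ....... server failed to restart
2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit status 1
"""

CRITICAL_RE = re.compile(
    r"^(?P<ts>\S+) CRITICAL (?P<msg>.*?)Command '(?P<cmd>[^']+)' "
    r"returned non-zero exit status (?P<rc>\d+)$", re.M)
STDERR_RE = re.compile(r"^\S+ DEBUG stderr=(?P<err>.+)$", re.M)


def port_is_free(port, host="127.0.0.1"):
    """Return True if host:port can be bound, i.e. no socket is listening there.
    SO_REUSEADDR lets the probe ignore lingering TIME_WAIT connections but
    still fails (EADDRINUSE) against an active LISTEN socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def summarize_failure(log_text):
    """Return {command, rc, stderr} for the first CRITICAL line, or None."""
    m = CRITICAL_RE.search(log_text)
    if not m:
        return None
    err = STDERR_RE.search(log_text)
    return {"command": m["cmd"], "rc": int(m["rc"]),
            "stderr": err["err"].strip() if err else ""}


if __name__ == "__main__":
    print(summarize_failure(SAMPLE_LOG))
    print("port 8443 free:", port_is_free(8443))
```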
</body>
</html>