<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<div>On 09/08/2014 07:29 PM, Olga
Kornievskaia wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thank you very much for your quick reply.
<div><br>
</div>
<div>It is a brand new fedora 20 vm. <br>
</div>
</div>
</blockquote>
<br></span>
OK good.<br>
Can you send or share the ipa server installation log?<br></div></blockquote><div><br></div><div>Can you please suggest how I can do that? My original post was rejected by the administrator of this list because I've included the install log, which, compressed, was over 5M.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
<br>
Are you using a cert from AD and trying to chain to an AD CA?</div></blockquote><div><br></div><div>I'm not specifying any cert options on the install command (i.e. I'm using the default certs supplied with the install).</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><div><div><br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>There is nothing that's running on port 443. </div>
<div><br>
</div>
<div>catalina.out is empty </div>
<div>system file is attached and reports that certificate is not
in pkcs11 format.</div>
<div>pki-ca-spawn.XX.log does not appear to report errors (also
attached)</div>
<div><br>
</div>
<div>Please let me know if I can enable any other debugging info
that might be useful in figuring this out.</div>
<div><br>
</div>
<div>Thank you.</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 8, 2014 at 5:50 PM, Dmitri
Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<div>On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">Can
somebody help with the following problem(s) I’ve
encountered while trying to install the freeipa
server?</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">Problem
#1:</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">On
fedora 20, I have:</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">1.
using yum install acquired the free-ipa-server
package.</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">2.
ran ipa-server-install </div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">—
that has failed with “CA did not start in 300s”</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">One
thing that’s noticeable in the logs (the snippet
is included below) is that request for <span style="font-family:Menlo;font-size:11px">request
'<a href="https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus" target="_blank">https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus</a>' </span></div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">has
443 as the port, whereas before all the requests were for
8443 (e.g., same (manual) request on port 8443
succeeds). Seems like an install script somewhere
has the wrong port?</div>
</div>
</blockquote>
<br>
</span> 443 is the right port.<br>
Do you have something already running on the same box on
that port?<br>
That might prevent things from installing and running.<br>
<br>
Please try on a clean machine or VM.<br>
Also more logs will be helpful.<br>
Please see this [1] on how to troubleshoot.<br>
<br>
The second problem is most likely an artifact of the
incomplete install.<br>
<br>
[1] <a href="http://www.freeipa.org/page/Troubleshooting" target="_blank">http://www.freeipa.org/page/Troubleshooting</a><span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">
<p style="margin:0px;font-size:11px;font-family:Menlo">2014-09-08T19:21:07Z
DEBUG Waiting for CA to start...</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2014-09-08T19:21:08Z
DEBUG request '<a href="https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus" target="_blank">https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus</a>'</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2014-09-08T19:21:08Z
DEBUG request body ''</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2014-09-08T19:21:08Z
DEBUG request status 503</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2014-09-08T19:21:08Z
DEBUG request reason_phrase u'Service
Unavailable'</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2014-09-08T19:21:08Z
DEBUG request headers {'date': 'Mon, 08 Sep 2014
19:21:08 GMT', 'content-length': '299',
'content-type': 'text/html; charset=iso-8859-1',
'connection': 'close', 'server': 'Apache/2.4.10
(Fedora) mod_auth_kerb/5.4 mod_nss/2.4.6
NSS/3.15.3 Basic ECC mod_wsgi/3.5
Python/2.7.5'}</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2014-09-08T19:21:08Z DEBUG request
body '<!DOCTYPE HTML PUBLIC "-//IETF//DTD
HTML
2.0//EN">\n<html><head>\n<title>503
Service
Unavailable</title>\n</head><body>\n<h1>Service
Unavailable</h1>\n<p>The server is
temporarily unable to service your\nrequest due
to maintenance downtime or capacity\nproblems.
Please try again
later.</p>\n</body></html>\n'</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2014-09-08T19:21:08Z
DEBUG The CA status is: Service Unavailable</p>
<div><br>
</div>
</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">Problem
#2:</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">The
next problem I’m encountering, which doesn’t seem to
be related to the CA setup, is on the next step of
“kinit admin”. It fails with “generic pre
authentication failure while getting initial
credentials”</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">stracing
kinit shows that it tried to open file
“/var/lib/sss/pubconf/kdcinfo.GATEWAY.2WIRE.NET”
and fails with “no such file” error. “pubconf”
dir only has empty “krb5.include.d”.</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">I
don’t know if this failure is due to the fact that
the setup didn’t run all the way and some
configuration is missing or this is a separate
issue.</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">Are
these bugs that need to be filed with bugzilla or
am I doing something incorrectly?</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">Any
help would be appreciated. </div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">Thank
you.</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</span><span><font color="#888888">
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on
the project<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div></div></div>
</blockquote></div><br></div></div>