[Pki-users] 10.0.2 CA Installation failed on LDAP and CA chain

Ade Lee alee at redhat.com
Mon May 6 14:25:28 UTC 2013


On Sun, 2013-05-05 at 12:46 +0200, pkiadmin at nym.hush.com wrote:
> Hello list members,
> 
> I have been trying to get Dogtag 10.0.2 on fc18 running but 
> pkispawn concludes with Installation Failed.
> 
> Here is what I see:
> pkispawn -s CA -f /home/pkiadmin/CA.cfg 
> Loading deployment configuration from /home/pkiadmin/CA.cfg.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
> 
> The interactive pkispawn was also tried but this gives the same 
> fail results.
> 
> In /var/log/pki/pki-tomcat/ca/system I see the following:
> 6650.localhost-startStop-1 - [05/May/2013:10:33:53 CEST] [3] [3] 
> Cannot build CA chain. Error 
> java.security.cert.CertificateException: Certificate is not a 
> PKCS#11 certificate
> 
> 6650.localhost-startStop-1 - [05/May/2013:10:33:53 CEST] [13] [3] 
> authz instance DirAclAuthz initialization failed and skipped, 
> error=Property internaldb.ldapconn.port missing value
> 
> In /var/log/pki/pki-tomcat/catalina.out I see the above 2 errors 
> preceded by CMS WARNING: FAILURE:
> 
The errors above are benign, in that they always occur on a new
installation.

> In /etc/pki/default.cfg I put pki_ds_hostname=hostname and made 
> sure the pki_ds_port was correct. Oh yes, the remote DS389 was 
> running and accessible.
> 

OK, so /etc/pki/default.cfg is not supposed to be edited.  Instead, a
brand new file is supposed to be created with the relevant overrides.
This is because default.cfg can be overwritten in updates to pki-server.

It's hard to tell what is going on based on what you have described.
Please provide the following:

rpm -q pki-server
rpm -qa |grep pki
getenforce
cat /etc/redhat-release
latest installation log in /var/log/pki/pkispawn-*
logs in /var/log/pki/pki-tomcat

You might also want to re-do the installation with the -vvv option so
that there is much more debug output.  Make sure to pkidestroy the old
instance. 

> When I look at services there is a pki-tomcatd at pki-tomcat running 
> and I can restart it without problems. I can also get to the "End 
> User Services" page on 8080. None of the other ports connect.
> 
> Thanks in advance.
> 
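As an added illustration of the advice in the reply (not part of the thread), the following POSIX shell puts the DS overrides in a separate pkispawn config file instead of /etc/pki/default.cfg, refuses to operate on the packaged default.cfg, and collects the diagnostics that were requested. The key names pki_ds_hostname and pki_ds_port are taken from the thread as written, and placing them under [DEFAULT] is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or the Dogtag project.

# Write a minimal override file. Only values that differ from default.cfg
# belong here; pkispawn layers this file on top of default.cfg at run time.
# Section name [DEFAULT] and the key names are assumptions taken from the thread.
write_ca_override() {
    out="$1" ds_host="$2" ds_port="$3"
    cat > "$out" <<EOF
[DEFAULT]
pki_ds_hostname=$ds_host
pki_ds_port=$ds_port
EOF
}

# Refuse to treat the packaged default.cfg as the override file: it can be
# replaced on pki-server updates, so anything written there is lost.
check_not_default_cfg() {
    case "$1" in
        /etc/pki/default.cfg) return 1 ;;
        *) return 0 ;;
    esac
}

# Gather what the reply asks for, ready to attach to a follow-up mail.
collect_pki_diagnostics() {
    rpm -q pki-server
    rpm -qa | grep pki
    getenforce
    cat /etc/redhat-release
    # newest pkispawn log; the tomcat logs live under /var/log/pki/pki-tomcat
    ls -t /var/log/pki/pkispawn-* 2>/dev/null | head -n 1
}

# Tear down the failed instance and redo the install with full debug output,
# as suggested in the reply. Aborts rather than install from default.cfg.
redo_ca_install() {
    cfg="$1"
    check_not_default_cfg "$cfg" || { echo "refusing to use $cfg as override" >&2; return 1; }
    pkidestroy -s CA -i pki-tomcat
    pkispawn -s CA -f "$cfg" -vvv
}
```

Typical use is `write_ca_override /home/pkiadmin/CA.cfg ldap.example.test 389` followed by `redo_ca_install /home/pkiadmin/CA.cfg`, then `collect_pki_diagnostics` if it still fails.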