[Pki-users] 10.0.2 CA Installation failed on LDAP and CA chain
Ade Lee
alee at redhat.com
Mon May 6 14:25:28 UTC 2013
On Sun, 2013-05-05 at 12:46 +0200, pkiadmin at nym.hush.com wrote:
> Hello list members,
>
> I have been trying to get Dogtag 10.0.2 on fc18 running but
> pkispawn concludes with Installation Failed.
>
> Here is what I see:
> pkispawn -s CA -f /home/pkiadmin/CA.cfg
> Loading deployment configuration from /home/pkiadmin/CA.cfg.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
>
> The interactive pkispawn was also tried but this gives the same
> fail results.
>
> In /var/log/pki/pki-tomcat/ca/system I see the following:
> 6650.localhost-startStop-1 - [05/May/2013:10:33:53 CEST] [3] [3]
> Cannot build CA chain. Error
> java.security.cert.CertificateException: Certificate is not a
> PKCS#11 certificate
>
> 6650.localhost-startStop-1 - [05/May/2013:10:33:53 CEST] [13] [3]
> authz instance DirAclAuthz initialization failed and skipped,
> error=Property internaldb.ldapconn.port missing value
>
> In /var/log/pki/pki-tomcat/catalina.out I see the above 2 errors
> preceded by CMS WARNING: FAILURE:
>
The errors above are benign, in that they always occur on a new
installation.
> In /etc/pki/default.cfg I put pki_ds_hostname=hostname and made
> sure the pki_ds_port was correct. Oh yes, the remote DS389 was
> running and accessible.
>
OK, so /etc/pki/default.cfg is not supposed to be edited. Instead, a
brand new file is supposed to be created with the relevant overrides.
This is because default.cfg can be overwritten in updates to pki-server.
It's hard to tell what is going on based on what you have described.
Please provide the following:
rpm -q pki-server
rpm -qa |grep pki
getenforce
cat /etc/redhat-release
latest installation log in /var/log/pki/pkispawn-*
logs in /var/log/pki/pki-tomcat
You might also want to re-do the installation with the -vvv option so
that there is much more debug output. Make sure to pkidestroy the old
instance.
> When I look at services there is a pki-tomcatd at pki-tomcat running
> and I can restart it without problems. I can also get to the "End
> User Services" page on 8080. None of the other ports connect.
>
> Thanks in advance.
>
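The reply above recommends keeping the deployment overrides in a separate file rather than editing /etc/pki/default.cfg, and checking the DS host and port before re-running pkispawn. The script below is an added example, not code from the thread or from the Dogtag project: it writes such an override file and sanity-checks it. The keys pki_ds_hostname and pki_ds_port are the ones discussed in the thread; the other keys are assumed to be standard pkispawn deployment keys, and every password value is a placeholder that the check deliberately rejects until replaced.

```shell
#!/bin/sh
# Added example (not from the thread or the Dogtag project): write a pkispawn
# override file instead of editing /etc/pki/default.cfg, then validate it.
# pki_ds_hostname/pki_ds_port come from the thread; the remaining keys are
# assumed standard pkispawn deployment keys with placeholder values.

# write_ca_overrides OUTFILE DS_HOST DS_PORT
write_ca_overrides() {
    out="$1"; ds_host="$2"; ds_port="$3"
    # Refuse to write the packaged defaults file: pki-server updates may overwrite it.
    case "$out" in
        /etc/pki/default.cfg) echo "refusing to edit $out" >&2; return 1 ;;
    esac
    # The file will hold passwords, so create it owner-readable only
    # (umask in a subshell so it does not leak into the caller's shell).
    (
        umask 077
        cat > "$out" <<EOF
[DEFAULT]
pki_admin_password=CHANGE_ME_admin
pki_client_pkcs12_password=CHANGE_ME_pkcs12
pki_security_domain_password=CHANGE_ME_domain
pki_ds_password=CHANGE_ME_ds
pki_ds_hostname=$ds_host
pki_ds_port=$ds_port

[CA]
EOF
    )
}

# check_ca_overrides FILE: succeed only if the file names a DS host, a numeric
# port, and no leftover placeholder passwords.
check_ca_overrides() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    host=$(sed -n 's/^pki_ds_hostname=//p' "$f")
    port=$(sed -n 's/^pki_ds_port=//p' "$f")
    [ -n "$host" ] || { echo "missing pki_ds_hostname" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "pki_ds_port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if grep -q 'CHANGE_ME' "$f"; then
        echo "placeholder passwords still present in $f" >&2; return 1
    fi
    return 0
}

# Usage (a real run would follow with: pkidestroy of any old instance, then
# pkispawn -s CA -f "$cfg" -vvv):
# cfg=/root/pki-ca-overrides.cfg   # hypothetical path
# write_ca_overrides "$cfg" ldap.example.test 389 && check_ca_overrides "$cfg"
```

Keeping the overrides outside /etc/pki is exactly what the reply asks for; the check catches the two things most likely to produce a bare "Installation failed" before any log is consulted: a port that is not a number and passwords never filled in.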