[Freeipa-users] replica install failure....
Steven Jones
Steven.Jones at vuw.ac.nz
Tue Mar 29 19:08:50 UTC 2011
F14 IPA-2.0-rc3
===============
2011-03-28 23:37:29,052 DEBUG /usr/sbin/ipa-replica-install was invoked with argument "replica-info-fed14-64-ipam002.ipa.ac.nz.gpg" and options: {'no_forwarders': False, 'setup_pkinit': True, 'no_host_dns': False, 'no_reverse': False, 'setup_dns': False, 'forwarders': None, 'debug': False, 'conf_ntp': True, 'unattended': False}
2011-03-28 23:37:29,052 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-28 23:37:29,052 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:35,681 DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpygiLqWipa/ipa-0JuP__/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpygiLqWipa/files.tar -d replica-info-fed14-64-ipam002.ipa.ac.nz.gpg
2011-03-28 23:37:35,682 DEBUG stdout=
2011-03-28 23:37:35,682 DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpygiLqWipa/ipa-0JuP__/.gnupg'
gpg: keyring `/tmp/tmpygiLqWipa/ipa-0JuP__/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpygiLqWipa/ipa-0JuP__/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
2011-03-28 23:37:35,686 DEBUG args=tar xf /tmp/tmpygiLqWipa/files.tar -C /tmp/tmpygiLqWipa
2011-03-28 23:37:35,687 DEBUG stdout=
2011-03-28 23:37:35,687 DEBUG stderr=tar: realm_info/ldappwd: time stamp 2011-03-29 11:37:36 is 43200.314994836 s in the future
tar: realm_info/http_pin.txt: time stamp 2011-03-29 11:37:35 is 43199.314835063 s in the future
tar: realm_info/cacert.p12: time stamp 2011-03-29 11:37:33 is 43197.314667199 s in the future
tar: realm_info/ca.crt: time stamp 2011-03-29 11:37:36 is 43200.31454535 s in the future
tar: realm_info/realm_info: time stamp 2011-03-29 11:37:36 is 43200.314436529 s in the future
tar: realm_info/pwdfile.txt.orig: time stamp 2011-03-29 11:37:35 is 43199.314326755 s in the future
tar: realm_info/configure.jar: time stamp 2011-03-29 11:37:36 is 43200.314210218 s in the future
tar: realm_info/httpcert.p12: time stamp 2011-03-29 11:37:36 is 43200.314100775 s in the future
tar: realm_info/dscert.p12: time stamp 2011-03-29 11:37:35 is 43199.313990749 s in the future
tar: realm_info/pwdfile.txt: time stamp 2011-03-29 11:37:35 is 43199.313887882 s in the future
tar: realm_info/kpasswd.keytab: time stamp 2011-03-29 11:37:36 is 43200.313777439 s in the future
tar: realm_info/dirsrv_pin.txt: time stamp 2011-03-29 11:37:33 is 43197.313586943 s in the future
tar: realm_info/ra.p12: time stamp 2011-03-29 11:37:36 is 43200.313470433 s in the future
tar: realm_info/preferences.html: time stamp 2011-03-29 11:37:36 is 43200.313358277 s in the future
tar: realm_info: time stamp 2011-03-29 11:37:36 is 43200.313290539 s in the future
2011-03-28 23:37:35,693 DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
2011-03-28 23:37:35,693 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
2011-03-28 23:37:35,705 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
2011-03-28 23:37:35,743 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
2011-03-28 23:37:35,743 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
2011-03-28 23:37:35,744 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
2011-03-28 23:37:35,752 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
2011-03-28 23:37:35,755 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
2011-03-28 23:37:35,757 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
2011-03-28 23:37:35,762 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py'
2011-03-28 23:37:35,763 DEBUG skipping plugin module ipalib.plugins.entitle: No module named rhsm.connection
2011-03-28 23:37:35,763 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
2011-03-28 23:37:35,765 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
2011-03-28 23:37:35,769 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
2011-03-28 23:37:35,770 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
2011-03-28 23:37:35,771 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
2011-03-28 23:37:35,778 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
2011-03-28 23:37:35,779 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
2011-03-28 23:37:35,780 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
2011-03-28 23:37:35,781 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
2011-03-28 23:37:35,782 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
2011-03-28 23:37:35,784 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
2011-03-28 23:37:35,784 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
2011-03-28 23:37:35,787 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
2011-03-28 23:37:35,788 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
2011-03-28 23:37:35,790 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
2011-03-28 23:37:35,790 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
2011-03-28 23:37:35,791 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
2011-03-28 23:37:35,792 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
2011-03-28 23:37:35,812 DEBUG args=klist -V
2011-03-28 23:37:35,812 DEBUG stdout=Kerberos 5 version 1.8.2
2011-03-28 23:37:35,812 DEBUG stderr=
2011-03-28 23:37:35,815 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
2011-03-28 23:37:35,816 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
2011-03-28 23:37:35,818 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
2011-03-28 23:37:35,818 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
2011-03-28 23:37:35,820 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
2011-03-28 23:37:35,821 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
2011-03-28 23:37:35,828 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
2011-03-28 23:37:35,834 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
2011-03-28 23:37:35,835 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/xmlclient.py'
2011-03-28 23:37:35,835 DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipaserver/plugins'...
2011-03-28 23:37:35,835 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py'
2011-03-28 23:37:35,973 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/join.py'
2011-03-28 23:37:35,975 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py'
2011-03-28 23:37:35,975 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/rabase.py'
2011-03-28 23:37:35,975 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/selfsign.py'
2011-03-28 23:37:35,975 DEBUG skipping plugin module ipaserver.plugins.selfsign: selfsign is not selected as RA plugin, it is dogtag
2011-03-28 23:37:35,975 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/xmlserver.py'
2011-03-28 23:37:36,104 DEBUG Mounting ipaserver.rpcserver.xmlserver() at 'xml'
2011-03-28 23:37:36,111 DEBUG Mounting ipaserver.rpcserver.jsonserver() at 'json'
2011-03-28 23:37:36,704 DEBUG args=/usr/sbin/groupadd -r dirsrv
2011-03-28 23:37:36,705 DEBUG stdout=
2011-03-28 23:37:36,705 DEBUG stderr=
2011-03-28 23:37:36,705 DEBUG done adding DS group
2011-03-28 23:37:36,705 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,010 DEBUG Created connection context.ldap2_38247312
2011-03-28 23:37:37,014 DEBUG Destroyed connection context.ldap2_38247312
2011-03-28 23:37:37,015 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,015 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2011-03-28 23:37:37,015 DEBUG Configuring ntpd
2011-03-28 23:37:37,015 DEBUG [1/4]: stopping ntpd
2011-03-28 23:37:37,270 DEBUG args=/sbin/service ntpd status
2011-03-28 23:37:37,271 DEBUG stdout=ntpd is stopped
2011-03-28 23:37:37,271 DEBUG stderr=
2011-03-28 23:37:37,271 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,355 DEBUG args=/sbin/service ntpd stop
2011-03-28 23:37:37,355 DEBUG stdout=Shutting down ntpd: [FAILED]
2011-03-28 23:37:37,356 DEBUG stderr=
2011-03-28 23:37:37,356 DEBUG duration: 0 seconds
2011-03-28 23:37:37,357 DEBUG [2/4]: writing configuration
2011-03-28 23:37:37,357 DEBUG Backing up system configuration file '/etc/ntp.conf'
2011-03-28 23:37:37,366 DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2011-03-28 23:37:37,368 DEBUG Backing up system configuration file '/etc/sysconfig/ntpd'
2011-03-28 23:37:37,371 DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2011-03-28 23:37:37,376 DEBUG duration: 0 seconds
2011-03-28 23:37:37,376 DEBUG [3/4]: configuring ntpd to start on boot
2011-03-28 23:37:37,388 DEBUG args=/sbin/chkconfig --list ntpd
2011-03-28 23:37:37,388 DEBUG stdout=ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
2011-03-28 23:37:37,388 DEBUG stderr=
2011-03-28 23:37:37,388 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,556 DEBUG args=/sbin/chkconfig ntpd on
2011-03-28 23:37:37,556 DEBUG stdout=
2011-03-28 23:37:37,556 DEBUG stderr=
2011-03-28 23:37:37,556 DEBUG duration: 0 seconds
2011-03-28 23:37:37,556 DEBUG [4/4]: starting ntpd
2011-03-28 23:37:37,644 DEBUG args=/sbin/service ntpd start
2011-03-28 23:37:37,644 DEBUG stdout=Starting ntpd: [ OK ]
2011-03-28 23:37:37,644 DEBUG stderr=
2011-03-28 23:37:37,644 DEBUG duration: 0 seconds
2011-03-28 23:37:37,644 DEBUG done configuring ntpd.
2011-03-28 23:37:37,646 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,647 DEBUG Configuring directory server for the CA: Estimated time 30 seconds
2011-03-28 23:37:37,647 DEBUG [1/3]: creating directory server user
2011-03-28 23:37:37,647 DEBUG adding ds user pkisrv
2011-03-28 23:37:37,908 DEBUG args=/usr/sbin/useradd -g dirsrv -c PKI DS System User -d /var/lib/dirsrv -s /sbin/nologin -M -r pkisrv
2011-03-28 23:37:37,908 DEBUG stdout=
2011-03-28 23:37:37,908 DEBUG stderr=
2011-03-28 23:37:37,908 DEBUG done adding user
2011-03-28 23:37:37,909 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,909 DEBUG duration: 0 seconds
2011-03-28 23:37:37,909 DEBUG [2/3]: creating directory server instance
2011-03-28 23:37:37,970 DEBUG args=/sbin/service dirsrv status
2011-03-28 23:37:37,970 DEBUG stdout= *** Error: no dirsrv instances configured
2011-03-28 23:37:37,970 DEBUG stderr=
2011-03-28 23:37:37,970 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,971 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,972 DEBUG writing inf template
2011-03-28 23:37:37,973 DEBUG
[General]
FullMachineName= fed14-64-ipam002.ipa.ac.nz
SuiteSpotUserID= pkisrv
SuiteSpotGroup= dirsrv
ServerRoot= /usr/lib64/dirsrv
[slapd]
ServerPort= 7389
ServerIdentifier= PKI-IPA
Suffix= dc=ipa,dc=ac,dc=nz
RootDN= cn=Directory Manager
2011-03-28 23:37:37,973 DEBUG calling setup-ds.pl
2011-03-28 23:38:06,982 DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpO4GgGA
2011-03-28 23:38:06,982 DEBUG stdout=[11/03/28:23:38:06] - [Setup] Info Your new DS instance 'PKI-IPA' was successfully created.
Your new DS instance 'PKI-IPA' was successfully created.
[11/03/28:23:38:06] - [Setup] Success Exiting . . .
Log file is '-'
Exiting . . .
Log file is '-'
2011-03-28 23:38:06,983 DEBUG stderr=
2011-03-28 23:38:06,983 DEBUG completed creating ds instance
2011-03-28 23:38:06,985 DEBUG duration: 29 seconds
2011-03-28 23:38:06,985 DEBUG [3/3]: restarting directory server
2011-03-28 23:38:09,175 DEBUG args=/sbin/service dirsrv restart PKI-IPA
2011-03-28 23:38:09,175 DEBUG stdout=Shutting down dirsrv:
PKI-IPA...[ OK ]
Starting dirsrv:
PKI-IPA...[ OK ]
2011-03-28 23:38:09,175 DEBUG stderr=
2011-03-28 23:38:09,204 DEBUG args=/sbin/service dirsrv status
2011-03-28 23:38:09,204 DEBUG stdout=dirsrv PKI-IPA (pid 3443) is running...
2011-03-28 23:38:09,204 DEBUG stderr=
2011-03-28 23:38:09,204 DEBUG duration: 2 seconds
2011-03-28 23:38:09,204 DEBUG done configuring pkids.
2011-03-28 23:38:09,205 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2011-03-28 23:38:09,228 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -N -f /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt
2011-03-28 23:38:09,228 DEBUG stdout=
2011-03-28 23:38:09,228 DEBUG stderr=
2011-03-28 23:38:09,260 DEBUG args=/usr/bin/pk12util -d /etc/dirsrv/slapd-PKI-IPA/ -i /tmp/tmpygiLqWipa/realm_info/dscert.p12 -k /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt -w /tmp/tmpygiLqWipa/realm_info/dirsrv_pin.txt
2011-03-28 23:38:09,260 DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2011-03-28 23:38:09,260 DEBUG stderr=
2011-03-28 23:38:09,274 DEBUG args=/usr/bin/pk12util -d /etc/dirsrv/slapd-PKI-IPA/ -l /tmp/tmpygiLqWipa/realm_info/dscert.p12 -k /tmp/tmpygiLqWipa/realm_info/dirsrv_pin.txt -w /tmp/tmpygiLqWipa/realm_info/dirsrv_pin.txt
2011-03-28 23:38:09,274 DEBUG stdout=Key(shrouded):
Friendly Name: Server-Cert
Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
Parameters:
Salt:
6f:b2:a9:a2:8c:2d:1e:b5:67:c0:34:0f:f4:77:82:ba
Iteration Count: 1 (0x1)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=IPA.AC.NZ"
Validity:
Not Before: Mon Mar 28 21:17:04 2011
Not After : Thu Mar 28 21:17:04 2019
Subject: "CN=Certificate Authority,O=IPA.AC.NZ"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Authority Key Identifier
Key ID:
7b:e2:43:1b:12:ac:f1:16:60:19:d8:0a:47:8a:c9:3b:
df:a2:56:60
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Non-Repudiation
Certificate Signing
CRL Signing
Name: Certificate Subject Key ID
Data:
7b:e2:43:1b:12:ac:f1:16:60:19:d8:0a:47:8a:c9:3b:
df:a2:56:60
Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://fed14-64-ipam001.ipa.ac.nz:9180/ca/ocsp"
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
Fingerprint (MD5):
2E:2E:41:C9:59:69:56:88:B7:A2:F7:53:0B:01:E2:A9
Fingerprint (SHA1):
52:78:11:D9:CA:23:E7:1A:F6:0C:80:DC:73:F3:D2:B9:59:89:3D:49
Friendly Name: IPA.AC.NZ IPA CA
Certificate(has private key):
Data:
Version: 3 (0x2)
Serial Number: 11 (0xb)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=IPA.AC.NZ"
Validity:
Not Before: Mon Mar 28 22:37:34 2011
Not After : Sat Sep 24 22:37:34 2011
Subject: "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Authority Key Identifier
Key ID:
7b:e2:43:1b:12:ac:f1:16:60:19:d8:0a:47:8a:c9:3b:
df:a2:56:60
Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://fed14-64-ipam001.ipa.ac.nz:9180/ca/ocsp"
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
TLS Web Server Authentication Certificate
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
Fingerprint (MD5):
CC:3A:23:F9:54:13:75:38:0E:00:47:60:96:1A:B1:BE
Fingerprint (SHA1):
44:26:56:83:C3:50:11:EE:E5:3B:E9:00:D9:F9:57:30:D9:82:83:08
Friendly Name: Server-Cert
2011-03-28 23:38:09,275 DEBUG stderr=
2011-03-28 23:38:09,282 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -M -n IPA.AC.NZ IPA CA -t CT,CT,
2011-03-28 23:38:09,283 DEBUG stdout=
2011-03-28 23:38:09,283 DEBUG stderr=
2011-03-28 23:38:09,296 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L -n IPA.AC.NZ IPA CA -a
2011-03-28 23:38:09,297 DEBUG stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
2011-03-28 23:38:09,297 DEBUG stderr=
2011-03-28 23:38:09,310 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a
2011-03-28 23:38:09,311 DEBUG stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
2011-03-28 23:38:09,311 DEBUG stderr=
2011-03-28 23:38:11,534 DEBUG args=/sbin/service dirsrv restart PKI-IPA
2011-03-28 23:38:11,534 DEBUG stdout=Shutting down dirsrv:
PKI-IPA...[ OK ]
Starting dirsrv:
PKI-IPA...[ OK ]
2011-03-28 23:38:11,535 DEBUG stderr=
2011-03-28 23:38:11,564 DEBUG args=/sbin/service dirsrv status
2011-03-28 23:38:11,564 DEBUG stdout=dirsrv PKI-IPA (pid 3575) is running...
2011-03-28 23:38:11,564 DEBUG stderr=
2011-03-28 23:38:11,564 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:38:11,565 DEBUG Configuring certificate server: Estimated time 6 minutes
2011-03-28 23:38:11,565 DEBUG [1/11]: creating certificate server user
2011-03-28 23:38:11,565 DEBUG adding ca user pkiuser
2011-03-28 23:38:11,929 DEBUG args=/usr/sbin/useradd -c CA System User -d /var/lib -s /sbin/nologin -M -r pkiuser
2011-03-28 23:38:11,929 DEBUG stdout=
2011-03-28 23:38:11,929 DEBUG stderr=
2011-03-28 23:38:11,929 DEBUG done adding user
2011-03-28 23:38:11,930 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:38:11,930 DEBUG duration: 0 seconds
2011-03-28 23:38:11,930 DEBUG [2/11]: creating pki-ca instance
2011-03-28 23:38:43,871 DEBUG args=/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca
2011-03-28 23:38:43,871 DEBUG stdout=PKI instance creation Utility ...
Capturing installation information in /var/log/pki-ca-install.log
PKI instance creation completed ...
Installation information recorded in /var/log/pki-ca-install.log.
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.
Please start the configuration by accessing:
https://fed14-64-ipam002.ipa.ac.nz:9445/ca/admin/console/config/login?pin=nnARxLnIWvR9Aw1RYjRn
After configuration, the server can be operated by the command:
/sbin/service pki-cad restart pki-ca
2011-03-28 23:38:43,871 DEBUG stderr=
2011-03-28 23:38:43,872 DEBUG duration: 31 seconds
2011-03-28 23:38:43,872 DEBUG [3/11]: restarting certificate server
2011-03-28 23:38:47,115 DEBUG args=/sbin/service pki-cad restart
2011-03-28 23:38:47,116 DEBUG stdout=Stopping pki-ca: [FAILED]
Starting pki-ca: [ OK ]
'pki-ca' must still be CONFIGURED!
(see /var/log/pki-ca-install.log)
2011-03-28 23:38:47,116 DEBUG stderr=
2011-03-28 23:38:47,132 DEBUG duration: 3 seconds
2011-03-28 23:38:47,132 DEBUG [4/11]: configuring certificate server instance
2011-03-28 23:39:05,352 DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444
2011-03-28 23:39:05,352 DEBUG stdout=libpath=/usr/lib64
#######################################################################
CRYPTO INIT WITH CERTDB:/tmp/tmp-r_2iHV
tokenpwd:XXXXXXXX
#############################################
Attempting to connect to: fed14-64-ipam002.ipa.ac.nz:9445
in TestCertApprovalCallback.approve()
Peer cert details:
subject: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
issuer: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
serial: 0
item 1 reason=-8156 depth=1
cert details:
subject: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
issuer: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
serial: 0
item 2 reason=-8172 depth=1
cert details:
subject: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
issuer: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
serial: 0
importing certificate.
Connected.
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/login?pin=nnARxLnIWvR9Aw1RYjRn&xml=true
RESPONSE STATUS: HTTP/1.1 302 Moved Temporarily
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Set-Cookie: JSESSIONID=E0D1A31548F4A63493FB7CC74DE9E873; Path=/ca; Secure
RESPONSE HEADER: Location: https://fed14-64-ipam002.ipa.ac.nz:9445/ca/admin/console/config/wizard
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Content-Length: 0
RESPONSE HEADER: Date: Mon, 28 Mar 2011 10:38:49 GMT
RESPONSE HEADER: Connection: keep-alive
xml returned:
cookie list: JSESSIONID=E0D1A31548F4A63493FB7CC74DE9E873; Path=/ca; Secure
#############################################
Attempting to connect to: fed14-64-ipam002.ipa.ac.nz:9445
Connected.
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 28 Mar 2011 10:38:49 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Copyright (C) 2007 Red Hat, Inc.
All rights reserved.
END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/modulepanel.vm</panel>
<res/>
<showApplyButton/>
<status>display</status>
<subpanelno>2</subpanelno>
<sms>
<Vector>
<Module>
<CommonName>NSS Internal PKCS #11 Module</CommonName>
<UserFriendlyName>NSS Internal PKCS #11 Module</UserFriendlyName>
<ImagePath>../img/clearpixel.gif</ImagePath>
</Module>
<Module>
<CommonName>nfast</CommonName>
<UserFriendlyName>nCipher's nFast Token Hardware Module</UserFriendlyName>
<ImagePath>../img/clearpixel.gif</ImagePath>
</Module>
<Module>
<CommonName>lunasa</CommonName>
<UserFriendlyName>SafeNet's LunaSA Token Hardware Module</UserFriendlyName>
<ImagePath>../img/clearpixel.gif</ImagePath>
</Module>
</Vector>
</sms>
<errorString/>
<size>19</size>
<title>Key Store</title>
<panels>
<Vector>
<Panel>
<Id>welcome</Id>
<Name>Welcome</Name>
</Panel>
<Panel>
<Id>module</Id>
<Name>Key Store</Name>
</Panel>
<Panel>
<Id>confighsmlogin</Id>
<Name>ConfigHSMLogin</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Security Domain</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>subsystem</Id>
<Name>Subsystem Type</Name>
</Panel>
<Panel>
<Id>clone</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>restorekeys</Id>
<Name>Import Keys and Certificates</Name>
</Panel>
<Panel>
<Id>cahierarchy</Id>
<Name>PKI Hierarchy</Name>
</Panel>
<Panel>
<Id>database</Id>
<Name>Internal Database</Name>
</Panel>
<Panel>
<Id>size</Id>
<Name>Key Pairs</Name>
</Panel>
<Panel>
<Id>subjectname</Id>
<Name>Subject Names</Name>
</Panel>
<Panel>
<Id>certrequest</Id>
<Name>Requests and Certificates</Name>
</Panel>
<Panel>
<Id>backupkeys</Id>
<Name>Export Keys and Certificates</Name>
</Panel>
<Panel>
<Id>savepk12</Id>
<Name>Save Keys and Certificates</Name>
</Panel>
<Panel>
<Id>importcachain</Id>
<Name>Import CA's Certificate Chain</Name>
</Panel>
<Panel>
<Id>admin</Id>
<Name>Administrator</Name>
</Panel>
<Panel>
<Id>importadmincert</Id>
<Name>Import Administrator's Certificate</Name>
</Panel>
<Panel>
<Id>done</Id>
<Name>Done</Name>
</Panel>
</Vector>
</panels>
<p>1</p>
<name>CA Setup Wizard</name>
<oms>
<Vector/>
</oms>
<defTok>Internal Key Storage Token</defTok>
<req/>
<panelname>module</panelname>
</response>
Sleeping for 5 secs..
#############################################
Attempting to connect to: fed14-64-ipam002.ipa.ac.nz:9445
Connected.
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?p=1&op=next&xml=true&choice=Internal+Key+Storage+Token
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 28 Mar 2011 10:38:55 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<response>
<machineName>fed14-64-ipam002.ipa.ac.nz</machineName>
<panel>admin/console/config/securitydomainpanel.vm</panel>
<res/>
<showApplyButton/>
<initCommand>/sbin/service pki-cad</initCommand>
<sdomainName>IpaAc Domain</sdomainName>
<sdomainURL>https://fed14-64-ipam002.ipa.ac.nz:9445</sdomainURL>
<http_ee_port>9180</http_ee_port>
<systemname>CA</systemname>
<title>Security Domain</title>
<panels>
<Vector>
<Panel>
<Id>welcome</Id>
<Name>Welcome</Name>
</Panel>
<Panel>
<Id>module</Id>
<Name>Key Store</Name>
</Panel>
<Panel>
<Id>confighsmlogin</Id>
<Name>ConfigHSMLogin</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Security Domain</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>subsystem</Id>
<Name>Subsystem Type</Name>
</Panel>
<Panel>
<Id>clone</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>restorekeys</Id>
<Name>Import Keys and Certificates</Name>
</Panel>
<Panel>
<Id>cahierarchy</Id>
<Name>PKI Hierarchy</Name>
</Panel>
<Panel>
<Id>database</Id>
<Name>Internal Database</Name>
</Panel>
<Panel>
<Id>size</Id>
<Name>Key Pairs</Name>
</Panel>
<Panel>
<Id>subjectname</Id>
<Name>Subject Names</Name>
</Panel>
<Panel>
<Id>certrequest</Id>
<Name>Requests and Certificates</Name>
</Panel>
<Panel>
<Id>backupkeys</Id>
<Name>Export Keys and Certificates</Name>
</Panel>
<Panel>
<Id>savepk12</Id>
<Name>Save Keys and Certificates</Name>
</Panel>
<Panel>
<Id>importcachain</Id>
<Name>Import CA's Certificate Chain</Name>
</Panel>
<Panel>
<Id>admin</Id>
<Name>Administrator</Name>
</Panel>
<Panel>
<Id>importadmincert</Id>
<Name>Import Administrator's Certificate</Name>
</Panel>
<Panel>
<Id>done</Id>
<Name>Done</Name>
</Panel>
</Vector>
</panels>
<sdomainAdminURL>https://fed14-64-ipam002.ipa.ac.nz:9445</sdomainAdminURL>
<check_existingdomain/>
<name>CA Setup Wizard</name>
<https_ee_port>9444</https_ee_port>
<https_admin_port>9445</https_admin_port>
<panelname>securitydomain</panelname>
<https_agent_port>9443</https_agent_port>
<cstype>CA</cstype>
<instanceId><security_domain_instance_name></instanceId>
<errorString/>
<size>19</size>
<p>3</p>
<check_newdomain>checked</check_newdomain>
<req/>
<wizardname>CA Setup Wizard</wizardname>
</response>
Sleeping for 5 secs..
#############################################
Attempting to connect to: fed14-64-ipam002.ipa.ac.nz:9445
Connected.
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Ffed14-64-ipam001.ipa.ac.nz%3A9445&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 28 Mar 2011 10:39:00 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Copyright (C) 2007 Red Hat, Inc.
All rights reserved.
END COPYRIGHT BLOCK -->
<response>
<panel>admin/console/config/securitydomainpanel.vm</panel>
<https_agent_port>9443</https_agent_port>
<machineName>fed14-64-ipam002.ipa.ac.nz</machineName>
<res/>
<cstype>CA</cstype>
<initCommand>/sbin/service pki-cad</initCommand>
<instanceId><security_domain_instance_name></instanceId>
<sdomainName/>
<sdomainURL>https://fed14-64-ipam002.ipa.ac.nz:9445</sdomainURL>
<http_ee_port>9180</http_ee_port>
<errorString>Illegal SSL Admin HTTPS url value for the security domain</errorString>
<size>19</size>
<title>Security Domain</title>
<panels>
<Vector>
<Panel>
<Id>welcome</Id>
<Name>Welcome</Name>
</Panel>
<Panel>
<Id>module</Id>
<Name>Key Store</Name>
</Panel>
<Panel>
<Id>confighsmlogin</Id>
<Name>ConfigHSMLogin</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Security Domain</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>subsystem</Id>
<Name>Subsystem Type</Name>
</Panel>
<Panel>
<Id>clone</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>restorekeys</Id>
<Name>Import Keys and Certificates</Name>
</Panel>
<Panel>
<Id>cahierarchy</Id>
<Name>PKI Hierarchy</Name>
</Panel>
<Panel>
<Id>database</Id>
<Name>Internal Database</Name>
</Panel>
<Panel>
<Id>size</Id>
<Name>Key Pairs</Name>
</Panel>
<Panel>
<Id>subjectname</Id>
<Name>Subject Names</Name>
</Panel>
<Panel>
<Id>certrequest</Id>
<Name>Requests and Certificates</Name>
</Panel>
<Panel>
<Id>backupkeys</Id>
<Name>Export Keys and Certificates</Name>
</Panel>
<Panel>
<Id>savepk12</Id>
<Name>Save Keys and Certificates</Name>
</Panel>
<Panel>
<Id>importcachain</Id>
<Name>Import CA's Certificate Chain</Name>
</Panel>
<Panel>
<Id>admin</Id>
<Name>Administrator</Name>
</Panel>
<Panel>
<Id>importadmincert</Id>
<Name>Import Administrator's Certificate</Name>
</Panel>
<Panel>
<Id>done</Id>
<Name>Done</Name>
</Panel>
</Vector>
</panels>
<sdomainAdminURL>https://fed14-64-ipam002.ipa.ac.nz:9445</sdomainAdminURL>
<p>3</p>
<name>CA Setup Wizard</name>
<check_existingdomain>checked</check_existingdomain>
<https_ee_port>9444</https_ee_port>
<check_newdomain/>
<https_admin_port>9445</https_admin_port>
<req/>
<panelname>securitydomain</panelname>
</response>
ERROR: Tag=sdomainNamehas no values
sdomainname=null
Sleeping for 5 secs..
#############################################
Attempting to connect to: fed14-64-ipam002.ipa.ac.nz:9445
Connected.
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?p=4&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 302 Moved Temporarily
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Location: https://:-1/ca/admin/ca/securityDomainLogin?url=https%3A%2F%2Ffed14-64-ipam002.ipa.ac.nz%3A9445%2Fca%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D5%26subsystem%3DCA
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Content-Length: 0
RESPONSE HEADER: Date: Mon, 28 Mar 2011 10:39:05 GMT
RESPONSE HEADER: Connection: keep-alive
#############################################
Attempting to connect to: fed14-64-ipam001.ipa.ac.nz:9445
#############################################
Attempting to connect to: fed14-64-ipam001.ipa.ac.nz:9445
Exception in SecurityDomainLoginPanel(): java.lang.NullPointerException
ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
ERROR: unable to create CA
#######################################################################
2011-03-28 23:39:05,352 DEBUG stderr=Exception: Unable to Send Request:java.net.NoRouteToHostException: No route to host
java.net.NoRouteToHostException: No route to host
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
at java.net.Socket.connect(Socket.java:546)
at java.net.Socket.connect(Socket.java:495)
at java.net.Socket.<init>(Socket.java:392)
at java.net.Socket.<init>(Socket.java:235)
at HTTPClient.sslConnect(HTTPClient.java:326)
at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:359)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
at ConfigureCA.main(ConfigureCA.java:1761)
Exception: Unable to Send Request:java.net.NoRouteToHostException: No route to host
java.net.NoRouteToHostException: No route to host
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
at java.net.Socket.connect(Socket.java:546)
at java.net.Socket.connect(Socket.java:495)
at java.net.Socket.<init>(Socket.java:392)
at java.net.Socket.<init>(Socket.java:235)
at HTTPClient.sslConnect(HTTPClient.java:326)
at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:364)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
at ConfigureCA.main(ConfigureCA.java:1761)
java.lang.NullPointerException
at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:369)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
at ConfigureCA.main(ConfigureCA.java:1761)
2011-03-28 23:39:05,352 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255
2011-03-28 23:39:05,388 DEBUG Configuration of CA failed
File "/usr/sbin/ipa-replica-install", line 551, in <module>
main()
File "/usr/sbin/ipa-replica-install", line 490, in main
CA = install_ca(config)
File "/usr/sbin/ipa-replica-install", line 190, in install_ca
subject_base=config.subject_base)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 514, in configure_instance
self.start_creation("Configuring certificate server", 360)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 282, in start_creation
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 653, in __configure_instance
raise RuntimeError('Configuration of CA failed')
============
regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 30 March 2011 2:37 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replica install failure....
Steven Jones wrote:
> Just tried to make a replica and the install failed with,
>
> [4/11]: configuring certificate server instance
> root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255
> creation of replica failed: Configuration of CA failed
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root at fed14-64-ipam002 jonesst1]#
You'll need to take a look in /var/log/ipareplica-install.log for more
details on why the install failed.
What distro is this, F-15?
rob