[Freeipa-users] Installation failed at configuring CA

Matthew Davis matthew at familycampground.org
Thu Sep 15 20:02:32 UTC 2011


So here are the steps I took to reproduce this (which I've done a few
times now to make sure I didn't botch something up):

- fresh install of F15
- fully updated from the main repos
- install freeipa-server using the updates-testing repo
- set SELinux to permissive (due to previous conversations about
selinux stopping the ldap server from restarting)
- ran ipa-server-install

It dies at this stage:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI
-client_certdb_pwd 'XXXXXXXX' -preop_pin JBpIwvNsi8efrsbebjVK
-domain_name IPA -admin_user admin -admin_email root at localhost
-admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size
2048 -agent_key_type rsa -agent_cert_subject
"CN=ipa-ca-agent,O=DOMAIN.COM" -ldap_host ipa.domain.com -ldap_port
7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX'
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
-key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX'
-subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name "CN=CA Subsystem,O=DOMAIN.COM"
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=DOMAIN.COM"
-ca_server_cert_subject_name "CN=ipa.domain.com,O=DOMAIN.COM"
-ca_audit_signing_cert_subject_name "CN=CA Audit,O=DOMAIN.COM"
-ca_sign_cert_subject_name "CN=Certificate Authority,O=DOMAIN.COM"
-external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed

Attached is the last bit of the install log.

-- 
Matthew Davis
-------------- next part --------------
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Thu, 15 Sep 2011 19:55:08 GMT
RESPONSE HEADER:  Connection: close
ERROR: unable to parse xml
ERROR XML = ame>Key Pairs</Name></Panel><Panel><Id>subjectname</Id><Name>Subject Names</Name></Panel><Panel><Id>certrequest</Id><Name>Requests and Certificates</Name></Panel><Panel><Id>backupkeys</Id><Name>Export Keys and Certificates</Name></Panel><Panel><Id>savepk12</Id><Name>Save Keys and Certificates</Name></Panel><Panel><Id>importcachain</Id><Name>Import CA's Certificate Chain</Name></Panel><Panel><Id>admin</Id><Name>Administrator</Name></Panel><Panel><Id>importadmincert</Id><Name>Import Administrator's Certificate</Name></Panel><Panel><Id>done</Id><Name>Done</Name></Panel></Vector></panels><p>17</p><name>CA Setup Wizard</name><import>true</import><pkcs7>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</pkcs7><req></req><panelname>importadmincert</panelname> 
</response>

ERROR: Tag=updateStatushas no values
Error in AdminCertReqPanel(): updateStatus value is null
ERROR: ConfigureCA: AdminCertReqPanel() failure
ERROR: unable to create CA

#######################################################################

2011-09-15 15:55:09,542 DEBUG stderr=[Fatal Error] :20:136: The entity name must immediately follow the '&' in the entity reference.
org.xml.sax.SAXParseException; lineNumber: 20; columnNumber: 136; The entity name must immediately follow the '&' in the entity reference.
	at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
	at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
	at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
	at ParseXML.parse(ParseXML.java:43)
	at ConfigureCA.getStatus(ConfigureCA.java:205)
	at ConfigureCA.checkStatus(ConfigureCA.java:221)
	at ConfigureCA.checkStatus(ConfigureCA.java:216)
	at ConfigureCA.AdminCertReqPanel(ConfigureCA.java:1029)
	at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1309)
	at ConfigureCA.main(ConfigureCA.java:1672)

2011-09-15 15:55:09,542 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI -client_certdb_pwd 'XXXXXXXX' -preop_pin JBpIwvNsi8efrsbebjVK -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=DOMAIN.COM" -ldap_host ipa.domain.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=DOMAIN.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=DOMAIN.COM" -ca_server_cert_subject_name "CN=ipa.domain.com,O=DOMAIN.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=DOMAIN.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=DOMAIN.COM" -external false -clone false' returned non-zero exit status 255
2011-09-15 15:55:09,559 DEBUG Configuration of CA failed
  File "/usr/sbin/ipa-server-install", line 1081, in <module>
    sys.exit(main())

  File "/usr/sbin/ipa-server-install", line 883, in main
    subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 544, in configure_instance
    self.start_creation("Configuring certificate server", 210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 276, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 684, in __configure_instance
    raise RuntimeError('Configuration of CA failed')
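
The SAXParseException in the log above is Xerces rejecting a '&' in the wizard's XML response that does not start an entity reference. The following is an added example, not part of the original post and not FreeIPA or Dogtag code: it locates such characters in a saved response body so the offending field can be identified. The sample response and the function names are constructed for illustration.

```python
import re
import xml.parsers.expat

# '&' that does not begin a well-formed entity or character reference.
# CDATA sections, where a bare '&' is legal, are not handled here.
BARE_AMP = re.compile(r"&(?!(?:[A-Za-z_:][\w.:-]*|#[0-9]+|#x[0-9A-Fa-f]+);)")

# Constructed sample, loosely shaped like the wizard response in the log.
# The bare '&' on line 3 is placed here for illustration only.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<response><panels><Vector>
<Panel><Id>savepk12</Id><Name>Save Keys & Certificates</Name></Panel>
<Panel><Id>done</Id><Name>Done &amp; finished &#38; closed</Name></Panel>
</Vector></panels><panelname>importadmincert</panelname>
</response>
"""

def find_bare_ampersands(body):
    """Return [(line, column, context)] for each bare '&', 1-based."""
    hits = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for m in BARE_AMP.finditer(line):
            context = line[max(0, m.start() - 15):m.start() + 15]
            hits.append((lineno, m.start() + 1, context))
    return hits

def parse_error(body):
    """Return None when body is well-formed, else (line, message) from expat."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(body.encode("utf-8"), True)
    except xml.parsers.expat.ExpatError as exc:
        return exc.lineno, xml.parsers.expat.ErrorString(exc.code)
    return None

def repair(body):
    """Escape only the bare ampersands so the body can be parsed for triage."""
    return BARE_AMP.sub("&amp;", body)

if __name__ == "__main__":
    for line, col, ctx in find_bare_ampersands(SAMPLE):
        print(f"bare '&' at {line}:{col}: {ctx!r}")
    print("before:", parse_error(SAMPLE))
    print("after: ", parse_error(repair(SAMPLE)))
```

The durable fix belongs on the side that generates the response: every value written into the XML has to be escaped before it is emitted.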


