[Freeipa-users] Installation failed at configuring CA

Rob Crittenden rcritten at redhat.com
Thu Sep 15 20:10:55 UTC 2011


Matthew Davis wrote:
> So here are the steps I took to reproduce this (which I've done a few
> times now to make sure I didn't botch something up)
>
> - fresh install of F15
> - fully updated from the main repos
> - install freeipa-server using the updates-testing repo
> - set SELinux to permissive (due to previous conversations about
> selinux stopping the ldap server from restarting)
> - ran ipa-server-install
>
> It dies at this stage:
>
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>    [1/17]: creating certificate server user
>    [2/17]: creating pki-ca instance
>    [3/17]: configuring certificate server instance
> root        : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI
> -client_certdb_pwd 'XXXXXXXX' -preop_pin JBpIwvNsi8efrsbebjVK
> -domain_name IPA -admin_user admin -admin_email root at localhost
> -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size
> 2048 -agent_key_type rsa -agent_cert_subject
> "CN=ipa-ca-agent,O=DOMAIN.COM" -ldap_host ipa.domain.com -ldap_port
> 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX'
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX'
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=DOMAIN.COM"
> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=DOMAIN.COM"
> -ca_server_cert_subject_name "CN=ipa.domain.com,O=DOMAIN.COM"
> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=DOMAIN.COM"
> -ca_sign_cert_subject_name "CN=Certificate Authority,O=DOMAIN.COM"
> -external false -clone false' returned non-zero exit status 255
> Unexpected error - see ipaserver-install.log for details:
>   Configuration of CA failed
>
> Attached is the last bit of the install log.

Are you using a Directory Manager password with special characters in 
it? The password ends up getting passed through the shell and some 
things that require escaping aren't escaped by either us, dogtag or 
both. We're investigating that now.

rob
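
The failure mode described in the reply above, reduced to a sketch. This is an added example, not FreeIPA or dogtag code. The child command, the two unescaped wrappers and the sample passwords are constructed assumptions; the thread does not say how the real command line was assembled.

```python
import shlex
import subprocess
import sys

# Child process that writes back the single argument it received.
ECHO = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]
PREFIX = " ".join(shlex.quote(a) for a in ECHO)

# Constructed sample passwords (none appear in the thread).
SAMPLES = ["Secret123", "pa$$word", "it's a secret", 'say "hi"']


def naive(password, quote_char):
    """Fragile pattern: wrap the value in quotes without escaping it."""
    return f"{PREFIX} {quote_char}{password}{quote_char}"


def escaped(password):
    """Shell string with the value escaped by shlex.quote()."""
    return f"{PREFIX} {shlex.quote(password)}"


def arrives_intact(cmd, password, shell):
    """True if the child exits 0 and saw exactly the original password."""
    r = subprocess.run(cmd, shell=shell, capture_output=True, text=True)
    return r.returncode == 0 and r.stdout == password


def survives(password):
    """Which ways of passing the password deliver it unchanged?"""
    return {
        "single": arrives_intact(naive(password, "'"), password, True),
        "double": arrives_intact(naive(password, '"'), password, True),
        "escaped": arrives_intact(escaped(password), password, True),
        "argv": arrives_intact(ECHO + [password], password, False),  # no shell
    }


if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:18} {survives(pw)}")
```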



