[Freeipa-users] Error in Installation - unable to create CA

Dmitri Pal dpal at redhat.com
Wed May 2 19:52:02 UTC 2012


On 05/02/2012 11:34 AM, Rob Crittenden wrote:
> shabahang elmian wrote:
>> Hello,
>> I would be thankful if some one can help me to resolve the problem.
>
> We need to see /var/log/ipaserver-install.log and potentially
> /var/log/pki-ca/debug to determine what the problem is.
>
> It would appear that the CA process didn't start.
>
> Details on your versions of ipa-server and pki-ca would be helpful too.
>
> rob
>

https://bugzilla.redhat.com/show_bug.cgi?id=818123

Might be related. Please see comments there and requests for additional logs.




>>
>> Shabahang
>>
>> ------------------------------------------------------------------------
>> *From:* shabahang elmian <eshabahang at yahoo.com>
>> *To:* Rob Crittenden <rcritten at redhat.com>
>> *Cc:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> *Sent:* Sunday, April 29, 2012 12:21 PM
>> *Subject:* Re: [Freeipa-users] Error in Installation - unable to
>> create CA
>>
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser,
>> pkiuser)
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] Processing PKI security modules for
>> '/var/lib/pki-ca' ...
>> [2012-04-23 17:07:32] [debug] Attempting to add hardware security
>> modules to system if applicable ...
>> [2012-04-23 17:07:32] [debug] module name: lunasa lib:
>> /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
>> [2012-04-23 17:07:32] [debug] module name: nfast lib:
>> /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
>> [2012-04-23 17:07:32] [debug] configuring SELinux ...
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9180. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9701. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9443. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9444. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9446. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9445. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9447. Port already defined otherwise.
>> [2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to
>> run semanage.
>> [2012-04-23 17:07:34] [debug] Running restorecon commands
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /usr/share/java/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /usr/share/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /var/lib/pki-ca)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /var/run/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /var/log/pki-ca)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /etc/pki-ca)
>> [2012-04-23 17:07:34] [debug] Installation manifest:
>> /var/lib/pki-ca/install_info
>> [2012-04-23 17:07:34] [debug] The following was performed:
>> Installed Files:
>> /etc/pki-ca/CS.cfg
>> ...
>> .
>> .
>> /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
>> Removed Items:
>> /etc/pki-ca/noise
>> /etc/pki-ca/pfile
>>
>> [2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart
>> pki-cad at pki-ca.service)
>> [2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart
>> pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system
>> logs and 'systemctl status' for details."
>> [2012-04-23 17:07:34] [log] Configuration Wizard listening on
>> https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
>>
>> [2012-04-23 17:07:34] [log] After configuration, the server can be
>> operated by the command:
>> /bin/systemctl restart pki-cad at pki-ca.service
>> [root at ipa ~]#
>>
>> [root at ipa system]# ipa-server-install --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and
>> configuration!
>>
>> Are you sure you want to continue with the uninstall procedure? [no]: y
>> Shutting down all IPA services
>> Removing IPA client configuration
>> Unconfiguring ntpd
>> Unconfiguring CA directory server
>> [root at ipa system]#
>> [root at ipa system]#
>> [root at ipa system]# > /var/log/audit/audit.log
>> [root at ipa system]#
>> [root at ipa system]#
>> [root at ipa system]# ipa-server-install --setup-dns
>>
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>> ==============================================================================
>>
>> This program will set up the FreeIPA Server.
>>
>> This includes:
>> * Configure a stand-alone CA (dogtag) for certificate management
>> * Configure the Network Time Daemon (ntpd)
>> * Create and configure an instance of Directory Server
>> * Create and configure a Kerberos Key Distribution Center (KDC)
>> * Configure Apache (httpd)
>> * Configure DNS (bind)
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> Existing BIND configuration detected, overwrite? [no]: y
>> Enter the fully qualified domain name of the computer
>> on which you're setting up server software. Using the form
>> <hostname>.<domainname>
>> Example: master.example.com.
>>
>>
>> Server host name [ipa.mtnirancell.ir]:
>>
>> Warning: skipping DNS resolution of host ipa.mtnirancell.ir
>> The domain name has been calculated based on the host name.
>>
>> Please confirm the domain name [mtnirancell.ir]:
>>
>> The kerberos protocol requires a Realm name to be defined.
>> This is typically the domain name converted to uppercase.
>>
>> Please provide a realm name [MTNIRANCELL.IR]:
>> Certain directory server operations require an administrative user.
>> This user is referred to as the Directory Manager and has full access
>> to the Directory for system management tasks and will be added to the
>> instance of directory server created for IPA.
>> The password must be at least 8 characters long.
>>
>> Directory Manager password:
>> Password (confirm):
>>
>> The IPA server requires an administrative user, named 'admin'.
>> This user is a regular system account used for IPA server
>> administration.
>>
>> IPA admin password:
>> Password (confirm):
>>
>> Do you want to configure DNS forwarders? [yes]:
>> Enter the IP address of DNS forwarder to use, or press Enter to finish.
>> Enter IP address for a DNS forwarder:
>> No DNS forwarders configured
>> Do you want to configure the reverse zone? [yes]:
>> Please specify the reverse zone name [58.131.10.in-addr.arpa.]:
>> Using reverse zone 58.131.10.in-addr.arpa.
>>
>> The IPA Master Server will be configured with:
>> Hostname: ipa.mtnirancell.ir
>> IP address: 10.131.58.43
>> Domain name: mtnirancell.ir
>> Realm name: MTNIRANCELL.IR
>>
>> BIND DNS server will be configured to serve IPA domain with:
>> Forwarders: No forwarders
>> Reverse zone: 58.131.10.in-addr.arpa.
>>
>> Continue to configure the system with these values? [no]: y
>>
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Configuring ntpd
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server for the CA: Estimated time 30 minutes 30
>> seconds
>> [1/3]: creating directory server user
>> [2/3]: creating directory server instance
>> [3/3]: restarting directory server
>> done configuring pkids.
>> Configuring certificate server: Estimated time 33 minutes 30 seconds
>> [1/16]: creating certificate server user
>> [2/16]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
>> /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa.mtnirancell.ir'
>> '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-gEoCj_'
>> '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'OiqLyU0CQxx8MRRZpuGs'
>> '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
>> 'root at localhost' '-admin_XXXXXXXX' XXXXXXXX '-agent_name' 'ipa-ca-agent'
>> '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject'
>> 'CN=ipa-ca-agent,O=MTNIRANCELL.IR' '-ldap_host' 'ipa.mtnirancell.ir'
>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_XXXXXXXX'
>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
>> Subsystem,O=MTNIRANCELL.IR' '-ca_ocsp_cert_subject_name' 'CN=OCSP
>> Subsystem,O=MTNIRANCELL.IR' '-ca_server_cert_subject_name'
>> 'CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR'
>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=MTNIRANCELL.IR'
>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=MTNIRANCELL.IR'
>> '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
>> Unexpected error - see ipaserver-install.log for details:
>> Configuration of CA failed
>> [root at ipa system]# cat /var/log/audit/audit.log
>> type=SERVICE_START msg=audit(1335685711.759:154): pid=0 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="ntpd" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
>> type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
>> res=success'
>> type=SERVICE_START msg=audit(1335685716.195:156): pid=0 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
>> res=success'
>> type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
>> res=success'
>> type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
>> comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
>> res=success'
>> [root at ipa system]#
>>
>> shabahang
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Rob Crittenden <rcritten at redhat.com>
>> *To:* shabahang elmian <eshabahang at yahoo.com>
>> *Cc:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> *Sent:* Monday, April 23, 2012 8:16 PM
>> *Subject:* Re: [Freeipa-users] Error in Installation - unable to
>> create CA
>>
>> shabahang elmian wrote:
>>  > Hello,
>>  > There is a problem on configuring FreeIPA.
>>  > would you please help.
>>  >
>>  > please find following :
>>  >
>>  > 2012-04-23 12:38:53,812 DEBUG duration: 5 seconds
>>  > 2012-04-23 12:38:53,812 DEBUG [3/17]: configuring certificate server
>>  > instance
>>  > 2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent
>>  > ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445
>>  > -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX
>>  > -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin
>>  > -admin_email root at localhost -admin_password XXXXXXXX -agent_name
>>  > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>>  > -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host
>>  > ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager
>>  > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
>>  > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
>>  > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
>>  > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>>  > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>>  > -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>>  > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>>  > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>>  > -external false -clone false
>>  > 2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64
>>  > #######################################################################
>>  > CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR
>>  > tokenpwd:XXXXXXXX
>>  > #############################################
>>  > Attempting to connect to: ipa.mtnirancell.ir:9445
>>  > Exception in LoginPanel(): java.lang.NullPointerException
>>  > ERROR: ConfigureCA: LoginPanel() failure
>>  > ERROR: unable to create CA
>>  > #######################################################################
>>  > 2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send
>>  > Request:java.net.ConnectException: Connection refused
>>  > java.net.ConnectException: Connection refused
>>  > at java.net.PlainSocketImpl.socketConnect(Native Method)
>>  > at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>>  > at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>>  > at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>>  > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>>  > at java.net.Socket.connect(Socket.java:546)
>>  > at java.net.Socket.connect(Socket.java:495)
>>  > at java.net.Socket.<init>(Socket.java:392)
>>  > at java.net.Socket.<init>(Socket.java:235)
>>  > at HTTPClient.sslConnect(HTTPClient.java:326)
>>  > at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>>  > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>>  > at ConfigureCA.main(ConfigureCA.java:1672)
>>  > java.lang.NullPointerException
>>  > at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>>  > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>>  > at ConfigureCA.main(ConfigureCA.java:1672)
>>  >
>>  > 2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance
>>  > Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>>  > ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR
>>  > -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA
>>  > -domain_name IPA -admin_user admin -admin_email root at localhost
>>  > -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size
>>  > 2048 -agent_key_type rsa -agent_cert_subject
>>  > CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir
>>  > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
>>  > XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type
>>  > rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
>>  > -subsystem_name pki-cad -token_name internal
>>  > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>>  > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>>  > -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>>  > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>>  > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>>  > -external false -clone false' returned non-zero exit status 255
>>  > 2012-04-23 12:38:56,266 DEBUG Configuration of CA failed
>>  > File "/usr/sbin/ipa-server-install", line 1173, in <module>
>>  > rval = main()
>>  >
>>  > File "/usr/sbin/ipa-server-install", line 974, in main
>>  > subject_base=options.subject)
>>  >
>>  > File
>>  > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>  > line 537, in configure_instance
>>  > self.start_creation("Configuring certificate server", 210)
>>  >
>>  > File
>>  > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>  > line 248, in start_creation
>>  > method()
>>  >
>>  > File
>>  > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>  > line 677, in __configure_instance
>>  > raise RuntimeError('Configuration of CA failed')
>>  >
>>  > please note :
>>  >
>>  > [root at ipa ~]# uname -a
>>  > Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21
>>  > 12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>>  > [root at ipa ~]# cat /etc/redhat-release
>>  > Fedora release 16 (Verne)
>>  > [root at ipa ~]#
>>
>> It would appear that the CA silent installer (pki-silent) couldn't talk
>> to the CA. There are more logs in /var/log/pki-ca that may hold more
>> information on why.
>>
>> You might also want to look for any new AVCs in
>> /var/log/audit/audit.log.
>>
>> regards
>>
>> rob
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
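The two checks Rob asks for in the thread (did the CA service actually start, and are there AVC denials in /var/log/audit/audit.log) can be run against an audit log with the following added example; it is not FreeIPA or Dogtag code. Its sample records are constructed (the AVC line is illustrative, not from the reporter's system), and it assumes systemd records the CA unit as comm="pki-cad@pki-ca".

```python
# Added example (not FreeIPA/Dogtag code): parses audit.log records of the shape
# quoted in the thread and answers two questions from the advice above: did the
# CA unit ever record a SERVICE_START, and are there AVC denials?
import re

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]+) \}")

# Constructed sample: dirsrv@PKI-IPA starts, stops and restarts, pki-cad@pki-ca never
# starts (consistent with "Job failed"), and one illustrative name_bind denial on 9445.
SAMPLE_AUDIT = """\
type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1335685720.001:160): avc:  denied  { name_bind } for  pid=4321 comm="java" src=9445 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

def parse_audit(text):
    """One dict per record; key=value pairs nested inside msg='...' are flattened."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank or non-record line
        rtype, ts, serial, body = m.groups()
        rec = {"type": rtype, "ts": float(ts), "serial": int(serial), "body": body}
        for k, v in KV_RE.findall(body):
            rec[k] = v.strip("\"'")
        if "msg" in rec:  # systemd puts comm="<unit>" inside the nested msg='...'
            for k, v in KV_RE.findall(rec["msg"]):
                rec[k] = v.strip("\"'")
        records.append(rec)
    return records

def service_events(records, unit):
    """(type, timestamp) timeline of SERVICE_START/STOP records for one unit (comm=)."""
    return [(r["type"], r["ts"]) for r in records
            if r["type"].startswith("SERVICE_") and r.get("comm") == unit]

def avc_denials(records):
    """AVC denials reduced to the fields needed to read them."""
    out = []
    for r in records:
        m = AVC_RE.search(r["body"]) if r["type"] == "AVC" else None
        if m and m.group(1) == "denied":
            out.append({"perm": m.group(2).strip(), "comm": r.get("comm"), "port": r.get("src"),
                        "scontext": r.get("scontext"), "tcontext": r.get("tcontext"), "tclass": r.get("tclass")})
    return out

def triage(text, ca_unit="pki-cad@pki-ca"):  # unit name as systemd logs it: an assumption
    """First thing to check: did the CA unit start at all, and were there any denials?"""
    recs = parse_audit(text)
    started = any(t == "SERVICE_START" for t, _ in service_events(recs, ca_unit))
    return {"ca_started": started, "denials": avc_denials(recs)}
```

Run `triage(open("/var/log/audit/audit.log").read())` on the real file; a `ca_started` of False with no denials points at the service unit itself (`systemctl status` and /var/log/pki-ca), while a denial on the CA's port points at the SELinux port labels the installer complained about.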





