[Freeipa-users] freeipa server install fails on fedora 20

Rob Crittenden rcritten at redhat.com
Tue Sep 9 14:41:07 UTC 2014


Olga Kornievskaia wrote:
> 
> 
> On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal <dpal at redhat.com> wrote:
> 
>     On 09/08/2014 07:29 PM, Olga Kornievskaia wrote:
>>     Thank you very much for your quick reply.
>>
>>     It is a brand new fedora 20 vm.
> 
>     OK good.
>     Can you send or share the ipa server installation log?
> 
> 
> Can you please suggest how I can do that? My original post was rejected
> by the administrator of this list because I've included the install log
> that compressed was over 5M.

If you have a web/ftp server available you can put it there for download.

I'd look at the catalina.* logs in /var/log/pki/pki-tomcat and debug in
the ca subdirectory. Those are more likely to hold startup failures.

journalctl may hold information on why it didn't start too.

Incidentally, the second problem is likely related to the first. The
installation didn't succeed so the system state is indeterminate.

rob

> 
> 
>     Are you using a cert from AD and trying to chain to an AD CA?
> 
> 
> I'm not specifying any cert options on the install command (i.e. I'm
> using the default certs supplied with the install).
>
>>
>>     There is nothing that's running on port 443. 
>>
>>     catalina.out is empty 
>>     system file is attached and reports that certificate is not in
>>     pkcs11 format.
>>     pki-ca-spaw.XX.log does not appear to report errors  (also attached)
>>
>>     Please let me know if I can enable any other debugging into that
>>     might be useful in figuring this out.
>>
>>     Thank you.
>>
>>
>>     On Mon, Sep 8, 2014 at 5:50 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>         On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:
>>>         Can somebody help with the following problem(s) I’ve
>>>         encountered while trying to install the freeipa server?
>>>
>>>         Problem #1:
>>>         On fedora 20, I have:
>>>         1. using yum install acquired the free-ipa-server package.
>>>         2. ran ipa-server-install 
>>>         — that has failed with “CA did not start in 300s”
>>>
>>>         One thing that’s noticeable in the logs (the snippet is
>>>         included below) is that request for request
>>>         'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
>>>         has 443 as port as for before all the requests for 8443
>>>         (e.g., same (manual) request on port 8443 succeeds). Seems
>>>         like an install script somewhere has the wrong port?
>>
>>         443 is the right port.
>>         Do you have something already running on the same box on that
>>         port?
>>         That might prevent things from installing and running.
>>
>>         Please try on a clean machine or VM.
>>         Also more logs will be helpful.
>>         Please see this [1] on how to troubleshoot.
>>
>>         The second problem is most likely an artifact of the
>>         incomplete install.
>>
>>         [1] http://www.freeipa.org/page/Troubleshooting
>>
>>>
>>>         2014-09-08T19:21:07Z DEBUG Waiting for CA to start...
>>>
>>>         2014-09-08T19:21:08Z DEBUG request
>>>         'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
>>>
>>>         2014-09-08T19:21:08Z DEBUG request body ''
>>>
>>>         2014-09-08T19:21:08Z DEBUG request status 503
>>>
>>>         2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service
>>>         Unavailable'
>>>
>>>         2014-09-08T19:21:08Z DEBUG request headers {'date': 'Mon, 08
>>>         Sep 2014 19:21:08 GMT', 'content-length': '299',
>>>         'content-type': 'text/html; charset=iso-8859-1',
>>>         'connection': 'close', 'server': 'Apache/2.4.10 (Fedora)
>>>         mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC
>>>         mod_wsgi/3.5 Python/2.7.5'}
>>>
>>>         2014-09-08T19:21:08Z DEBUG request
>>>         body '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
>>>         2.0//EN">\n<html><head>\n<title>503 Service
>>>         Unavailable</title>\n</head><body>\n<h1>Service
>>>         Unavailable</h1>\n<p>The server is temporarily unable to
>>>         service your\nrequest due to maintenance downtime or
>>>         capacity\nproblems. Please try again
>>>         later.</p>\n</body></html>\n'
>>>
>>>         2014-09-08T19:21:08Z DEBUG The CA status is: Service Unavailable
>>>
>>>
>>>         Problem #2:
>>>         The next problem I’m encountering and doesn’t seem to be
>>>         related to the CA setup is on the next step of “kinit admin”.
>>>         It fails with “generic pre authentication failure while
>>>         getting initial credentials"
>>>
>>>         stracing kinit shows that it tried to open file
>>>         “/var/lib/sss/pubconf/kdcinfo.GATEWAY.2WIRE.NET” and fails
>>>         with “no such file” error.  “pubconf” dir only has empty
>>>         “krb5.include.d”.
>>>
>>>         I don’t know if this failure is due to the fact that the
>>>         setup didn’t run all the way and some configuration is
>>>         missing or this is a separate issue.
>>>
>>>         Are these bugs that need to be filed with bugzilla or am I
>>>         doing something incorrectly?
>>>
>>>         Any help would be appreciated. 
>>>
>>>         Thank you.
>>>
>>>
>>
>>
>>         -- 
>>         Thank you,
>>         Dmitri Pal
>>
>>         Sr. Engineering Manager IdM portfolio
>>         Red Hat, Inc.
>>
>>
>>
>>
> 
> 
>     -- 
>     Thank you,
>     Dmitri Pal
> 
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
> 
> 
> 
> 
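
One way to cut a multi-megabyte install log down to what matters for the "CA did not start in 300s" failure, as an added example that is not part of the original thread or FreeIPA's own code. It assumes log lines shaped like the excerpt quoted above; the host name in the sample is a constructed placeholder.

```python
import re
from collections import Counter

# Constructed sample in the format of the install-log excerpt quoted above
# (ipa1.example.test is a placeholder host, not the poster's).
SAMPLE_LOG = """\
2014-09-08T19:21:07Z DEBUG Waiting for CA to start...
2014-09-08T19:21:08Z DEBUG request 'https://ipa1.example.test:443/ca/admin/ca/getStatus'
2014-09-08T19:21:08Z DEBUG request body ''
2014-09-08T19:21:08Z DEBUG request status 503
2014-09-08T19:21:08Z DEBUG The CA status is: Service Unavailable
2014-09-08T19:21:09Z DEBUG Waiting for CA to start...
2014-09-08T19:21:10Z DEBUG request 'https://ipa1.example.test:443/ca/admin/ca/getStatus'
2014-09-08T19:21:10Z DEBUG request status 503
2014-09-08T19:21:10Z DEBUG The CA status is: Service Unavailable
"""

LINE = re.compile(r"^(\S+Z) DEBUG (.*)$")
REQ = re.compile(r"^request '([^']+)'$")
STATUS = re.compile(r"^request status (\d{3})$")
CA = re.compile(r"^The CA status is: (.+)$")
POLL_PATH = "/ca/admin/ca/getStatus"

def summarize_ca_polls(text):
    """Condense the CA start-up polling in an install log to a short summary."""
    polls, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped header/body continuation lines are skipped
        stamp, msg = m.groups()
        if (r := REQ.match(msg)):
            # Only getStatus polls are tracked; any other request ends the poll.
            is_poll = r.group(1).endswith(POLL_PATH)
            current = {"time": stamp, "url": r.group(1), "http": None, "ca": None} if is_poll else None
            if current:
                polls.append(current)
        elif current and (s := STATUS.match(msg)):
            current["http"] = int(s.group(1))
        elif current and (c := CA.match(msg)):
            current["ca"] = c.group(1)
    return {
        "polls": len(polls),
        "first": polls[0]["time"] if polls else None,
        "last": polls[-1]["time"] if polls else None,
        "http_codes": dict(Counter(p["http"] for p in polls)),
        "ca_states": dict(Counter(p["ca"] for p in polls)),
        "ever_ok": any(p["http"] == 200 for p in polls),
    }
```

A summary in which every poll returns 503 from Apache means the proxy on 443 is answering while the CA behind it is not, which is why the catalina.* and ca/debug logs are the next place to look.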



