[Freeipa-users] Setup of freeipa 4.2.3 failed
Markus Roth
markus at die5roths.de
Sat Jan 9 21:39:56 UTC 2016
On Friday, 08.01.2016 at 13:25 +0100, Martin Babinsky wrote:
> On 01/08/2016 01:06 PM, Markus Roth wrote:
> > Hi all,
> >
> > I tried to install freeipa server (freeipa-server.armv7hl
> > 4.2.3-1.1.fc23), but the installation failed.
> >
> > -----------------------------------------------------
> > Configuring NTP daemon (ntpd)
> > [1/4]: stopping ntpd
> > [2/4]: writing configuration
> > [3/4]: configuring ntpd to start on boot
> > [4/4]: starting ntpd
> > Done configuring NTP daemon (ntpd).
> > Configuring directory server (dirsrv). Estimated time: 1 minute
> > [1/43]: creating directory server user
> > [2/43]: creating directory server instance
> > [3/43]: adding default schema
> > [4/43]: enabling memberof plugin
> > [5/43]: enabling winsync plugin
> > [6/43]: configuring replication version plugin
> > [7/43]: enabling IPA enrollment plugin
> > [8/43]: enabling ldapi
> > [9/43]: configuring uniqueness plugin
> > [10/43]: configuring uuid plugin
> > [11/43]: configuring modrdn plugin
> > [12/43]: configuring DNS plugin
> > [13/43]: enabling entryUSN plugin
> > [14/43]: configuring lockout plugin
> > [15/43]: creating indices
> > [16/43]: enabling referential integrity plugin
> > [17/43]: configuring certmap.conf
> > [18/43]: configure autobind for root
> > [19/43]: configure new location for managed entries
> > [20/43]: configure dirsrv ccache
> > [21/43]: enable SASL mapping fallback
> > [22/43]: restarting directory server
> > [23/43]: adding default layout
> > [24/43]: adding delegation layout
> > [25/43]: creating container for managed entries
> > [26/43]: configuring user private groups
> > [27/43]: configuring netgroups from hostgroups
> > [28/43]: creating default Sudo bind user
> > [29/43]: creating default Auto Member layout
> > [30/43]: adding range check plugin
> > [31/43]: creating default HBAC rule allow_all
> > [32/43]: creating default CA ACL rule
> > [33/43]: adding entries for topology management
> > [34/43]: initializing group membership
> > [35/43]: adding master entry
> > [36/43]: initializing domain level
> > [37/43]: configuring Posix uid/gid generation
> > [38/43]: adding replication acis
> > [39/43]: enabling compatibility plugin
> > [40/43]: activating sidgen plugin
> > [41/43]: activating extdom plugin
> > [42/43]: tuning directory server
> > [43/43]: configuring directory to start on boot
> > Done configuring directory server (dirsrv).
> > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
> > [1/25]: creating certificate server user
> > [2/25]: configuring certificate server instance
> > [3/25]: stopping certificate server instance to update CS.cfg
> > [4/25]: backing up CS.cfg
> > [5/25]: disabling nonces
> > [6/25]: set up CRL publishing
> > [7/25]: enable PKIX certificate path discovery and validation
> > [8/25]: starting certificate server instance
> > [9/25]: creating RA agent certificate database
> > [10/25]: importing CA chain to RA certificate database
> > [11/25]: fixing RA database permissions
> > [12/25]: setting up signing cert profile
> > [13/25]: setting audit signing renewal to 2 years
> > [14/25]: restarting certificate server
> > [15/25]: requesting RA certificate from CA
> > [16/25]: issuing RA agent certificate
> > [17/25]: adding RA agent as a trusted user
> > [18/25]: authorizing RA to modify profiles
> > [19/25]: configure certmonger for renewals
> > [20/25]: configure certificate renewals
> > [21/25]: configure RA certificate renewal
> > [22/25]: configure Server-Cert certificate renewal
> > [23/25]: Configure HTTP to proxy connections
> > [24/25]: restarting certificate server
> > [25/25]: Importing IPA certificate profiles
> > Done configuring certificate server (pki-tomcatd).
> > Configuring directory server (dirsrv). Estimated time: 10 seconds
> > [1/3]: configuring ssl for ds instance
> > [error] RuntimeError: Certificate issuance failed
> > ipa.ipapython.install.cli.install_tool(Server): ERROR Certificate issuance failed
> >
> > -----------------------------------------------
> >
> > The last messages in the log file (/var/log/ipaserver-install.log):
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 637, in __enable_ssl
> >     self.nickname, self.fqdn, cadb)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
> >     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 419, in issue_server_cert
> >     raise RuntimeError("Certificate issuance failed")
> >
> > 2016-01-08T09:33:47Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Certificate issuance failed
> > 2016-01-08T09:33:47Z ERROR Certificate issuance failed
> >
> > any ideas about this error?
> >
> > Markus
> >
> >
>
> Sounds similar to https://fedorahosted.org/freeipa/ticket/5376, but I
> can not be sure without seeing installation log
> (/var/log/ipaserver-install.log).
>
> As a workaround, you can try to re-run the installation in verbose mode
> using '-v' option and see if it succeeds. Be prepared for a lot of
> garbage spouted on the output, though.
>
Hi Martin,
I did a setup with Fedora 22 and freeipa-server.armv7hl 4.1.4-4.fc22.
The setup completed successfully. The only change I made was to change the
startup_timeout variable to 900 in
/usr/lib/python2.7/site-packages/ipalib/constants.py, because the hardware
(Banana Pi) isn't fast enough for the certification generation process.
So it must be a bug in freeipa-server.armv7hl 4.2.3-1.1.fc23.
Regards,
Markus