On 13.05.2018 13:04, Adam Reece wrote: > Package: freeipa-server > Version: 4.6.3-1 > Severity: important > > > > -- System Information: > Debian Release: 9.4 > APT prefers stable > APT policy: (700, 'stable'), (650, 'unstable'), (500, 'stable-updates') > Architecture: amd64 (x86_64) > > Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores) > Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), > LANGUAGE=en_GB:en (charmap=UTF-8) > Shell: /bin/sh linked to /bin/dash > Init: systemd (via /run/systemd/system) > > Versions of packages freeipa-server depends on: > ii 389-ds-base 1.3.7.10-1+b1 > ii acl 2.2.52-3+b1 > ii apache2 2.4.25-3+deb9u4 > ii certmonger 0.79.5-2 > ii custodia 0.5.0-3 > ii fonts-font-awesome 4.7.0~dfsg-3 > ii fonts-open-sans 1.11-1 > ii freeipa-admintools 4.6.3-1 > ii freeipa-client 4.6.3-1 > ii freeipa-common 4.6.3-1 > ii gssproxy 0.8.0-1 > ii krb5-admin-server 1.16-2 > ii krb5-kdc 1.16-2 > ii krb5-kdc-ldap 1.16-2 > ii krb5-otp 1.16-2 > ii krb5-pkinit 1.16-2 > ii ldap-utils 2.4.46+dfsg-5 > ii libapache2-mod-auth-gssapi 1.6.0-1 > ii libapache2-mod-lookup-identity 1.0.0-1 > ii libapache2-mod-nss 1.0.14-1+b1 > ii libapache2-mod-wsgi 4.5.17-1+b1 > ii libc6 2.27-3 > ii libcomerr2 1.44.1-2 > ii libjs-dojo-core 1.11.0+dfsg-1 > ii libjs-jquery 3.2.1-1 > ii libk5crypto3 1.16-2 > ii libkrad0 1.16-2 > ii libkrb5-3 1.16-2 > ii libldap-2.4-2 2.4.46+dfsg-5 > ii libnspr4 2:4.19-1 > ii libnss3 2:3.36.1-1 > ii libnss3-tools 2:3.36.1-1 > ii libsasl2-modules-gssapi-mit 2.1.27~101-g0780600+dfsg-3.1 > ii libssl1.1 1.1.0f-3+deb9u2 > ii libsss-nss-idmap0 1.16.1-1+b1 > ii libtalloc2 2.1.10-2 > ii libtevent0 0.9.34-1 > ii libunistring2 0.9.8-1 > ii libuuid1 2.29.2-1+deb9u1 > ii libverto1 0.2.4-2.1 > ii ntp 1:4.2.8p11+dfsg-1 > ii oddjob 0.34.3-4 > ii p11-kit 0.23.10-2 > ii pki-ca 10.5.5-1 > ii pki-kra 10.5.5-1 > ii python 2.7.13-2 > ii python-dateutil 2.6.1-1 > ii python-gssapi 1.4.1-1 > ii python-ipaserver 4.6.3-1 > ii python-ldap 3.0.0-1 > ii python-systemd 234-2 > ii samba-libs 2:4.7.4+dfsg-2 > ii slapi-nis 0.56.1-1 > ii softhsm2 2.4.0-0.1 > ii systemd-sysv 238-4 > > Versions of packages freeipa-server recommends: > ii freeipa-server-dns 4.6.3-1 > > freeipa-server suggests no packages. > > -- Configuration Files: > /etc/default/ipa-dnskeysyncd changed: > SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf > > > -- no debconf information > The server installation process will fail when a certificate is requested > from the CA with error CA_UNREACHABLE. > > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes > [1/28]: configuring certificate server instance > [2/28]: exporting Dogtag certificate store pin > [3/28]: stopping certificate server instance to update CS.cfg > [4/28]: backing up CS.cfg > [5/28]: disabling nonces > [6/28]: set up CRL publishing > [7/28]: enable PKIX certificate path discovery and validation > [8/28]: starting certificate server instance > [9/28]: configure certmonger for renewals > [10/28]: requesting RA certificate from CA > [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE) > ipapython.admintool: ERROR Certificate issuance failed > (CA_UNREACHABLE) > ipapython.admintool: ERROR The ipa-server-install command failed. > See /var/log/ipaserver-install.log for more information
You'd need nss-pem (ITP: #888820), server setup won't work without it. -- t