Dear,

With my best effort I am unable to deploy FreeIPA on RockyLinux. I would like 
to know if someone has already tried it?

So below you will find the commands run from a fresh RockyLinux VM (4Gb RAM):

-------------------
# map the FQDN to the public address in /etc/hosts and set the host name to match
sed -i -e '/identity\.infra\.microbiome\.studio/d' -e '1i 51.15.228.43 identity.infra.microbiome.studio' /etc/hosts
hostnamectl set-hostname identity.infra.microbiome.studio
dnf install -y net-tools sslscan firewalld epel-release
dnf update -y
# enable the IdM module stream and install the server with integrated DNS
dnf module enable -y idm:DL1
dnf distro-sync -y
dnf install -y ipa-server ipa-server-dns
# open the FreeIPA services in firewalld
firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent
systemctl enable firewalld && systemctl start firewalld && firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent
firewall-cmd --reload
ipa-server-install --verbose --setup-dns --ntp-pool=pool.ntp.org --ds-password=secret1 --admin-password=secret2 --domain=infra.microbiome.studio --realm=INFRA.MICROBIOME.STUDIO --ip-address=51.15.228.43
-------------------

This should be enough to get FreeIPA, but the ipa-server-install command exits with 
a timeout error after 60 sec with the following message:
-------------------
The ipa-server-install command failed, exception: RuntimeError: CA 
configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for 
more information
-------------------


The corresponding log file does not give a clearer reason than a timeout...

It seems that on a vanilla RockyLinux with SELinux, pki does not work well; see the 
output:

-------------------
systemctl status pki-tomcatd@pki-tomcat.service
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-09-09 15:01:00 UTC; 4min 29s ago
  Process: 72379 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited, status=0/SUCCESS)
  Process: 72346 ExecStartPre=/usr/sbin/pki-server migrate pki-tomcat (code=exited, status=0/SUCCESS)
  Process: 72343 ExecStartPre=/usr/sbin/pki-server upgrade pki-tomcat (code=exited, status=0/SUCCESS)
 Main PID: 72469 (java)
    Tasks: 115 (limit: 23443)
   Memory: 450.0M
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─72469 /usr/lib/jvm/java-1.8.0-openjdk/bin/java -Dcom.redhat.fips=false -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/a>

sept. 09 15:00:58 identity.infra.microbiome.studio java[72364]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
sept. 09 15:01:00 identity.infra.microbiome.studio systemd[1]: Started PKI Tomcat Server pki-tomcat.
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.j>
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: main class used: org.apache.catalina.startup.Bootstrap
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: flags used: -Dcom.redhat.fips=false
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki->
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: arguments used: start
sept. 09 15:01:01 identity.infra.microbiome.studio java[72469]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
sept. 09 15:01:02 identity.infra.microbiome.studio server[72469]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
-------------------

The LDAP (389) and web (8080) ports seem to be in use as expected:
-------------------
# netstat -tunelp
Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Adresse locale          Adresse distante        Etat        Utilisatr  Inode      PID/Program name
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      0          109422     72100/kadmind
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          16896      1/systemd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      0          109418     72100/kadmind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          28217      1433/sshd
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      0          111080     72041/krb5kdc
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      17         112610     72469/java
tcp6       0      0 :::389                  :::*                    LISTEN      0          110760     71946/ns-slapd
tcp6       0      0 ::1:8009                :::*                    LISTEN      17         113337     72469/java
tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN      17         113335     72469/java
tcp6       0      0 :::749                  :::*                    LISTEN      0          109423     72100/kadmind
tcp6       0      0 :::111                  :::*                    LISTEN      0          16898      1/systemd
tcp6       0      0 :::8080                 :::*                    LISTEN      17         113329     72469/java
tcp6       0      0 :::464                  :::*                    LISTEN      0          109419     72100/kadmind
tcp6       0      0 :::22                   :::*                    LISTEN      0          28219      1433/sshd
tcp6       0      0 :::88                   :::*                    LISTEN      0          111081     72041/krb5kdc
tcp6       0      0 :::8443                 :::*                    LISTEN      17         113333     72469/java
udp        0      0 127.0.0.1:323           0.0.0.0:*                           0          105961     71724/chronyd
udp        0      0 0.0.0.0:464             0.0.0.0:*                           0          109414     72100/kadmind
udp        0      0 0.0.0.0:88              0.0.0.0:*                           0          111076     72041/krb5kdc
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          16897      1/systemd
udp6       0      0 ::1:323                 :::*                                0          105962     71724/chronyd
udp6       0      0 :::464                  :::*                                0          109415     72100/kadmind
udp6       0      0 :::88                   :::*                                0          111077     72041/krb5kdc
udp6       0      0 :::111                  :::*                                0          16899      1/systemd
-------------------

389 Directory seems to be ok:
-------------------
dsctl INFRA-MICROBIOME-STUDIO status
Instance "INFRA-MICROBIOME-STUDIO" is running
-------------------

The file /var/lib/pki/pki-tomcat/logs/ca/debug.2021-09-09.log ends with:
-------------------
...
2021-09-09 15:01:09 [main] INFO: AuthzSubsystem: authz manager instance DirAclAuthz added
2021-09-09 15:01:09 [main] INFO: AuthzSubsystem: authz initialization done.
2021-09-09 15:01:09 [main] INFO: CMSEngine: Configuring servlet certificate nickname
2021-09-09 15:01:09 [main] INFO: CMSEngine: Configuring excluded LDAP attributes
2021-09-09 15:01:09 [main] INFO: CA engine started
-------------------

And /var/lib/pki/pki-tomcat/logs/pki/debug.2021-09-09.log is empty

It seems that there isn't any SSL certificate in the output of ls 
/var/lib/pki/pki-tomcat/conf/*:
-------------------
/var/lib/pki/pki-tomcat/conf/catalina.policy      
/var/lib/pki/pki-tomcat/conf/logging.properties   
/var/lib/pki/pki-tomcat/conf/server.xml
/var/lib/pki/pki-tomcat/conf/catalina.properties  
/var/lib/pki/pki-tomcat/conf/password.conf        
/var/lib/pki/pki-tomcat/conf/tomcat.conf
/var/lib/pki/pki-tomcat/conf/context.xml          
/var/lib/pki/pki-tomcat/conf/serverCertNick.conf  
/var/lib/pki/pki-tomcat/conf/web.xml

/var/lib/pki/pki-tomcat/conf/alias:
ca.crt  cert9.db  key4.db  pkcs11.txt

/var/lib/pki/pki-tomcat/conf/ca:
adminCert.profile  archives  caAuditSigningCert.profile  caCert.profile  
caOCSPCert.profile  CS.cfg  CS.cfg.bak  flatfile.txt  proxy.conf  registry.cfg  
serverCert.profile  subsystemCert.profile

/var/lib/pki/pki-tomcat/conf/Catalina:
localhost
-------------------


So what can I do in order to get FreeIPA running on RockyLinux?

Thanks for your help

Have a good day

Jonathan
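As an added example that is not from the original mail or the FreeIPA project, the shell below checks two of the preconditions the steps above depend on, against saved files rather than the live system: that /etc/hosts maps the FQDN to the public address and not to loopback, and which of the expected TCP ports have a listener in a saved `netstat -tunelp` listing. The hosts files and the netstat listing are constructed samples modelled on the mail; the file names and the port list are assumptions.

```shell
# Added example (not from the FreeIPA project or the original mail): checks around
# ipa-server-install that read files, so they run offline on captured output.

# Return 0 when HOSTS_FILE ($1) maps FQDN ($2) to IP ($3) on a non-loopback line.
# The installer needs the FQDN to resolve to the real address, so a leftover
# "127.0.0.1 <fqdn>" entry fails the check even when IP itself is 127.0.0.1.
hosts_entry_ok() {
    awk -v fqdn="$2" -v ip="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == fqdn) {
              if ($1 == ip) ok = 1
              if ($1 == "127.0.0.1" || $1 == "::1") loop = 1 } }
        END { exit !(ok && !loop) }' "$1"
}

# Print the ports among $2.. with no TCP listener in the saved `netstat -tunelp`
# output $1; return 0 when nothing is missing.
missing_tcp_listeners() {
    netstat_file=$1; shift; missing=""
    for port in "$@"; do
        # Local Address is column 4 (0.0.0.0:389, :::8443); State is column 6.
        awk -v port="$port" '
            $1 ~ /^tcp6?$/ && $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
            END { exit !found }' "$netstat_file" || missing="$missing $port"
    done
    [ -z "$missing" ] || { echo "no listener on:$missing"; return 1; }
}

# Constructed samples: a correct hosts file, the loopback mistake, and a trimmed
# listing with only the Kerberos, LDAP and CA (pki-tomcat) ports bound.
write_samples() {
    dir=${TMPDIR:-/tmp}/ipa-check.$$
    mkdir -p "$dir"
    printf '127.0.0.1 localhost\n51.15.228.43 identity.infra.microbiome.studio\n' > "$dir/hosts.good"
    printf '127.0.0.1 localhost identity.infra.microbiome.studio\n' > "$dir/hosts.loop"
    cat > "$dir/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      0          111080     72041/krb5kdc
tcp6       0      0 :::389                  :::*                    LISTEN      0          110760     71946/ns-slapd
tcp6       0      0 :::8080                 :::*                    LISTEN      17         113329     72469/java
tcp6       0      0 :::8443                 :::*                    LISTEN      17         113333     72469/java
udp        0      0 0.0.0.0:88              0.0.0.0:*                           0          111076     72041/krb5kdc
EOF
    echo "$dir"
}

dir=$(write_samples)
hosts_entry_ok "$dir/hosts.loop" identity.infra.microbiome.studio 51.15.228.43 || echo "hosts: loopback mapping"
missing_tcp_listeners "$dir/netstat.txt" 389 636 443 8080 8443 || echo "httpd/LDAPS ports not up yet"
```

On a real server the same functions take `/etc/hosts` with `$(hostname -f)` and a file saved with `netstat -tunelp > listing.txt`.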

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
