So here are the steps I took to reproduce this (which I've done a few times now to make sure I didn't botch something up):
- fresh install of F15
- fully updated from the main repos
- install freeipa-server using the updates-testing repo
- set SELinux to permissive (due to previous conversations about selinux stopping the ldap server from restarting)
- ran ipa-server-install

It dies at this stage:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI -client_certdb_pwd 'XXXXXXXX' -preop_pin JBpIwvNsi8efrsbebjVK -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=DOMAIN.COM" -ldap_host ipa.domain.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=DOMAIN.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=DOMAIN.COM" -ca_server_cert_subject_name "CN=ipa.domain.com,O=DOMAIN.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=DOMAIN.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=DOMAIN.COM" -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed

Attached is the last bit of the install log.

--
Matthew Davis

RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Thu, 15 Sep 2011 19:55:08 GMT
RESPONSE HEADER: Connection: close
ERROR: unable to parse xml
ERROR XML = ame>Key Pairs</Name></Panel><Panel><Id>subjectname</Id><Name>Subject Names</Name></Panel><Panel><Id>certrequest</Id><Name>Requests and Certificates</Name></Panel><Panel><Id>backupkeys</Id><Name>Export Keys and Certificates</Name></Panel><Panel><Id>savepk12</Id><Name>Save Keys and Certificates</Name></Panel><Panel><Id>importcachain</Id><Name>Import CA's Certificate Chain</Name></Panel><Panel><Id>admin</Id><Name>Administrator</Name></Panel><Panel><Id>importadmincert</Id><Name>Import Administrator's Certificate</Name></Panel><Panel><Id>done</Id><Name>Done</Name></Panel></Vector></panels><p>17</p><name>CA Setup Wizard</name><import>true</import><pkcs7>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</pkcs7><req></req><panelname>importadmincert</panelname> </response>
ERROR: Tag=updateStatushas no values
Error in AdminCertReqPanel(): updateStatus value is null
ERROR: ConfigureCA: AdminCertReqPanel() failure
ERROR: unable to create CA
#######################################################################
2011-09-15 15:55:09,542 DEBUG stderr=[Fatal Error] :20:136: The entity name must immediately follow the '&' in the entity reference.
org.xml.sax.SAXParseException; lineNumber: 20; columnNumber: 136; The entity name must immediately follow the '&' in the entity reference.
    at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
    at ParseXML.parse(ParseXML.java:43)
    at ConfigureCA.getStatus(ConfigureCA.java:205)
    at ConfigureCA.checkStatus(ConfigureCA.java:221)
    at ConfigureCA.checkStatus(ConfigureCA.java:216)
    at ConfigureCA.AdminCertReqPanel(ConfigureCA.java:1029)
    at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1309)
    at ConfigureCA.main(ConfigureCA.java:1672)
2011-09-15 15:55:09,542 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI -client_certdb_pwd 'XXXXXXXX' -preop_pin JBpIwvNsi8efrsbebjVK -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=DOMAIN.COM" -ldap_host ipa.domain.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=DOMAIN.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=DOMAIN.COM" -ca_server_cert_subject_name "CN=ipa.domain.com,O=DOMAIN.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=DOMAIN.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=DOMAIN.COM" -external false -clone false' returned non-zero exit status 255
2011-09-15 15:55:09,559 DEBUG Configuration of CA failed
  File "/usr/sbin/ipa-server-install", line 1081, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-server-install", line 883, in main
    subject_base=options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 544, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 276, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 684, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users