On Mon, Mar 26, 2012 at 15:53, Rob Crittenden <rcrit...@redhat.com> wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> I'm having another replica CA install issue. Fedora 16 with latest
>> updates applied this morning:
>>
>> ipa-ca-install replica-info-fileserver4.example.com.gpg
>>
>> [snip]
>>
>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>> [1/11]: creating certificate server user
>> [2/11]: creating pki-ca instance
>> [3/11]: configuring certificate server instance
>> root : CRITICAL failed to configure ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>> 'fileserver4.example.com' '-cs_port' '9445' '-client_certdb_dir'
>> '/tmp/tmp-w8FRe5' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
>> 'zIK3zLWJhhdzciy3HiE3' '-domain_name' 'IPA' '-admin_user' 'admin'
>> '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX
>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
>> '-agent_key_type' 'rsa' '-agent_cert_subject'
>> 'CN=ipa-ca-agent,O=EXAMPLE.COM' '-ldap_host' 'fileserver4.example.com'
>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
>> Subsystem,O=EXAMPLE.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP
>> Subsystem,O=EXAMPLE.COM' '-ca_server_cert_subject_name'
>> 'CN=fileserver4.example.com,O=EXAMPLE.COM'
>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=EXAMPLE.COM'
>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=EXAMPLE.COM'
>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>> '-clone_p12_password' XXXXXXXX '-sd_hostname'
>> 'fileserver1.example.com' '-sd_admin_port' '443' '-sd_admin_name'
>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true'
>> '-clone_uri' 'https://fileserver1.example.com:443'' returned non-zero
>> exit status 255
>> creation of replica failed: Configuration of CA failed
>>
>> /var/log/ipareplica-ca-install.log contains:
>>
>> <errorString>org.xml.sax.SAXParseException; lineNumber: 1;
>> columnNumber: 50; White spaces are required between publicId and
>> systemId.</errorString>
>>
>> 2012-03-26 14:22:36,714 DEBUG Configuration of CA failed
>> File "/usr/sbin/ipa-ca-install", line 157, in<module>
>> main()
>>
>> File "/usr/sbin/ipa-ca-install", line 142, in main
>> (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 1136, in install_replica_ca
>> subject_base=config.subject_base)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 537, in configure_instance
>> self.start_creation("Configuring certificate server", 210)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 248, in start_creation
>> method()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 680, in __configure_instance
>> raise RuntimeError('Configuration of CA failed')
>>
>> /var/log/pki-ca/debug contains:
>>
>> [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: validating
>> SSL Admin HTTPS . . .
>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started
>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase: pingCS: parser
>> failedorg.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50;
>> White spaces are required between publicId and systemId.
>> [26/Mar/2012:14:22:36][http-9445-2]: SecurityDomainPanel: pingAdminCS
>> no successful response for SSL Admin HTTPS
>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase
>> getCertChainUsingSecureAdminPort start
>> [26/Mar/2012:14:22:36][http-9445-2]:
>> WizardPanelBase::getCertChainUsingSecureAdminPort() -
>> Exception=org.xml.sax.SAXParseException; lineNumber: 1; columnNumber:
>> 50; White spaces are required between publicId and systemId.
>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase:
>> getCertChainUsingSecureAdminPort: java.io.IOException:
>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>> spaces are required between publicId and systemId.
>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: started
>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet:service() uri =
>> /ca/admin/ca/getStatus
>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet: caGetStatus start to
>> service.
>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: got XML
>> parsed
>> [26/Mar/2012:14:22:36][http-9445-2]: WizardPanelBase pingCS: state=0
>> [26/Mar/2012:14:22:36][http-9445-2]: panel no=3
>> [26/Mar/2012:14:22:36][http-9445-2]: panel name=securitydomain
>> [26/Mar/2012:14:22:36][http-9445-2]: total number of panels=19
>> [26/Mar/2012:14:22:36][http-9445-2]: WizardServlet: found xml
>> [26/Mar/2012:14:22:36][http-9445-2]: Error: unknown type
>> org.apache.catalina.connector.ResponseFacade
>> [26/Mar/2012:14:22:36][http-9445-2]: Error: unknown type
>> org.apache.catalina.connector.RequestFacade
>> [26/Mar/2012:14:22:36][http-9445-1]: CMSServlet: curDate=Mon Mar 26
>> 14:22:36 EDT 2012 id=caGetStatus time=13
>>
>> I found a SELinux error:
>>
>> type=AVC msg=audit(1332788252.062:222): avc: denied { name_connect }
>> for pid=3042 comm="java" dest=43323
>> scontext=system_u:system_r:pki_ca_t:s0
>> tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
>>
>> But the install still failed in the same way after I put SELinux into
>> enforcing mode.
>
>
> I assume you mean you set it to permissive mode?

Yes, sorry.

> What about /var/log/ipareplica-ca-install.log, what is at the end of that?

The errors from that are in the second part of the message above.
Right after the console output and before /var/log/pki-ca/debug

Thanks,

Dan