shabahang elmian wrote:
Hello,
I would be thankful if someone can help me to resolve the problem.

We need to see /var/log/ipaserver-install.log and potentially /var/log/pki-ca/debug to determine what the problem is.

It would appear that the CA process didn't start.

Details on your versions of ipa-server and pki-ca would be helpful too.

rob


Shabahang

------------------------------------------------------------------------
*From:* shabahang elmian <eshabah...@yahoo.com>
*To:* Rob Crittenden <rcrit...@redhat.com>
*Cc:* "freeipa-users@redhat.com" <freeipa-users@redhat.com>
*Sent:* Sunday, April 29, 2012 12:21 PM
*Subject:* Re: [Freeipa-users] Error in Installation - unable to create CA

[2012-04-23 17:07:32] [debug]
set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser,
pkiuser)
[2012-04-23 17:07:32] [debug]
set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug]
set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug]
set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] Processing PKI security modules for
'/var/lib/pki-ca' ...
[2012-04-23 17:07:32] [debug] Attempting to add hardware security
modules to system if applicable ...
[2012-04-23 17:07:32] [debug] module name: lunasa lib:
/usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
[2012-04-23 17:07:32] [debug] module name: nfast lib:
/opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2012-04-23 17:07:32] [debug] configuring SELinux ...
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9180. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9701. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9443. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9444. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9446. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9445. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9447. Port already defined otherwise.
[2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to
run semanage.
[2012-04-23 17:07:34] [debug] Running restorecon commands
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/usr/share/java/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/usr/share/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/var/lib/pki-ca)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/var/run/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/var/log/pki-ca)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/etc/pki-ca)
[2012-04-23 17:07:34] [debug] Installation manifest:
/var/lib/pki-ca/install_info
[2012-04-23 17:07:34] [debug] The following was performed:
Installed Files:
/etc/pki-ca/CS.cfg
...
.
.
/var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
Removed Items:
/etc/pki-ca/noise
/etc/pki-ca/pfile

[2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart
pki-cad@pki-ca.service)
[2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart
pki-cad@pki-ca.service"), exit status=1 output="Job failed. See system
logs and 'systemctl status' for details."
[2012-04-23 17:07:34] [log] Configuration Wizard listening on
https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
[2012-04-23 17:07:34] [log] After configuration, the server can be
operated by the command:
/bin/systemctl restart pki-cad@pki-ca.service
[root@ipa ~]#

[root@ipa system]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and
configuration!

Are you sure you want to continue with the uninstall procedure? [no]: y
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA directory server
[root@ipa system]#
[root@ipa system]#
[root@ipa system]# > /var/log/audit/audit.log
[root@ipa system]#
[root@ipa system]#
[root@ipa system]# ipa-server-install --setup-dns

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.mtnirancell.ir]:

Warning: skipping DNS resolution of host ipa.mtnirancell.ir
The domain name has been calculated based on the host name.

Please confirm the domain name [mtnirancell.ir]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [MTNIRANCELL.IR]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder:
No DNS forwarders configured
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [58.131.10.in-addr.arpa.]:
Using reverse zone 58.131.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname: ipa.mtnirancell.ir
IP address: 10.131.58.43
Domain name: mtnirancell.ir
Realm name: MTNIRANCELL.IR

BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Reverse zone: 58.131.10.in-addr.arpa.

Continue to configure the system with these values? [no]: y

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 minutes 30
seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 33 minutes 30 seconds
[1/16]: creating certificate server user
[2/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa.mtnirancell.ir'
'-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-gEoCj_'
'-client_certdb_pwd' XXXXXXXX '-preop_pin' 'OiqLyU0CQxx8MRRZpuGs'
'-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
'root@localhost' '-admin_XXXXXXXX' XXXXXXXX '-agent_name' 'ipa-ca-agent'
'-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject'
'CN=ipa-ca-agent,O=MTNIRANCELL.IR' '-ldap_host' 'ipa.mtnirancell.ir'
'-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_XXXXXXXX'
XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
'-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
'-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
Subsystem,O=MTNIRANCELL.IR' '-ca_ocsp_cert_subject_name' 'CN=OCSP
Subsystem,O=MTNIRANCELL.IR' '-ca_server_cert_subject_name'
'CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=MTNIRANCELL.IR'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=MTNIRANCELL.IR'
'-external' 'false' '-clone' 'false'' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed
[root@ipa system]# cat /var/log/audit/audit.log
type=SERVICE_START msg=audit(1335685711.759:154): pid=0 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
comm="ntpd" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
res=success'
type=SERVICE_START msg=audit(1335685716.195:156): pid=0 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
res=success'
type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
res=success'
type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='
comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=?
res=success'
[root@ipa system]#

shabahang


------------------------------------------------------------------------
*From:* Rob Crittenden <rcrit...@redhat.com>
*To:* shabahang elmian <eshabah...@yahoo.com>
*Cc:* "freeipa-users@redhat.com" <freeipa-users@redhat.com>
*Sent:* Monday, April 23, 2012 8:16 PM
*Subject:* Re: [Freeipa-users] Error in Installation - unable to create CA

shabahang elmian wrote:
 > Hello,
 > There is a problem on configuring FreeIPA.
 > would you please help.
 >
 > please find following :
 >
 > 2012-04-23 12:38:53,812 DEBUG duration: 5 seconds
 > 2012-04-23 12:38:53,812 DEBUG [3/17]: configuring certificate server
 > instance
 > 2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent
 > ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445
 > -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX
 > -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin
 > -admin_email root@localhost -admin_password XXXXXXXX -agent_name
 > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
 > -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host
 > ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager
 > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
 > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
 > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
 > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
 > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
 > -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
 > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
 > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
 > -external false -clone false
 > 2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64
 > #######################################################################
 > CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR
 > tokenpwd:XXXXXXXX
 > #############################################
 > Attempting to connect to: ipa.mtnirancell.ir:9445
 > Exception in LoginPanel(): java.lang.NullPointerException
 > ERROR: ConfigureCA: LoginPanel() failure
 > ERROR: unable to create CA
 > #######################################################################
 > 2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send
 > Request:java.net.ConnectException: Connection refused
 > java.net.ConnectException: Connection refused
 > at java.net.PlainSocketImpl.socketConnect(Native Method)
 > at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
 > at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
 > at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
 > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
 > at java.net.Socket.connect(Socket.java:546)
 > at java.net.Socket.connect(Socket.java:495)
 > at java.net.Socket.<init>(Socket.java:392)
 > at java.net.Socket.<init>(Socket.java:235)
 > at HTTPClient.sslConnect(HTTPClient.java:326)
 > at ConfigureCA.LoginPanel(ConfigureCA.java:244)
 > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
 > at ConfigureCA.main(ConfigureCA.java:1672)
 > java.lang.NullPointerException
 > at ConfigureCA.LoginPanel(ConfigureCA.java:245)
 > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
 > at ConfigureCA.main(ConfigureCA.java:1672)
 >
 > 2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance
 > Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
 > ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR
 > -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA
 > -domain_name IPA -admin_user admin -admin_email root@localhost
 > -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size
 > 2048 -agent_key_type rsa -agent_cert_subject
 > CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir
 > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
 > XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type
 > rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
 > -subsystem_name pki-cad -token_name internal
 > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
 > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
 > -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
 > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
 > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
 > -external false -clone false' returned non-zero exit status 255
 > 2012-04-23 12:38:56,266 DEBUG Configuration of CA failed
 > File "/usr/sbin/ipa-server-install", line 1173, in <module>
 > rval = main()
 >
 > File "/usr/sbin/ipa-server-install", line 974, in main
 > subject_base=options.subject)
 >
 > File
 > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
 > line 537, in configure_instance
 > self.start_creation("Configuring certificate server", 210)
 >
 > File
 > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
 > line 248, in start_creation
 > method()
 >
 > File
 > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
 > line 677, in __configure_instance
 > raise RuntimeError('Configuration of CA failed')
 >
 > please note :
 >
 > [root@ipa ~]# uname -a
 > Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21
 > 12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
 > [root@ipa ~]# cat /etc/redhat-release
 > Fedora release 16 (Verne)
 > [root@ipa ~]#

It would appear that the CA silent installer (pki-silent) couldn't talk
to the CA. There are more logs in /var/log/pki-ca that may hold more
information on why.

You might also want to look for any new AVCs in /var/log/audit/audit.log.

regards

rob



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users
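The three checks Rob points at in the thread (what the pki-ca install log says, whether anything answered on the CA admin port when pkisilent connected, and whether new AVCs turned up in /var/log/audit/audit.log) can be correlated with a small triage script. The block below is an added example written for this page; it is not code from FreeIPA, Dogtag or anyone on this thread. It parses the record formats that appear above (the `[timestamp] [level]` install log, the pkisilent stderr, and `type=... msg=audit(ts:serial):` audit records). The sample inputs are constructed to mirror the thread's lines; the AVC record is a constructed illustration of what a port-binding denial would look like, since the audit log that was posted contains no denial at all. The helper names `parse_audit_record` and `triage` are my own.

```python
"""Triage helper for a FreeIPA install that dies at 'configuring certificate
server instance'. Added example, not FreeIPA or Dogtag code."""
import re
from typing import Dict, List, Optional

# --- constructed samples modelled on the thread -----------------------------
PKI_INSTALL_LOG = """\
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9180. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9445. Port already defined otherwise.
[2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to run semanage.
[2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart pki-cad@pki-ca.service"), exit status=1 output="Job failed."
"""
PKISILENT_STDERR = """\
Exception: Unable to Send Request:java.net.ConnectException: Connection refused
    at ConfigureCA.LoginPanel(ConfigureCA.java:244)
"""
# The SERVICE_* records mirror the thread; the AVC record is a hypothetical
# denial constructed to show what the parser would report if one existed.
AUDIT_LOG = """\
type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='comm="dirsrv@PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1335685716.300:159): avc:  denied  { name_bind } for  pid=2345 comm="java" src=9445 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

AUDIT_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')   # key=value, value may be quoted
AVC_PERM_RE = re.compile(r'denied\s+\{\s*([^}]+?)\s*\}')
PORT_CONFLICT_RE = re.compile(
    r'Failed setting selinux context (?P<label>\w+) for (?P<port>\d+)\. '
    r'Port already defined otherwise')
SYSTEMCTL_FAIL_RE = re.compile(
    r'FAILED run_command\("(?P<cmd>[^"]+)"\), exit status=(?P<status>\d+)')


def parse_audit_record(line: str) -> Optional[Dict[str, str]]:
    """One audit.log line -> flat dict. SERVICE_* records nest comm=/res=
    inside msg='...', so that inner string is unpacked as well."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m['type'], 'ts': m['ts'], 'serial': m['serial']}
    for key, val in KV_RE.findall(m['body']):
        rec[key] = val.strip('"\'')
    if 'msg' in rec:
        for key, val in KV_RE.findall(rec['msg']):
            rec[key] = val.strip('"')
    if rec['type'] == 'AVC':
        perm = AVC_PERM_RE.search(m['body'])
        rec['denied'] = perm.group(1) if perm else ''
    return rec


def triage(install_log: str, pkisilent_stderr: str, audit_log: str) -> Dict[str, object]:
    """Correlate the three sources into concrete things to check next."""
    conflicts = [(int(m['port']), m['label']) for m in PORT_CONFLICT_RE.finditer(install_log)]
    failed = SYSTEMCTL_FAIL_RE.search(install_log)
    refused = 'Connection refused' in pkisilent_stderr
    records = [r for r in map(parse_audit_record, audit_log.splitlines()) if r]
    avcs = [r for r in records if r['type'] == 'AVC']
    events = [(r['type'], r.get('comm', '?'), r.get('res', '?'))
              for r in records if r['type'].startswith('SERVICE_')]

    hints: List[str] = []
    if refused and failed:
        hints.append(f'pkisilent got "Connection refused" because `{failed["cmd"]}` exited '
                     f'{failed["status"]}: the CA never listened. Read /var/log/pki-ca/ and '
                     f'`journalctl -u pki-cad@pki-ca.service` before re-running the installer.')
    elif refused:
        hints.append('pkisilent got "Connection refused" with no failed restart logged: '
                     'check what, if anything, is listening on the CA admin port.')
    for port, label in conflicts:
        hints.append(f'TCP port {port} already carries an SELinux type other than {label}; '
                     f'`semanage port -l` shows which type owns it. The installer skipped '
                     f'semanage, so the label must be fixed by hand.')
    for r in avcs:
        hints.append(f'AVC denial: {r.get("comm")} (pid {r.get("pid")}) denied {r["denied"]} '
                     f'on {r.get("tclass")} {r.get("src", "")} labelled {r.get("tcontext")}; '
                     f'`ausearch -m avc -ts recent | audit2allow` shows the missing rule.')
    if not avcs:
        hints.append('No AVC records in this audit excerpt: SELinux is not yet the proven '
                     'cause, so start from the service failure.')
    return {'port_conflicts': conflicts, 'failed_command': failed['cmd'] if failed else None,
            'connection_refused': refused, 'avc_denials': avcs,
            'service_events': events, 'hints': hints}


if __name__ == '__main__':
    for hint in triage(PKI_INSTALL_LOG, PKISILENT_STDERR, AUDIT_LOG)['hints']:
        print('-', hint)
```

On a real host, pass the contents of the pki-ca install log, the pkisilent stderr captured in /var/log/ipaserver-install.log, and /var/log/audit/audit.log to `triage()`. Truncating audit.log before the retry, as shabahang did with `> /var/log/audit/audit.log`, is what makes "no AVC records" meaningful; without that, search by time with `ausearch -ts`.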