I am trying to install freeipa 2.1.3-9 with external CA and it failed.

Any help is appreciated and thanks in advance!

[ ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt

The log file for this installation can be found in
Directory Manager password:

This program will set up the IPA Server.

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)

Excluded by options:
* Configure the Network Time Daemon (ntpd)

To accept the default shown in brackets, press the Enter key.

The IPA Master Server will be configured with
IP address: x.x.x.x
Domain name:

Configuring certificate server: Estimated time 3 minutes 30 seconds
[1/16]: creating certificate server user
[2/16]: configuring certificate server instance
[3/16]: disabling nonces
[4/16]: creating CA agent PKCS#12 file in /root
[5/16]: creating RA agent certificate database
[6/16]: importing CA chain to RA certificate database
[7/16]: fixing RA database permissions
[8/16]: setting up signing cert profile
[9/16]: set up CRL publishing
[10/16]: set certificate subject base
[11/16]: configuring certificate server to start on boot
[12/16]: restarting certificate server
[13/16]: requesting RA certificate from CA
[14/16]: issuing RA agent certificate
Unexpected error - see ipaserver-install.log for details:
Command '/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6' returned non-zero exit status 4

[ ~]# /usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 -v
GET /ca/agent/ca/profileReview?requestId=6 HTTP/1.0

port: 9443
Issuer : CN=Certificate Authority,
Called mygetclientauthdata - nickname = ipa-ca-agent
mygetclientauthdata - cert = 9716d0
mygetclientauthdata - privkey = 9b6f10
exit after PR_Write bigBuf with error -12271:

This error means: SSL client cannot verify your certificate

Does /tmp/tmp-aZzm2V exist after the failure? I'd have thought it would be cleaned up. If so, it holds the temporary NSS cert db we use during the installation and may tell us why there are trust problems.

A place to start is to list the certs in there:
# certutil -L -d /tmp/tmp-aZzm2V

I see in the log below our adding trust to a couple of certs. I assume that the entire CA chain is included in /root/ca.crt?


/var/log/ipaserver-install.log information

2012-05-21 16:54:58,852 DEBUG duration: 1 seconds
2012-05-21 16:54:58,852 DEBUG [14/16]: issuing RA agent certificate
2012-05-21 16:54:58,866 DEBUG args=/usr/bin/certutil -d /tmp/tmp-aZzm2V -f XXXXXXXX -M -t CT,C,C -n System Engineering - Currenex, Inc.
2012-05-21 16:54:58,867 DEBUG stdout=
2012-05-21 16:54:58,867 DEBUG stderr=
2012-05-21 16:54:58,873 DEBUG args=/usr/bin/certutil -d /tmp/tmp-aZzm2V -f XXXXXXXX -M -t CT,C,C -n Certificate Authority - Currenex, Inc.
2012-05-21 16:54:58,874 DEBUG stdout=
2012-05-21 16:54:58,874 DEBUG stderr=
2012-05-21 16:54:58,909 DEBUG args=/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6
2012-05-21 16:54:58,909 DEBUG stdout=
2012-05-21 16:54:58,909 DEBUG stderr=
2012-05-21 16:54:59,067 DEBUG Command '/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6' returned non-zero exit status 4
File "/usr/sbin/ipa-server-install", line 1151, in <module>

File "/usr/sbin/ipa-server-install", line 975, in main

File "/usr/lib/python2.6/site-packages/ipaserver/install/",
line 537, in configure_instance
self.start_creation("Configuring certificate server", 210)

File "/usr/lib/python2.6/site-packages/ipaserver/install/",
line 248, in start_creation

File "/usr/lib/python2.6/site-packages/ipaserver/install/",
line 755, in __issue_ra_cert
(stdout, stderr, returncode) =,

File "/usr/lib/python2.6/site-packages/ipapython/", line 273,
in run
raise CalledProcessError(p.returncode, args)



Freeipa-users mailing list
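The reply above asks whether /root/ca.crt contains the entire external CA chain, and suggests `certutil -L` on the temporary NSS database to see what trust the installer ended up with. The script below is an added example (not from this thread and not FreeIPA code) that checks the input files themselves with openssl before ipa-server-install is run: it lists subject and issuer of every certificate in the bundle, checks that the bundle contains a self-signed trust anchor, and verifies that the externally signed IPA CA certificate chains to that anchor using only the bundle. File names such as /root/ca.crt and /root/ipa.crt are the ones from the original post; make_test_chain builds a constructed root, intermediate and subordinate CA purely so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the freeipa-users thread or the FreeIPA project.
# Pre-flight checks for the bundle passed to ipa-server-install
# --external_ca_file: is every issuer present, does the chain end at a
# self-signed root, and does the externally signed IPA CA cert verify
# against it?  Needs only openssl on PATH.  All file names are placeholders;
# make_test_chain produces constructed test data.
set -u

# Number of PEM certificates in a bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a PEM bundle into $2/c1.pem, $2/c2.pem, ... in file order.
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (dir "/c" n ".pem")}' "$1"
}

# Print subject and issuer of each cert, so a missing link is visible by eye.
show_bundle() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    for c in "$dir"/c*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer -nameopt RFC2253
    done
    rm -rf "$dir"
}

# Return 0 if at least one cert in the bundle is a self-signed trust anchor
# (it verifies against a store containing only itself), 1 otherwise.
bundle_has_root() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    found=1
    for c in "$dir"/c*.pem; do
        if openssl verify -CAfile "$c" "$c" >/dev/null 2>&1; then
            found=0
        fi
    done
    rm -rf "$dir"
    return $found
}

# Return 0 if the IPA CA cert ($2) chains to a self-signed root using only
# the bundle ($1).  openssl stops with "unable to get issuer certificate"
# when an intermediate or the root is missing from the bundle.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test data: root -> intermediate -> IPA subordinate CA, plus a
# complete bundle (full.pem) and a deliberately incomplete one (inter-only.pem).
make_test_chain() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=Example Issuing CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/req.cnf" -extensions v3_ca \
        -out "$d/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=Certificate Authority" \
        -keyout "$d/ipa-ca.key" -out "$d/ipa-ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/ipa-ca.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -extfile "$d/req.cnf" -extensions v3_ca \
        -out "$d/ipa-ca.pem" 2>/dev/null
    cat "$d/inter.pem" "$d/root.pem" > "$d/full.pem"
    cp "$d/inter.pem" "$d/inter-only.pem"
}

# Usage on the files from the original post (run before ipa-server-install):
#   show_bundle /root/ca.crt
#   bundle_has_root /root/ca.crt && chain_verifies /root/ca.crt /root/ipa.crt
```

A bundle that carries only the issuing intermediate fails chain_verifies and bundle_has_root even though the intermediate is the direct issuer, which is exactly the situation the reply is probing for: the installer trusts whatever is in --external_ca_file, and if the self-signed root is absent no client certificate issued under the IPA CA can be validated. Note that `openssl verify` may also consult the system trust store, so a check that passes here but fails inside the installer's private NSS database still points at the bundle contents rather than at the system store.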