Natxo Asenjo wrote:
On Mon, Dec 3, 2012 at 4:50 PM, Rob Crittenden wrote:
Natxo Asenjo wrote:


I have a 6.3 CentOS server that has been upgraded since 6.1. According
to the ipaserver-install.log, I installed it on Feb 3, 2012, so it has
been upgraded at least once.

Now that I have more hardware to run a few more VMs, I can test
replicas. But apparently I am running into this problem:

I have exactly the same error:

2012-10-17T22:07:50Z DEBUG stderr=
2012-10-17T22:07:50Z CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname -cs_port 9445 -client_certdb_dir /tmp/tmp-Q8ad1f
-client_certdb_pwd XXXXXXXX -preop_pin w53uYQUJBSyYNddpO5Xk
-domain_name IPA -admin_user admin -admin_email root@localhost
-admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
-agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.COM
-ldap_host -ldap_port 7389 -bind_dn cn=Directory
Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
-key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12
true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.COM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.COM
-ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.COM
-external false -clone true -clone_p12_file ca.p12 -clone_p12_password
XXXXXXXX -sd_hostname -sd_admin_port 443
-sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
-clone_uri' returned non-zero exit
status 255

My realm is different, but the rest is the same.

Apparently there is a newer ou ou=csusers somewhere (this is what I
understand from the bugzilla), but I am not sure where it must be
created. Is it in the ipa slapd or in the pki slapd? When I log in
as 'Directory Manager' in both slapd dirsrv I do not find an ou=config
anywhere in the directory tree.

Any clues?

It is likely not the same bug. The output from the installer on failures is
rather generic (and granted, awful).

You'll need to look at the full /var/log/ipaserver-install.log for clues.
Sometimes we need to examine /var/log/pki-ca/debug as well.

A bit late, but here is the output of /var/log/ipareplica-install.log
and /var/log/pki-ca/debug; I did not find a
/var/log/ipaserver-install.log on the replica server.

The dogtag installer is failing with the error "The pkcs12 file is not correct." I'll need to defer to a dogtag engineer to explain what this means, and how to fix it.


