On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
> I'm trying to install an IPA server using an external CA.
>
> I ran the ipa-server-install --external-ca command, and got my cert
> signed by our on-site CA.
>
> So then I go back to install using my certs:
>
> ipa-server-install --external_cert_file=/root/ipa.cer
> --external_ca_file=/root/CACert.cer
>
>
> I get this for output:
>
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30
> seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir
> /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin
> nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email
> root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
> -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
> CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host
> lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory
> Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12
> true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA
> Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name
> CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name
> CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU
> -ca_server_cert_subject_name
> CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU
> -ca_audit_signing_cert_subject_name CN=CA
> Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name
> CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true
> -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file
> /root/CACert.cer -clone false' returned non-zero exit status 255
> Configuration of CA failed
>
>
> [root@lnxrealmtest01 ~]# tail /var/log/ipaserver-install.log
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line 617, in configure_instance
>     self.start_creation(runtime=210)
>
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line
> 358, in start_creation
>     method()
>
>   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
> line 879, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed,
> exception: RuntimeError: Configuration of CA failed
>
> Any thoughts on what I can do to troubleshoot this?
>
> Thanks.
>
> -Kenny
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Several questions:
1) package and os version/distro?
2) what is in httpd logs?
3) what is in pki logs?

The names and locations of the logs partially depend on the answer to
the first question.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

