On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote: > I'm trying to install an IPA server using an external CA. > > I ran the ipa-server-install --external-ca command, and got my cert > signed by our on-site CA. > > So then I go back to install using my certs: > > ipa-server-install --external_cert_file=/root/ipa.cer > --external_ca_file=/root/CACert.cer > > > I get this for output: > > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 > seconds > [1/20]: creating certificate server user > [2/20]: configuring certificate server instance > ipa : CRITICAL failed to configure ca instance Command > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname > lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir > /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin > nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email > root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent > -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject > CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host > lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory > Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca > -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 > true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal > -ca_subsystem_cert_subject_name CN=CA > Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name > CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name > CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU > -ca_server_cert_subject_name > CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU > -ca_audit_signing_cert_subject_name CN=CA > Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name > CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true > -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file > /root/CACert.cer -clone false' returned non-zero exit status 255 > Configuration of CA failed > > > [root@lnxrealmtest01 <mailto:root@lnxrealmtest01> ~]# tail > /var/log/ipaserver-install.log > File > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", > line 617, in configure_instanceConfiguring certificate server > (pki-cad): Estimated time 3 minutes 30 seconds > [1/20]: creating certificate server user > [2/20]: configuring certificate server instance > ipa : CRITICAL failed to configure ca instance Command > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname > lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir > /tmp/tmp-cQZB3x -client_certdb_pwd XXXXXXXX -preop_pin > nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email > root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent > -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject > CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host > lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory > Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca > -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 > true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal > -ca_subsystem_cert_subject_name CN=CA > Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name > CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name > CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU > -ca_server_cert_subject_name > CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU > -ca_audit_signing_cert_subject_name CN=CA > Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name > CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true > -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file > /root/CACert.cer -clone false' returned non-zero exit status 255 > Configuration of CA failed > [root@lnxrealmtest01 <mailto:root@lnxrealmtest01> ~]# tail > /var/log/ipaserver-install.log > File > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", > line 617, in configure_instance > self.start_creation(runtime=210) > > File > "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line > 358, in start_creation > method() > > File > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", > line 879, in __configure_instance > raise RuntimeError('Configuration of CA failed') > > 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, > exception: RuntimeError: Configuration of CA failed > self.start_creation(runtime=210) > > File > "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line > 358, in start_creation > method() > > File > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", > line 879, in __configure_instance > raise RuntimeError('Configuration of CA failed') > > > > 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, > exception: RuntimeError: Configuration of CA failed > > Any thoughts on what I can do to troubleshoot this? > > Thanks. > > -Kenny > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users
Several questions: 1) package and os version/distro? 2) what is in httpd logs? 3) what is in pki logs? The names and locations of the logs partially depend on the answer to the first question. -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users