On 04/28/2014 11:17 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> So is there a recommended way to clean it up and get it working?
>
> Re-run pkidestroy, then if the subsequent IPA install fails closely examine the logs to determine the reason. The problem in cases like this is that the first install fails and subsequent installs mask the original failure with this PKI re-install failure.
>
> rob

Okay, here's the log from when it starts configuring PKI:

2014-04-28T15:23:45Z DEBUG   [2/22]: configuring certificate server instance
2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file (/tmp/tmpdCm6rt):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki-backup_password = XXXXXXXX
pki_client_database_dir = /tmp/tmp-rVoTR2
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject+dn = cn=CA Subsystem,O=FOO.NET
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
pki_ca_signing_subject_dn = cn-Certificate Authority,O=FOO.NET
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca


2014-04-28T15:23:45Z DEBUG Starting external process
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from /tmp/tmpdCm6rt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg

Installation failed.


2014-04-28T15:24:46Z DEBUG stderr=pkispawn : ERROR ....... server failed to restart

2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit status 1
2014-04-28T15:24:46Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1074, in main
    dm_password, subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/isntall/service.py", line 364, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
    raise RUntimeError('Configuration of CA failed')


2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

And that's the end of the log. Nothing here looks terribly informative to me, and this is what the log looks like every time I look at it.
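
Added example, not part of the original thread and not FreeIPA code: a small triage script for the installer log format quoted above, listing every external command that exited non-zero, oldest first, so the original failure is not hidden behind later re-install errors. The function names `records` and `failed_commands` are hypothetical, and the sample log is constructed from the excerpt in this message.

```python
import re

# A record starts with a UTC timestamp and a level; other lines continue it.
RECORD = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ([A-Z]+) ?(.*)$")

def records(text):
    """Yield (timestamp, level, message), folding continuation lines in."""
    current = None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2), m.group(3).strip()]
        elif current and line.strip():
            current[2] += "\n" + line.strip()
    if current:
        yield tuple(current)

def failed_commands(text):
    """Return external commands that exited non-zero, oldest first."""
    failures, cmd = [], None
    for ts, _level, msg in records(text):
        if msg.startswith("args="):
            cmd = {"args": msg[5:], "rc": None, "stderr": "", "finished": None}
        elif cmd and msg.startswith("Process finished, return code="):
            cmd["rc"], cmd["finished"] = int(msg.rsplit("=", 1)[1]), ts
            if cmd["rc"] != 0:
                failures.append(cmd)
        elif cmd and msg.startswith("stderr="):
            cmd["stderr"] = msg[7:]
    return failures

# Constructed sample: the /bin/true entry is invented for contrast, the
# pkispawn entry is modelled on the excerpt in the message above.
SAMPLE = """\
2014-04-28T15:23:40Z DEBUG args=/bin/true
2014-04-28T15:23:40Z DEBUG Process finished, return code=0
2014-04-28T15:23:40Z DEBUG stderr=
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from /tmp/tmpdCm6rt.
Installation failed.
2014-04-28T15:24:46Z DEBUG stderr=pkispawn : ERROR ....... server failed to restart
"""

if __name__ == "__main__":
    for f in failed_commands(SAMPLE):
        print(f["finished"], "rc=%d" % f["rc"], f["args"], "->", f["stderr"])
```

Run against the full installer log, the first entry returned is the earliest failing command, which is the one to investigate before any later re-install errors.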
