Bret Wortman wrote:

On 04/28/2014 11:17 AM, Rob Crittenden wrote:
Bret Wortman wrote:
So is there a recommended way to clean it up and get it working?

Re-run pkidestroy, then if the subsequent IPA install fails closely
examine the logs to determine the reason. The problem in cases like
this is that the first install fails and subsequent installs mask the
original failure with this PKI re-install failure.

rob

Okay, here's the log from when it starts configuring PKI:

2014-04-28T15:23:45Z DEBUG   [2/22]: configuring certificate server
instance
2014-04-28T15:23:45Z DEBUG Contents of pkispawn configuration file
(/tmp/tmpdCm6rt):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki-backup_password = XXXXXXXX
pki_client_database_dir = /tmp/tmp-rVoTR2
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=FOO.NET
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject+dn = cn=CA Subsystem,O=FOO.NET
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=FOO.NET
pki_ssl_server_subject_dn = cn=zsipa.foo.net,O=FOO.NET
pki_audit_signing_subject_dn = cn=CA Audit,O=FOO.NET
pki_ca_signing_subject_dn = cn-Certificate Authority,O=FOO.NET
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca


2014-04-28T15:23:45Z DEBUG Starting external process
2014-04-28T15:23:45Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt
2014-04-28T15:23:45Z DEBUG Process finished, return code=1
2014-04-28T15:23:45Z DEBUG stdout=Loading deployment configuration from
/tmp/tmpdCm6rt.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg

Installation failed.


2014-04-28T15:24:46Z DEBUG stderr=pkispawn     : ERROR   ....... server
failed to restart

2014-04-28T15:24:46Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpdCm6rt' returned non-zero exit
status 1
2014-04-28T15:24:46Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 622, in run_script
     return_value = main_function()

   File "/usr/sbin/ipa-server-install", line 1074, in main
     dm_password, subject_base=options.subject)

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
478, in configure_instance
     self.start_creation(runtime=210)

   File "/usr/lib/python2.7/site-packages/ipaserver/isntall/service.py",
line 364, in start_creation
     method()

   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
604, in __spawn_instance
     raise RUntimeError('Configuration of CA failed')


2014-04-28T15:24:46Z DEBUG The ipa-server-install command failed,
exception: RuntimeError: Configuration of CA failed

And that's the end of the log. Nothing here looks terribly informative
to me, and this is what the log looks like every time I look at it.


The error is different whether there is an existing PKI instance or not.

The next set of logs to look at are in /var/log/pki. It says there is a startup failure so I'd start with /var/log/pki/pki-tomcat/catalina.out . Also interesting may be the pki-ca-spawn and debug logs found within that directory structure.

I'd also look for SELinux errors with ausearch -m AVC -ts recent

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to