On 09/08/2014 07:29 PM, Olga Kornievskaia wrote:
Thank you very much for your quick reply.

It is a brand new fedora 20 vm.

OK good.
Can you send or share the ipa server installation log?

Are you using a cert from AD and trying to chain to an AD CA?



There is nothing that's running on port 443.

catalina.out is empty
system file is attached and reports that certificate is not in pkcs11 format.
pki-ca-spaw.XX.log does not appear to report errors  (also attached)

Please let me know if I can enable any other debugging into that might be useful in figuring this out.

Thank you.


On Mon, Sep 8, 2014 at 5:50 PM, Dmitri Pal <d...@redhat.com <mailto:d...@redhat.com>> wrote:

    On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:
    Can somebody help with the following problem(s) I’ve encountered
    while trying to install the freeipa server?

    Problem #1:
    On fedora 20, I have:
    1. using yum install acquired the free-ipa-server package.
    2. ran ipa-server-install
    — that has failed with “CA did not start in 300s”

    One thing that’s noticeable in the logs (the snippet is included
    below) is that request for request
    'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
    <https://ipa1.gateway.2wire.net/ca/admin/ca/getStatus%27>

    has 443 as port as for before all the requests for 8443 (e.g..,
    same (manual) request on port 8443 succeeds). Seems like an
    install script somewhere has the wrong port ?

    443 is the right port.
    Do you have something already running on the same box on that port?
    That might prevent things from installing and running.

    Please try on a clean machine or VM.
    Also more logs will be helpful.
    Please see this [1] on how to troubleshoot.

    The second problem is most likely an artifact of the incomplete
    install.

    [1] http://www.freeipa.org/page/Troubleshooting


    2014-09-08T19:21:07Z DEBUG Waiting for CA to start...

    2014-09-08T19:21:08Z DEBUG request
    'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'

    2014-09-08T19:21:08Z DEBUG request body ''

    2014-09-08T19:21:08Z DEBUG request status 503

    2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service
    Unavailable'

    2014-09-08T19:21:08Z DEBUG request headers {'date': 'Mon, 08 Sep
    2014 19:21:08 GMT', 'content-length': '299', 'content-type':
    'text/html; charset=iso-8859-1', 'connection': 'close', 'server':
    'Apache/2.4.10 (Fedora) mod_auth_kerb/5.4 mod_nss/2.4.6
    NSS/3.15.3 Basic ECC mod_wsgi/3.5
    Python/2.7.5'}2014-09-08T19:21:08Z DEBUG request body '<!DOCTYPE
    HTML PUBLIC "-//IETF//DTD HTML
    2.0//EN">\n<html><head>\n<title>503 Service
    Unavailable</title>\n</head><body>\n<h1>Service
    Unavailable</h1>\n<p>The server is temporarily unable to service
    your\nrequest due to maintenance downtime or capacity\nproblems.
    Please try again later.</p>\n</body></html>\n'

    2014-09-08T19:21:08Z DEBUG The CA status is: Service Unavailable


    Problem #2:
    The next problem I’m encountering and doesn’t seem to be related
    to the CA setup is on the next step of “kinit admin”. It fails
    with “generic pre authentication failure while getting initial
    credentials"

    stracing kinit show that it tried to open file
    “/var/lib/sss/pubconf/kdcinfo.GATEWAY.2WIRE.NET
    <http://kdcinfo.gateway.2wire.net/>”) and fails with “no such
    file” error.  “pubconf” dir only has empty “krb5.include.d”.

    I don’t know if this failure is due to the fact that the setup
    didn’t run all the way and some configuration is missing or this
    is a separate issue .

    Are these bugs that need to be filled with bugzilla or am I doing
    something incorrectly?

    Any help would be appreciated.

    Thank you.




-- Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.


    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to