On Tue, 30 Sep 2014, Rob Crittenden wrote:
Jan Pazdziora wrote:
On Tue, Sep 30, 2014 at 06:19:37AM -0700, Janelle wrote:
Hi,

I'm new to IPA - and was trying out the newest version of 4.0.3 with Fedora
Server 21 testing -- it continues to die during the install at:

Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
seconds
  [1/26]: creating certificate server user
  [2/26]: configuring certificate server instance
  [3/26]: stopping certificate server instance to update CS.cfg
  [4/26]: backing up CS.cfg
  [5/26]: disabling nonces
  [6/26]: set up CRL publishing
  [7/26]: starting certificate server instance <--- consistently dies at
step 7

and checking install log show:

2014-09-29T21:14:30Z DEBUG wait_for_open_ports: localhost [8080, 8443]
timeout 300

[...]

Would anyone have any ideas on finding out what is going on here? I see the
timeout of 5 minutes - but why waiting on ports that are not part of IPA?

But it *is* part of IPA, hence we wait for it to come up and fail if it
doesn't. The installer would just blow up later without dogtag running.
Dogtag messes up with SELinux labels when copying CS.cfg to back it up,
then SELinux AVC prevents it to do so, then a failure to copy causes
Dogtag to complain but the code in /usr/share/pki/scripts/operations is
syntactically incorrect and shell breaks its execution. This all results
in dogtag not being able to start.

I've filed a bug for the syntax error for pki-server and SELinux policy
fix is on its way to updates-testing. With that fix
(https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-84.fc21)
you can get over the issue and never trigger the syntax error in the
shell script.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to