On 4/1/2015 4:29 PM, Markus Roth wrote:
Am Mittwoch, 1. April 2015, 16:04:54 schrieben Sie:
On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
On 03/31/2015 01:54 PM, Markus Roth wrote:
Hi all,

I want setup freeipa 4.1.3 on a fresh installed fedora 21.

The ipa-server-install shows the following output:

Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3
minutes 30

     [1/27]: creating certificate server user
     [2/27]: configuring certificate server instance
     [3/27]: stopping certificate server instance to update CS.cfg
     [4/27]: backing up CS.cfg
     [5/27]: disabling nonces
     [6/27]: set up CRL publishing
     [7/27]: enable PKIX certificate path discovery and validation
     [8/27]: starting certificate server instance
     [error] RuntimeError: CA did not start in 300.0s

CA did not start in 300.0s

The ipa server install log shows this:

2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
2015-03-31T17:39:35Z DEBUG Waiting for CA to start...


I uninstalled the ipa server completely several times and installed
it again.
But it always stops at the same step with the setup.

Can anybody help?

Based on the IPA install log alone it looks like the DS is already
started, and the Dogtag is already started too in step [3/27]. It's the
restart on step [8/27] that is failing.

We will need to see the Dogtag debug log in order to know if Dogtag is
indeed failing to restart or the installer for some reason cannot
connect to Dogtag.

Hi Markus,

Based on the logs that you sent me, the Dogtag took a really long time
to start:

    INFORMATION: Server startup in 739700 ms

More than half of that time was spent starting the CA subsystem alone:

    INFORMATION: Deployment of configuration descriptor /etc/pki
    /pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms

The whole (failed) IPA installation took about 38 minutes. Is this correct?

It's possible the system was running out of entropy. You might want to
install haveged or rngd. See:

However, the system seems to be running very slowly in general. How
powerful is this machine?

Hi Endi

the system is a banana pi system. Seems that this ARM CPU based system isn't
suitable for FreeIPA....

The installation might still succeed if IPA doesn't have the 300s time limit. If you want to try, you probably can specify a larger startup_timeout in ~/.ipa/default.conf, or change the code in ipaplatform/redhat/services.py to wait indefinitely, and see what happens. I don't know if it will be usable though.

Endi S. Dewata

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to