On 05/14/2015 01:02 PM, Martin Kosek wrote:
On 05/14/2015 11:58 AM, Remigio Moncayo Serrano wrote:
Hello,
I've been put in charge of implementing a solution that uses LDAP and kerberos
authentication. At first thought I should use openLDAP and Kerberos but found
freeIPA and looks really cool, however, when trying to install I keep getting
this error about configuration of CA:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the
installation log for details.
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
[1/20]: creating certificate server user
[2/20]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA -cs_hostname ipatest.ingenia.local -cs_port 9445
-client_certdb_dir /tmp/tmp-ARezzO -client_certdb_pwd XXXXXXXX -preop_pin
f0dLhx9bLX5qWHYx50h6 -domain_name IPA -admin_user admin -admin_email
root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host ipatest.ingenia.local -ldap_port
7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INGENIA.LOCAL
-ca_server_cert_subject_name CN=ipatest.ingenia.local,O=INGENIA.!
L!
OCAL -ca_a
udit_signing_cert_subject_name CN=CA Audit,O=INGENIA.LOCAL
-ca_sign_cert_subject_name CN=Certificate Authority,O=INGENIA.LOCAL -external
false -clone false' returned non-zero exit status 255
Configuration of CA failed
I'm including two install logs, one with dns-setup and the other without it.
Don't really know what I'm doing wrong, thought maybe I should allow
connections to certain ports in ip tables or something but have no clue really
and I'm quite new to this, help please..
Regards,
Remigio
Hello,
What platform are you using (Fedora? CentOS? RHEL?) and what version of FreeIPA
are you using?
We still have not received answer for that part, though it is obvious the
platform will be something RHEL-6.x derived.
Also, I following error in the log
java.net.ConnectException: Connection refused
So it seems some port is occupied. Is your port 8443 occupied? Maybe by running
httpd daemon before the installation?
Martin
Looking at the dirsrv log that Remigio sent me privately, it does not look that
8443 is to blame.
It is, however, really strange that ipaserver-install.log reports that DS
restart fails with following error, even though DS says it is listening on that
port:
2015-05-14T09:28:49Z CRITICAL Failed to restart the directory server. See the
installation log for details.
Could it be maybe a SELinux based problem? You can check for AVCs with
# ausearch -m avc -ts today
Final suggestion: this does not solve the root cause, but I would really
suggest doing the installation on RHEL/CentOS 7.1 as it contains FreeIPA 4.1
which is much better than the old FreeIPA 3.0 present in RHEL-6.x. This is our
general recommendation for new deployments anyway.
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
