On 05/14/2015 01:02 PM, Martin Kosek wrote:
On 05/14/2015 11:58 AM, Remigio Moncayo Serrano wrote:
Hello,

I've been put in charge of implementing a solution that uses LDAP and kerberos 
authentication. At first thought I should use openLDAP and Kerberos but found 
freeIPA and looks really cool, however, when trying to install I keep getting 
this error about configuration of CA:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
   [1/3]: creating directory server user
   [2/3]: creating directory server instance
   [3/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the 
installation log for details.
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
   [1/20]: creating certificate server user
   [2/20]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl 
/usr/bin/pkisilent ConfigureCA -cs_hostname ipatest.ingenia.local -cs_port 9445 
-client_certdb_dir /tmp/tmp-ARezzO -client_certdb_pwd XXXXXXXX -preop_pin 
f0dLhx9bLX5qWHYx50h6 -domain_name IPA -admin_user admin -admin_email 
root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent 
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
CN=ipa-ca-agent,O=INGENIA.LOCAL -ldap_host ipatest.ingenia.local -ldap_port 
7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca 
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA 
-save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name 
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=INGENIA.LOCAL 
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INGENIA.LOCAL 
-ca_server_cert_subject_name CN=ipatest.ingenia.local,O=INGENIA.!
L!
  OCAL -ca_a
udit_signing_cert_subject_name CN=CA Audit,O=INGENIA.LOCAL 
-ca_sign_cert_subject_name CN=Certificate Authority,O=INGENIA.LOCAL -external 
false -clone false' returned non-zero exit status 255
Configuration of CA failed

I'm including two install logs, one with dns-setup and the other without it. 
Don't really know what I'm doing wrong, thought maybe I should allow 
connections to certain ports in ip tables or something but have no clue really 
and I'm quite new to this, help please..

Regards,

Remigio

Hello,

What platform are you using (Fedora? CentOS? RHEL?) and what version of FreeIPA
are you using?

We still have not received answer for that part, though it is obvious the platform will be something RHEL-6.x derived.


Also, I following error in the log
java.net.ConnectException: Connection refused
So it seems some port is occupied. Is your port 8443 occupied? Maybe by running
httpd daemon before the installation?

Martin


Looking at the dirsrv log that Remigio sent me privately, it does not look that 8443 is to blame.

It is, however, really strange that ipaserver-install.log reports that DS restart fails with following error, even though DS says it is listening on that port:

2015-05-14T09:28:49Z CRITICAL Failed to restart the directory server. See the installation log for details.

Could it be maybe a SELinux based problem? You can check for AVCs with

# ausearch -m avc -ts today

Final suggestion: this does not solve the root cause, but I would really suggest doing the installation on RHEL/CentOS 7.1 as it contains FreeIPA 4.1 which is much better than the old FreeIPA 3.0 present in RHEL-6.x. This is our general recommendation for new deployments anyway.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to