bahan w wrote:
Hello everyone.

@Rob, I checked indeed in the logs /var/log/pki-ca and there was a
problem, so I performed the pki-remove command :
pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

After this, I was able to reproduce my initial error with the permission
denied.
The permission denied was occurring because the /var logical volume had a
noexec option in the /etc/fstab.

Modifying this to exec solved my problem.
By the way, I'm not sure it is normal to execute scripts in /var. If I
remember well, it was not designed for this, am I wrong?

Thank you everyone for your answers, it helped a lot.

Can you be more specific on what script was being executed? It sounds a bit odd but it may be instance-specific scripts.

rob
Best regards.

Bahan

On Mon, Jun 1, 2015 at 4:58 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

    bahan w wrote:

        Hello everyone.

        I modified the /etc/selinux/config file :
        #########################################################
        # This file controls the state of SELinux on the system.
        # SELINUX=disabled
        #       enforcing - SELinux security policy is enforced.
        #       permissive - SELinux prints warnings instead of enforcing.
        #       disabled - SELinux is fully disabled.
        SELINUX=permissive
        # SELINUXTYPE= type of policy in use. Possible values are:
        #       targeted - Only targeted network daemons are protected.
        #       strict - Full SELinux protection.
        SELINUXTYPE=targeted
        #########################################################

        Then I rebooted.
        #########################################################
        reboot
        #########################################################

        Here is the result of getenforce :
        #########################################################
        Permissive
        #########################################################

        I removed the ipa-server that I had and I tried the 3.0.0-42 :
        #########################################################
        yum install ipa-server-3.0.0-42.el6.x86_64
        Loaded plugins: security
        Setting up Install Process
        Resolving Dependencies
        --> Running transaction check
        ---> Package ipa-server.x86_64 0:3.0.0-42.el6 will be installed
        --> Processing Dependency: ipa-client = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
        --> Processing Dependency: ipa-admintools = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
        --> Processing Dependency: ipa-python = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
        --> Processing Dependency: ipa-server-selinux = 3.0.0-42.el6 for package: ipa-server-3.0.0-42.el6.x86_64
        --> Running transaction check
        ---> Package ipa-admintools.x86_64 0:3.0.0-42.el6 will be installed
        ---> Package ipa-client.x86_64 0:3.0.0-42.el6 will be installed
        ---> Package ipa-python.x86_64 0:3.0.0-42.el6 will be installed
        ---> Package ipa-server-selinux.x86_64 0:3.0.0-42.el6 will be installed
        --> Finished Dependency Resolution

        Dependencies Resolved

        ================================================================================
         Package               Arch      Version         Repository     Size
        ================================================================================
        Installing:
         ipa-server            x86_64    3.0.0-42.el6    standard      1.1 M
        Installing for dependencies:
         ipa-admintools        x86_64    3.0.0-42.el6    standard       67 k
         ipa-client            x86_64    3.0.0-42.el6    standard      145 k
         ipa-python            x86_64    3.0.0-42.el6    standard      928 k
         ipa-server-selinux    x86_64    3.0.0-42.el6    standard       66 k

        Transaction Summary
        ================================================================================
        Install       5 Package(s)

        Total download size: 2.3 M
        Installed size: 9.2 M
        Is this ok [y/N]: y
        Downloading Packages:
        (1/5): ipa-admintools-3.0.0-42.el6.x86_64.rpm          |  67 kB     00:00
        (2/5): ipa-client-3.0.0-42.el6.x86_64.rpm              | 145 kB     00:00
        (3/5): ipa-python-3.0.0-42.el6.x86_64.rpm              | 928 kB     00:00
        (4/5): ipa-server-3.0.0-42.el6.x86_64.rpm              | 1.1 MB     00:00
        (5/5): ipa-server-selinux-3.0.0-42.el6.x86_64.rpm      |  66 kB     00:00
        --------------------------------------------------------------------------------
        Total                                       6.8 MB/s | 2.3 MB     00:00
        Running rpm_check_debug
        Running Transaction Test
        Transaction Test Succeeded
        Running Transaction
          Installing : ipa-python-3.0.0-42.el6.x86_64              1/5
          Installing : ipa-client-3.0.0-42.el6.x86_64              2/5
          Installing : ipa-admintools-3.0.0-42.el6.x86_64          3/5
          Installing : ipa-server-3.0.0-42.el6.x86_64              4/5
          Installing : ipa-server-selinux-3.0.0-42.el6.x86_64      5/5
        libsepol.print_missing_requirements: ipa_dogtag's global requirements were not met: type/attribute pki_ca_t (No such file or directory).
        libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
        semodule:  Failed!
          Verifying  : ipa-server-3.0.0-42.el6.x86_64              1/5
          Verifying  : ipa-server-selinux-3.0.0-42.el6.x86_64      2/5
          Verifying  : ipa-python-3.0.0-42.el6.x86_64              3/5
          Verifying  : ipa-client-3.0.0-42.el6.x86_64              4/5
          Verifying  : ipa-admintools-3.0.0-42.el6.x86_64          5/5

        Installed:
          ipa-server.x86_64 0:3.0.0-42.el6

        Dependency Installed:
          ipa-admintools.x86_64 0:3.0.0-42.el6
          ipa-client.x86_64 0:3.0.0-42.el6
          ipa-python.x86_64 0:3.0.0-42.el6
          ipa-server-selinux.x86_64 0:3.0.0-42.el6

        Complete!
        #########################################################

        The errors linked with dogtag are still there.
        Now, when I tried to run the ipa-server-install command, here is
        what I have :
        #########################################################
        Continue to configure the system with these values? [no]: yes

        The following operations may take some minutes to complete.
        Please wait until the prompt is returned.

        Configuring NTP daemon (ntpd)
            [1/4]: stopping ntpd
            [2/4]: writing configuration
            [3/4]: configuring ntpd to start on boot
            [4/4]: starting ntpd
        Done configuring NTP daemon (ntpd).
        Configuring directory server for the CA (pkids): Estimated time 30 seconds
            [1/3]: creating directory server user
            [2/3]: creating directory server instance
            [3/3]: restarting directory server
        Done configuring directory server for the CA (pkids).
        Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
            [1/20]: creating certificate server user
            [2/20]: configuring certificate server instance
        ipa         : CRITICAL failed to configure ca instance Command
        '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST
        -cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw
        -client_certdb_pwd XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ
        -domain_name IPA -admin_user admin -admin_email root@localhost
        -admin_password XXXXXXXX -agent_name ipa-ca-agent
        -agent_key_size 2048 -agent_key_type rsa
        -agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST
        -ldap_port 7389 -bind_dn cn=Directory Manager
        -bind_password XXXXXXXX
        -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
        -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
        -subsystem_name pki-cad -token_name internal
        -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
        -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
        -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM
        -ca_server_cert_subject_name CN=MYHOST,O=MYREALM
        -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM
        -ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM
        -external false -clone false' returned non-zero exit status 255
        Configuration of CA failed
        #########################################################

        And here is what I found in the ipaserver-install.log :
        #########################################################
        2015-06-01T07:38:43Z DEBUG stderr=Exception: Unable to Send
        Request:java.net.ConnectException: Connection refused
        java.net.ConnectException: Connection refused
                  at java.net.PlainSocketImpl.socketConnect(Native Method)
                  at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
                  at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
                  at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
                  at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:385)
                  at java.net.Socket.connect(Socket.java:546)
                  at java.net.Socket.connect(Socket.java:495)
                  at java.net.Socket.<init>(Socket.java:392)
                  at java.net.Socket.<init>(Socket.java:235)
                  at HTTPClient.sslConnect(HTTPClient.java:326)
                  at ConfigureCA.LoginPanel(ConfigureCA.java:244)
                  at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
                  at ConfigureCA.main(ConfigureCA.java:1672)
        java.lang.NullPointerException
                  at ConfigureCA.LoginPanel(ConfigureCA.java:245)
                  at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
                  at ConfigureCA.main(ConfigureCA.java:1672)

        2015-06-01T07:38:43Z CRITICAL failed to configure ca instance Command
        '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname MYHOST
        -cs_port 9445 -client_certdb_dir /tmp/tmp-nbZ4fw
        -client_certdb_pwd XXXXXXXX -preop_pin WJUMtgRhyvooPs1kHhyQ
        -domain_name IPA -admin_user admin -admin_email root@localhost
        -admin_password XXXXXXXX -agent_name ipa-ca-agent
        -agent_key_size 2048 -agent_key_type rsa
        -agent_cert_subject CN=ipa-ca-agent,O=MYREALM -ldap_host MYHOST
        -ldap_port 7389 -bind_dn cn=Directory Manager
        -bind_password XXXXXXXX
        -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
        -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
        -subsystem_name pki-cad -token_name internal
        -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
        -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYREALM
        -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYREALM
        -ca_server_cert_subject_name CN=MYHOST,O=MYREALM
        -ca_audit_signing_cert_subject_name CN=CA Audit,O=MYREALM
        -ca_sign_cert_subject_name CN=Certificate Authority,O=MYREALM
        -external false -clone false' returned non-zero exit status 255
        2015-06-01T07:38:43Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
              return_value = main_function()

            File "/usr/sbin/ipa-server-install", line 942, in main
              subject_base=options.subject)

            File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
              self.start_creation(runtime=210)

            File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
              method()

            File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
              raise RuntimeError('Configuration of CA failed')

        2015-06-01T07:38:43Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
        #########################################################

        I'm not really sure permissive mode with SELinux is helping in fact.


    I'd poke around in the CA logs in /var/log/pki-ca. It may be that
    the CA isn't really starting up, or the web app isn't starting.
    There are a lot of red herrings in the logs, and things can cascade,
    so I'd start at the top and work my way down.

    rob



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
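
The root cause reported in this thread was a `noexec` mount option on the filesystem holding `/var`. The following is an added example, not part of the original messages: a pre-install check that finds which mount a path lives on and whether it carries `noexec`. The function names and the sample mount table are assumptions made for illustration; on a real host the functions read `/proc/mounts` by default.

```shell
#!/bin/sh
# Added example. The mount table below is constructed, in /proc/mounts format;
# it is not taken from the host discussed in the thread.
sample_mounts() {
cat <<'EOF'
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/vg0-var /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# mount_for PATH [MOUNTS_FILE]: print "mountpoint options" for the filesystem
# holding PATH, i.e. the longest mount point that is a directory prefix of it.
mount_for() {
    awk -v p="$1" '
        {
            mp = $2
            # "/var" must match /var and /var/lib/..., but not /variable.
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END { if (best != "") print best, opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE]: succeed if PATH lives on a noexec mount.
is_noexec() {
    opts=$(mount_for "$1" "${2:-/proc/mounts}" | awk '{print $2}')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed table, using the instance root from the thread.
tmp=$(mktemp)
sample_mounts > "$tmp"
for p in /var/lib/pki-ca /usr/bin/perl; do
    if is_noexec "$p" "$tmp"; then
        echo "$p: noexec ($(mount_for "$p" "$tmp"))"
    else
        echo "$p: exec allowed"
    fi
done
rm -f "$tmp"
```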
