Łukasz Jaworski wrote:
> Hi,
>
> I have a problem with setting up new replicas.
> I tried to set up two replicas; both failed with the same error.
>
> environment:
> Fedora 21
>
> packages:
> freeipa-server-4.1.3-2.fc21.x86_64
> 389-ds-base-1.3.3.8-1.fc21.x86_64
> 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
> pki-server-10.2.0-5.fc21.noarch
>
> same on server and replicas
>
>
> Output from ipa-replica-install:
> (…)
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/22]: creating certificate server user
>   [2/22]: configuring certificate server instance
>   [3/22]: stopping certificate server instance to update CS.cfg
>   [4/22]: backing up CS.cfg
>   [5/22]: disabling nonces
>   [6/22]: set up CRL publishing
>   [7/22]: enable PKIX certificate path discovery and validation
>   [8/22]: starting certificate server instance
>   [error] RuntimeError: CA did not start in 300.0s
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> From /var/log/ipareplica.log
> 2015-10-07T06:25:58Z DEBUG The CA status is: check interrupted
> 2015-10-07T06:25:58Z DEBUG Waiting for CA to start...
> 2015-10-07T06:25:59Z DEBUG Starting external process
> 2015-10-07T06:25:59Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://182.example.com:8443/ca/admin/ca/getStatus'
> 2015-10-07T06:25:59Z DEBUG Process finished, return code=8
> 2015-10-07T06:25:59Z DEBUG stdout=
> 2015-10-07T06:25:59Z DEBUG stderr=--2015-10-07 08:25:59-- https://182.example.com:8443/ca/admin/ca/getStatus
> Resolving 182.example.com (182.example.com)... xx.xx.xx.xx
> Connecting to 182.example.com (182.example.com)|xx.xx.xx.xx|:8443... connected.
> WARNING: cannot verify 182.example.com's certificate, issued by ‘CN=Certificate Authority,O=ecample.com’:
>   Self-signed certificate encountered.
> HTTP request sent, awaiting response...
>   HTTP/1.1 500 Internal Server Error
>   Server: Apache-Coyote/1.1
>   Content-Type: text/html;charset=utf-8
>   Content-Language: en
>   Content-Length: 2923
>   Date: Wed, 07 Oct 2015 06:25:59 GMT
>   Connection: close
> 2015-10-07 08:25:59 ERROR 500: Internal Server Error.
>
> Any idea?
>
You'll need to check the dogtag logs for errors. Start with
/var/log/pki/pki-tomcat/ca/debug

rob
