On 28.11.2015 00:14, Rob Crittenden wrote:
Martin Štefany wrote:
Hello,

I remember experiencing this, but I'm not sure of the solution. I think it's
related to apache (httpd) and its group.

My notes for IPA installation on CentOS 7.x say:

# groupadd -g 48 apache
# yum -y install ipa-server bind bind-dyndb-ldap
# usermod -g apache apache
# ipa-server-install...

CentOS is somehow not creating group apache for apache user and then
assuming root which is then causing problems with apache later.
Pre-creating such group before installing httpd and then usermod-ing user
apache might solve it.

Did you get any warnings while running:
# yum install -y ipa-server bind bind-dyndb-ldap ?


If possible, try installation from scratch with my notes on fresh
system. If not:

# systemctl stop apache   # if it runs
# groupadd -g 48 apache   # I use 48 as apache's UID tends to be also 48, or use 'groupadd -r apache' instead
# usermod -g apache apache
# ipa-server-install...

Sounds unlikely to me. If indeed it did happen you'd need to file a bug
against Apache to create its own uid/gid, which I'm pretty certain it
already does.

In any case, dogtag doesn't run in Apache so it would be unlikely to
blow up in the CA installer.

cating the contents of a directory into one log is not at all helpful,
especially given that you missed all the important bits in the
subdirectories beneath it. This is just a mishmash of stuff. We need to
see /var/log/pki/pki-tomcat/ca/debug.

/var/log/ipaserver-install.log might also be useful to see though it
probably just records in a more verbose way the fact that pkispawn failed.

rob

Hello,

I see in log this error message:

2015-11-26 08:41:53 pkidestroy : ERROR ....... subprocess.CalledProcessError: Command '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', '-p', '272326334956', '-d', '/etc/pki/pki-tomcat/alias', '-e', 'name="/var/lib/pki/pki-tomcat"&type=CA&list=caList&host=ipa.home&sport=443&ncsport=8443&adminsport=8443&agentsport=8443&operation=remove', '-v', '-r', '/ca/agent/ca/updateDomainXML', 'ipa.home:443']' returned non-zero exit status 6!

It means that the CA has not been successfully uninstalled, and it can cause issues during installation.
PKI bug:
https://fedorahosted.org/pki/ticket/1704

Christian may have a workaround (CCed)
Martin
