Markus Roth wrote: > Am Freitag, den 08.01.2016, 13:25 +0100 schrieb Martin Babinsky: >> On 01/08/2016 01:06 PM, Markus Roth wrote: >>> Hi all, >>> >>> I tried to install freeipa server (freeipa-server.armv7hl >>> 4.2.3-1.1.fc23), but the installation failed. >>> >>> ----------------------------------------------------- >>> Configuring NTP daemon (ntpd) >>> [1/4]: stopping ntpd >>> [2/4]: writing configuration >>> [3/4]: configuring ntpd to start on boot >>> [4/4]: starting ntpd >>> Done configuring NTP daemon (ntpd). >>> Configuring directory server (dirsrv). Estimated time: 1 minute >>> [1/43]: creating directory server user >>> [2/43]: creating directory server instance >>> [3/43]: adding default schema >>> [4/43]: enabling memberof plugin >>> [5/43]: enabling winsync plugin >>> [6/43]: configuring replication version plugin >>> [7/43]: enabling IPA enrollment plugin >>> [8/43]: enabling ldapi >>> [9/43]: configuring uniqueness plugin >>> [10/43]: configuring uuid plugin >>> [11/43]: configuring modrdn plugin >>> [12/43]: configuring DNS plugin >>> [13/43]: enabling entryUSN plugin >>> [14/43]: configuring lockout plugin >>> [15/43]: creating indices >>> [16/43]: enabling referential integrity plugin >>> [17/43]: configuring certmap.conf >>> [18/43]: configure autobind for root >>> [19/43]: configure new location for managed entries >>> [20/43]: configure dirsrv ccache >>> [21/43]: enable SASL mapping fallback >>> [22/43]: restarting directory server >>> [23/43]: adding default layout >>> [24/43]: adding delegation layout >>> [25/43]: creating container for managed entries >>> [26/43]: configuring user private groups >>> [27/43]: configuring netgroups from hostgroups >>> [28/43]: creating default Sudo bind user >>> [29/43]: creating default Auto Member layout >>> [30/43]: adding range check plugin >>> [31/43]: creating default HBAC rule allow_all >>> [32/43]: creating default CA ACL rule >>> [33/43]: adding entries for topology management >>> [34/43]: initializing group membership >>> [35/43]: adding master entry >>> [36/43]: initializing domain level >>> [37/43]: configuring Posix uid/gid generation >>> [38/43]: adding replication acis >>> [39/43]: enabling compatibility plugin >>> [40/43]: activating sidgen plugin >>> [41/43]: activating extdom plugin >>> [42/43]: tuning directory server >>> [43/43]: configuring directory to start on boot >>> Done configuring directory server (dirsrv). >>> Configuring certificate server (pki-tomcatd). Estimated time: 3 >>> minutes >>> 30 seconds >>> [1/25]: creating certificate server user >>> [2/25]: configuring certificate server instance >>> [3/25]: stopping certificate server instance to update CS.cfg >>> [4/25]: backing up CS.cfg >>> [5/25]: disabling nonces >>> [6/25]: set up CRL publishing >>> [7/25]: enable PKIX certificate path discovery and validation >>> [8/25]: starting certificate server instance >>> [9/25]: creating RA agent certificate database >>> [10/25]: importing CA chain to RA certificate database >>> [11/25]: fixing RA database permissions >>> [12/25]: setting up signing cert profile >>> [13/25]: setting audit signing renewal to 2 years >>> [14/25]: restarting certificate server >>> [15/25]: requesting RA certificate from CA >>> [16/25]: issuing RA agent certificate >>> [17/25]: adding RA agent as a trusted user >>> [18/25]: authorizing RA to modify profiles >>> [19/25]: configure certmonger for renewals >>> [20/25]: configure certificate renewals >>> [21/25]: configure RA certificate renewal >>> [22/25]: configure Server-Cert certificate renewal >>> [23/25]: Configure HTTP to proxy connections >>> [24/25]: restarting certificate server >>> [25/25]: Importing IPA certificate profiles >>> Done configuring certificate server (pki-tomcatd). >>> Configuring directory server (dirsrv). Estimated time: 10 seconds >>> [1/3]: configuring ssl for ds instance >>> [error] RuntimeError: Certificate issuance failed >>> ipa.ipapython.install.cli.install_tool(Server): >>> ERROR Certificate >>> issuance failed >>> >>> ----------------------------------------------- >>> >>> The last messages in the log file (/var/log/ipaserver-install.log): >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", >>> line >>> 637, in __enable_ssl >>> self.nickname, self.fqdn, cadb) >>> File "/usr/lib/python2.7/site- >>> packages/ipaserver/install/certs.py", >>> line 337, in create_server_cert >>> cdb.issue_server_cert(self.certreq_fname, self.certder_fname) >>> File "/usr/lib/python2.7/site- >>> packages/ipaserver/install/certs.py", >>> line 419, in issue_server_cert >>> raise RuntimeError("Certificate issuance failed") >>> >>> 2016-01-08T09:33:47Z DEBUG The ipa-server-install command failed, >>> exception: RuntimeError: Certificate issuance failed >>> 2016-01-08T09:33:47Z ERROR Certificate issuance failed >>> >>> any ideas about this error? >>> >>> Markus >>> >>> >> >> Sounds similar to https://fedorahosted.org/freeipa/ticket/5376, but I >> >> can not be sure without seeing installation log >> (/var/log/ipaserver-install.log). >> >> As a workaround, you can try to re-run the installation in verbose >> mode >> using '-v' option and see if it succeeds. Be prepared for a lot of >> garbage spouted on the output, though. >> > Hi Martin, > > did an setup with fedora 22 and freeipa-server.armv7hl 4.1.4-4.fc22 > > The setup completed successfully. The only change I did was, change the > startup_timeout variable to 900 in /usr/lib/python2.7/site- > packages/ipalib/constants.py, because the hardware (banana pi) isn't > fast enough for the certification generation process. > > So it must be an bug in freeipa-server.armv7hl 4.2.3-1.1.fc23.
/var/log/ipaserver-install.log from the failed install would be helpful. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project