On 25/05/16 14:19, Rob Crittenden wrote:
lejeczek wrote:
hi there,

I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca

installer fails at:

  [10/23]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
    chain = self.__get_ca_chain()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
    raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused

2016-05-25T12:38:31Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

what might be the problem?

It is failing getting the CA chain from dogtag. It uses port 8080 by default. I'd check your firewall and that the remote CA is up.

thanks Rob,
I opened 8080/tcp (it was closed) but still a failure I get, different error though:

  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

I noticed - /var/log/pki-ca-install.log does NOT exist
and log file:

Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : ERROR    ....... server failed to restart

2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:


can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 - why does installer complain about it being used and I have to change the port for installer to start?

I'm surprised the port checker didn't discover this if it is a firewall issue and that would be a bug (either the port not being checked or not using the proxy).

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
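
The check suggested in the thread (is the CA's port reachable, and is the failure a firewall or a stopped service) can be scripted from the replica. This is an added example, not part of the original thread or of FreeIPA; the function name probe_tcp and the default target host are assumptions, and 8080 is the port named in the thread.

```python
import errno
import socket

# Port named in the thread as the Dogtag default; the host is supplied by the caller.
DOGTAG_HTTP_PORT = 8080


def probe_tcp(host, port=DOGTAG_HTTP_PORT, timeout=3.0):
    """Attempt one TCP connect and classify the outcome.

    Returns (status, hint); status is one of
    'open', 'refused', 'timeout', 'unreachable', 'dns', 'error'.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", "name resolution failed: %s" % exc

    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except socket.timeout:
        # Silence usually means packets are dropped on the way.
        return "timeout", "no answer: probably a firewall DROP rule"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            # Errno 111 on Linux, the error shown in the installer log.
            return "refused", ("actively rejected: nothing listening on the "
                               "port, or a firewall REJECT rule")
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable", "no route, or a firewall rejecting with ICMP"
        return "error", str(exc)
    else:
        return "open", "TCP handshake completed"
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    # Default target is a placeholder; pass the master's hostname as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("%s:%d -> %s (%s)" % ((target, DOGTAG_HTTP_PORT) + probe_tcp(target)))
```

A "refused" result with the firewall port open points at the CA service itself not listening, which is then a matter for the pki-tomcat logs rather than the firewall.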