On 25/05/16 16:46, Rob Crittenden wrote:
but will it all not brake precisely because I have to change
port? I then take a glance and see https:/// only and
installer it not take that port into account, so how will
whole IPA work if nss listens on non-standard port?
On 25/05/16 14:19, Rob Crittenden wrote:
I'm trying to set up a replica with: --setup-dns
installer fails at:
[10/23]: importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
more from log:
2016-05-25T12:38:31Z DEBUG [10/23]: importing CA
chain to RA
2016-05-25T12:38:31Z DEBUG Traceback (most recent call
line 418, in start_creation
line 408, in run_step
1015, in __import_ca_chain
chain = self.__get_ca_chain()
997, in __get_ca_chain
raise RuntimeError("Unable to retrieve CA chain:
%s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111]
2016-05-25T12:38:31Z DEBUG [error] RuntimeError:
Unable to retrieve CA
chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG File
line 171, in
what might be the problem?
It is failing getting the CA chain from dogtag. It uses
port 8080 by
default. I'd check your firewall and that the remote CA
I opened 8080/tcp (it was closed) but still a failure I
[2/23]: configuring certificate server instance
configure CA instance: Command ''/usr/sbin/pkispawn' '-s'
'/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See
installation logs and the following files/directories for
[error] RuntimeError: CA configuration failed.
I noticed - /var/log/pki-ca-install.log does NOT exist
and log file:
Storing deployment configuration into
nsecureRequestWarning: Unverified HTTPS request is being
certificate verification is s
trongly advised. See:
pkispawn : ERROR ....... server failed to restart
2016-05-25T14:12:21Z CRITICAL Failed to configure CA
''/usr/sbin/pkispawn' '-s' '
CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs
following files/directories for mor
You need to look in those files/directories for more
details. Dogtag doesn't return much on failures and we
display what we have but all the real meat is in those logs.
can I ask a question? - my nss.conf is pretty
plain-vanilla, uses :443 -
why does installer complain about it being used and I
have to change the
port for installer to start?
Because there is no easy way to determine what is using
that port. If it is mod_ssl or some other web server
instead then things go sideways pretty fast.
I'm surprised the port checker didn't discover this if
it is a
firewall issue and that would be a bug (either the port
checked or not using the proxy).
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project