On Wed, Mar 15, 2017 at 06:32:42PM -0400, Chris Dagdigian wrote:
>
> Any tips for diving into this a bit more to troubleshoot?
>
> For the 1st time I'm setting up an ipa-server 4.4 replica with CA features
> enabled but the replica install seems to hang forever here:
>
> ...
> ...
> ...
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
> [1/27]: creating certificate server user
> [2/27]: configuring certificate server instance
> [3/27]: stopping certificate server instance to update CS.cfg
> [4/27]: backing up CS.cfg
> [5/27]: disabling nonces
> [6/27]: set up CRL publishing
> [7/27]: enable PKIX certificate path discovery and validation
> [8/27]: starting certificate server instance
>
> < no output after this >
>
>
> The replica-install.log file ends here:
>
> ...
> ...
> ...
> 2017-03-15T22:16:05Z DEBUG Starting external process
> 2017-03-15T22:16:05Z DEBUG args=/bin/systemctl is-active
> email@example.com
> 2017-03-15T22:16:05Z DEBUG Process finished, return code=0
> 2017-03-15T22:16:05Z DEBUG stdout=active
>
> 2017-03-15T22:16:05Z DEBUG stderr=
> 2017-03-15T22:16:05Z DEBUG wait_for_open_ports: localhost [8080, 8443]
> timeout 300
> 2017-03-15T22:16:06Z DEBUG Waiting until the CA is running
> 2017-03-15T22:16:06Z DEBUG request POST
> http://deawilidmp001.XXX.org:8080/ca/admin/ca/getStatus
> 2017-03-15T22:16:06Z DEBUG request body ''
>
>
> I've confirmed that SELINUX is disabled, there is no firewall and the AWS
> Security Groups are allowing TCP:8080 and TCP:8443 to the replica instance.
> The systemctl command also verifies that
> firstname.lastname@example.org is "active" as well.
>
>
> Any tips for debugging further?
>

Could you please provide the /var/log/pki/pki-tomcat/ca/debug log file?

Thanks,
Fraser