freeipa-server is still quite broken on Ubuntu, I believe. It should install fine, but certmonger cannot renew the CA successfully, as nss on Debian/Ubuntu is missing nss-pem, so it can't read certificate files. I wrote about this in a thread titled "Dogtag certs did not auto-renew, very stuck!".
I'd recommend running the server on a Red Hat derivative for the foreseeable future.

On 01/05/17 13:18, Robert L. Harris wrote:
>
> Gave up on freeipa and Ubuntu 17.10. Re-installed with 16.04 and
> some base packages which does include freeipa-client. When I do an
> apt-get install on freeipa-server it runs along happily until I find this:
>
> .
> ...
> Setting up pki-server (10.2.6+git20160317-1) ...
> Job for pki-tomcatd.service failed because the control process exited
> with error code. See "systemctl status pki-tomcatd.service" and
> "journalctl -xe" for details.
> invoke-rc.d: initscript pki-tomcatd, action "start" failed.
> * pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
> Loaded: loaded (/etc/init.d/pki-tomcatd; bad; vendor preset: enabled)
> Active: failed (Result: exit-code) since Sun 2017-04-30 20:38:29
> MDT; 3ms ago
> Docs: man:systemd-sysv-generator(8)
> Process: 9645 ExecStart=/etc/init.d/pki-tomcatd start (code=exited,
> status=5)
>
> Apr 30 20:38:29 ipa systemd: Starting LSB: Start pki-tomcatd at
> boot time...
> Apr 30 20:38:29 ipa pki-tomcatd: ERROR: No 'tomcat' instances
> installed!
> ... because no CA instance has been configured yet.
> pki-tomcatd-nuxwdog.target is a disabled or a static unit, not
> starting it.
> pki-tomcatd.target is a disabled or a static unit, not starting it.
> Setting up pki-ca (10.2.6+git20160317-1) ...
> ...
> .
>
> I have been googling but can't find a relevant fix that resolves this.
> Any ideas?
>
> Robert