Re: [Freeipa-users] ipa-server-install fails at DogTag restart
On Wed, Dec 14, 2016 at 05:35:35PM +, Tommy Nikjoo wrote:
> Hi,
>
> I'm trying to install FreeIPA on CentOS 7 using the yum package, but I
> keep getting an error when it tries to restart DogTag
>
> [26/31]: restarting certificate server
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance.See the installation log for details.
> [27/31]: migrating certificate profiles to LDAP
> [error] NetworkError: cannot connect to
> 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
> ipa.ipapython.install.cli.install_tool(Server): ERRORcannot connect
> to 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
> ipa.ipapython.install.cli.install_tool(Server): ERRORThe
> ipa-server-install command failed. See /var/log/ipaserver-install.log
> for more information
>
>
> The log shows the following error
>
> 2016-12-14T16:53:05Z DEBUG NSSConnection init ldap.example.com
> 2016-12-14T16:53:05Z DEBUG Connecting: x.x.x.x:0
> 2016-12-14T16:53:05Z DEBUG approved_usage = SSL Server intended_usage =
> SSL Server
> 2016-12-14T16:53:05Z DEBUG cert valid True for
> "CN=ldap.example.com,O=EXAMPLE.COM"
> 2016-12-14T16:53:05Z DEBUG handshake complete, peer = x.x.x.x:8443
> 2016-12-14T16:53:05Z DEBUG Protocol: TLS1.2
> 2016-12-14T16:53:05Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> 2016-12-14T16:53:05Z DEBUG response status 200
> 2016-12-14T16:53:05Z DEBUG response headers {'content-length': '205',
> 'set-cookie': 'JSESSIONID=9B6C767CDBED07088646235E68E831E0; Path=/ca/;
> Secure; HttpOnly', 'expires': 'Thu, 01 Jan 1970 00:00:00 UTC', 'server':
> 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed, 14 Dec
> 2016 16:53:05 GMT', 'content-type': 'application/xml'}
> 2016-12-14T16:53:05Z DEBUG response body ' encoding="UTF-8" standalone="yes"?> id="ipara">iparaCertificate Manager
> AgentsRegistration Manager Agents'
> 2016-12-14T16:53:05Z DEBUG request POST
> https://ldap.example.com:8443/ca/rest/profiles/raw
> 2016-12-14T16:53:05Z DEBUG request body
> 'profileId=IECUserRoles\nclassId=caEnrollImpl\ndesc=Enroll user
> certificates with IECUserRoles extension via IPA-RA agent
> authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=IPA-RA
> Agent-Authenticated Server Certificate
> Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject
> Name
> Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject
> Name
> Default\npolicyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> O=EXAMPLE.COM\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity
> Constraint\npolicyset.serverCertSet.2.constraint.params.range=740\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity
> Default\npolicyset.serverCertSet.2.default.params.range=731\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key
> Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key
> Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No
> Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority
> Key Identifier
> Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No
> Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA
> Extension
>
[Freeipa-users] ipa-server-install fails at DogTag restart
Hi,
I'm trying to install FreeIPA on CentOS 7 using the yum package, but I
keep getting an error when it tries to restart DogTag
[26/31]: restarting certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
the Dogtag instance.See the installation log for details.
[27/31]: migrating certificate profiles to LDAP
[error] NetworkError: cannot connect to
'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
ipa.ipapython.install.cli.install_tool(Server): ERRORcannot connect
to 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
ipa.ipapython.install.cli.install_tool(Server): ERRORThe
ipa-server-install command failed. See /var/log/ipaserver-install.log
for more information
The log shows the following error
2016-12-14T16:53:05Z DEBUG NSSConnection init ldap.example.com
2016-12-14T16:53:05Z DEBUG Connecting: x.x.x.x:0
2016-12-14T16:53:05Z DEBUG approved_usage = SSL Server intended_usage =
SSL Server
2016-12-14T16:53:05Z DEBUG cert valid True for
"CN=ldap.example.com,O=EXAMPLE.COM"
2016-12-14T16:53:05Z DEBUG handshake complete, peer = x.x.x.x:8443
2016-12-14T16:53:05Z DEBUG Protocol: TLS1.2
2016-12-14T16:53:05Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-12-14T16:53:05Z DEBUG response status 200
2016-12-14T16:53:05Z DEBUG response headers {'content-length': '205',
'set-cookie': 'JSESSIONID=9B6C767CDBED07088646235E68E831E0; Path=/ca/;
Secure; HttpOnly', 'expires': 'Thu, 01 Jan 1970 00:00:00 UTC', 'server':
'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed, 14 Dec
2016 16:53:05 GMT', 'content-type': 'application/xml'}
2016-12-14T16:53:05Z DEBUG response body 'iparaCertificate Manager
AgentsRegistration Manager Agents'
2016-12-14T16:53:05Z DEBUG request POST
https://ldap.example.com:8443/ca/rest/profiles/raw
2016-12-14T16:53:05Z DEBUG request body
'profileId=IECUserRoles\nclassId=caEnrollImpl\ndesc=Enroll user
certificates with IECUserRoles extension via IPA-RA agent
authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=IPA-RA
Agent-Authenticated Server Certificate
Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject
Name
Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject
Name
Default\npolicyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
O=EXAMPLE.COM\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity
Constraint\npolicyset.serverCertSet.2.constraint.params.range=740\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity
Default\npolicyset.serverCertSet.2.default.params.range=731\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key
Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key
Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No
Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority
Key Identifier
Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No
Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA
Extension
Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key
Usage Extension
