Re: [Freeipa-users] Failed installation
On 10/18/2012 10:46 AM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> Sorry, that wasn't clear at all, was it? The latest attempt was after I ran the cleanup. No joy; it's still failing at the same point and tomcat is definitely not running.
>>
>> In order to diagnose why dogtag is failing to install we need to see the logs from /var/log/pki-ca and the full /var/log/ipaserver-install.log. You can send them directly to me or Martin if you'd prefer.
>
> To close the loop on this, I had Bret yum reinstall the pki-selinux package. For some reason sometimes it fails to load the required SELinux contents on install.

Is there any way to make it more reliable?

> Doing that has resolved the installation issue.
>
> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Failed installation
On Fri, 2012-10-19 at 14:26 -0400, Dmitri Pal wrote:
> On 10/18/2012 10:46 AM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> Sorry, that wasn't clear at all, was it? The latest attempt was after I ran the cleanup. No joy; it's still failing at the same point and tomcat is definitely not running.
>>>
>>> In order to diagnose why dogtag is failing to install we need to see the logs from /var/log/pki-ca and the full /var/log/ipaserver-install.log. You can send them directly to me or Martin if you'd prefer.
>>
>> To close the loop on this, I had Bret yum reinstall the pki-selinux package. For some reason sometimes it fails to load the required SELinux contents on install.
>
> Is there any way to make it more reliable?

The dogtag selinux policy is being merged into the system policy. This should remove the issue completely in future Fedora versions.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Failed installation
Hello Bret,

This may be a long shot, but I sometimes hit this kind of error when CA installation crashed and there is still some remaining CA configuration (in /var/lib/pki-ca). I usually fix this with standard

    ipa-server-install --uninstall -U

and then running this command:

    /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

HTH,
Martin

On 10/18/2012 12:26 AM, Bret Wortman wrote:
> I think I have SELinux turned off but will double-check in the morning. And reply to the list
>
> --
> Bret Wortman
> http://bretwortman.com/
> http://twitter.com/bretwortman
>
> On Wednesday, October 17, 2012 at 3:17 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> Now it appears that whatever is supposed to be running on port 9445 (looks like mindarray-ca) isn't running, and I'm not sure how it gets started, exactly. I ran lsof -i:9445 on this server and on a FreeIPA test box I first set up, and it's running on the test box but not the new one. Where should I look next?
>>
>> See if there are any SELinux denials: ausearch -m AVC
>>
>> It looks like tomcat failed to start. The logs are in /var/log/pki-ca.
>>
>> rob
>>
>>> On Wed, Oct 17, 2012 at 2:07 PM, Bret Wortman bret.wort...@damascusgrp.com wrote:
>>>> Spot on. It was a fresh install of F17 and I neglected to # yum update first. I've done so, rebooted, and am trying again with better results.
Re: [Freeipa-users] Failed installation
On 10/18/2012 01:23 PM, Bret Wortman wrote:
> Tomcat is definitely not running and there's no log in /var/log/pki-ca. SELinux is disabled and not running. The same RPMs are installed on both my functioning and nonfunctioning system, at least as far as # rpm -qa | grep tomcat | sort revealed.
>
> I also followed Martin's suggestion to clean out the CA configuration, but that command seems to indicate that there wasn't any existing configuration:
>
> [root@fs1 ~]# /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
> PKI instance Deletion Utility ...
> PKI instance Deletion Utility cleaning up instance ...
> No security domain defined.
> If this is an unconfigured instance, then that is OK.
> Otherwise, manually delete the entry from the security domain master.
> Removing selinux contexts

Actually, I think that the pkiremove utility removed the leftover CA. If the CA was not there, the output should look like that:

# /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
PKI instance Deletion Utility ...
[error] /usr/bin/pkiremove: Target directory /var/lib/pki-ca is not a legal directory.
...

Can you try running the server install again? So that we can see if the CA cleanup helped?

Martin
Re: [Freeipa-users] Failed installation
Sorry, that wasn't clear at all, was it? The latest attempt was after I ran the cleanup. No joy; it's still failing at the same point and tomcat is definitely not running.

On Thu, Oct 18, 2012 at 7:28 AM, Martin Kosek mko...@redhat.com wrote:
> On 10/18/2012 01:23 PM, Bret Wortman wrote:
>> Tomcat is definitely not running and there's no log in /var/log/pki-ca. SELinux is disabled and not running. The same RPMs are installed on both my functioning and nonfunctioning system, at least as far as # rpm -qa | grep tomcat | sort revealed.
>>
>> I also followed Martin's suggestion to clean out the CA configuration, but that command seems to indicate that there wasn't any existing configuration:
>>
>> [root@fs1 ~]# /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
>> PKI instance Deletion Utility ...
>> PKI instance Deletion Utility cleaning up instance ...
>> No security domain defined.
>> If this is an unconfigured instance, then that is OK.
>> Otherwise, manually delete the entry from the security domain master.
>> Removing selinux contexts
>
> Actually, I think that the pkiremove utility removed the leftover CA. If the CA was not there, the output should look like that:
>
> # /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
> PKI instance Deletion Utility ...
> [error] /usr/bin/pkiremove: Target directory /var/lib/pki-ca is not a legal directory.
> ...
>
> Can you try running the server install again? So that we can see if the CA cleanup helped?
>
> Martin

--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
Re: [Freeipa-users] Failed installation
Bret Wortman wrote:
> Sorry, that wasn't clear at all, was it? The latest attempt was after I ran the cleanup. No joy; it's still failing at the same point and tomcat is definitely not running.

In order to diagnose why dogtag is failing to install we need to see the logs from /var/log/pki-ca and the full /var/log/ipaserver-install.log. You can send them directly to me or Martin if you'd prefer.

rob

> On Thu, Oct 18, 2012 at 7:28 AM, Martin Kosek mko...@redhat.com wrote:
>> On 10/18/2012 01:23 PM, Bret Wortman wrote:
>>> Tomcat is definitely not running and there's no log in /var/log/pki-ca. SELinux is disabled and not running. The same RPMs are installed on both my functioning and nonfunctioning system, at least as far as # rpm -qa | grep tomcat | sort revealed.
>>>
>>> I also followed Martin's suggestion to clean out the CA configuration, but that command seems to indicate that there wasn't any existing configuration:
>>>
>>> [root@fs1 ~]# /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
>>> PKI instance Deletion Utility ...
>>> PKI instance Deletion Utility cleaning up instance ...
>>> No security domain defined.
>>> If this is an unconfigured instance, then that is OK.
>>> Otherwise, manually delete the entry from the security domain master.
>>> Removing selinux contexts
>>
>> Actually, I think that the pkiremove utility removed the leftover CA. If the CA was not there, the output should look like that:
>>
>> # /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
>> PKI instance Deletion Utility ...
>> [error] /usr/bin/pkiremove: Target directory /var/lib/pki-ca is not a legal directory.
>> ...
>>
>> Can you try running the server install again? So that we can see if the CA cleanup helped?
>>
>> Martin
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
Re: [Freeipa-users] Failed installation
Rob Crittenden wrote:
> Bret Wortman wrote:
>> Sorry, that wasn't clear at all, was it? The latest attempt was after I ran the cleanup. No joy; it's still failing at the same point and tomcat is definitely not running.
>
> In order to diagnose why dogtag is failing to install we need to see the logs from /var/log/pki-ca and the full /var/log/ipaserver-install.log. You can send them directly to me or Martin if you'd prefer.

To close the loop on this, I had Bret yum reinstall the pki-selinux package. For some reason sometimes it fails to load the required SELinux contents on install.

Doing that has resolved the installation issue.

rob
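The `ausearch -m AVC` check suggested in this thread, as an added example that is not part of any message here: a POSIX shell helper that groups AVC denials by process, source type, target type, class and permission, so repeated denials from the CA's Java process stand out. The audit records are constructed for illustration, and `example_ca_t` is a placeholder type name, not one taken from the pki-selinux policy.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials so the ones that matter stand out.
# Live use (as root):  ausearch -m AVC | avc_summary

# Constructed sample records; example_ca_t is a placeholder type name.
SAMPLE_AVC='----
time->Wed Oct 17 12:24:50 2012
type=AVC msg=audit(1350491090.101:201): avc:  denied  { name_bind } for  pid=2101 comm="java" src=9445 scontext=system_u:system_r:example_ca_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Wed Oct 17 12:24:52 2012
type=AVC msg=audit(1350491092.455:202): avc:  denied  { name_bind } for  pid=2140 comm="java" src=9445 scontext=system_u:system_r:example_ca_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Wed Oct 17 12:24:53 2012
type=AVC msg=audit(1350491093.007:203): avc:  denied  { read write } for  pid=2140 comm="java" name="debug" dev="dm-0" ino=131 scontext=system_u:system_r:example_ca_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Wed Oct 17 12:30:00 2012
type=AVC msg=audit(1350491400.900:210): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/home/u/x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Read ausearch output on stdin and print one row per distinct denial:
#   COUNT COMM SOURCE_TYPE TARGET_TYPE CLASS PERMS
# Assumes quoted values such as comm="..." contain no spaces.
avc_summary() {
    awk '
    # Return the value of key=value on the current record, quotes stripped.
    function kv(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return "-"
    }
    # user:role:type:level, keep the type
    function setype(ctx,    p) {
        return (split(ctx, p, ":") >= 3) ? p[3] : "-"
    }
    /avc:/ && /denied/ {
        a = index($0, "{"); b = index($0, "}")
        if (a == 0 || b <= a) next
        perms = substr($0, a + 1, b - a - 1)
        gsub(/^ +| +$/, "", perms)
        gsub(/ +/, ",", perms)
        key = kv("comm") " " setype(kv("scontext")) " " \
              setype(kv("tcontext")) " " kv("tclass") " " perms
        n[key]++
    }
    END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Total number of denials whose source (process) type is $1.
avc_denials_from() {
    avc_summary | awk -v t="$1" '$3 == t { s += $1 } END { print s + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

On a host where SELinux is disabled no AVC records are logged, so an empty summary there says nothing about whether the policy module is loaded.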
[Freeipa-users] Failed installation
I recently tried installing freeipa on a new server, but ipa-server-install had problems around this point:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/18]: creating certificate server user
  [2/18]: creating pki-ca instance
  [3/18]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fs1.wedgeofli.me -cs_port 9445 -client_certdb_dir /tmp/tmp-UvBMbL -client_certdb_pwd -preop_pin HHxKHUz5RRfzQ3OkFMlR -domain_name IPA -admin_user admin -admin_email root@localhost -admin_ -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=WEDGEOFLI.ME -ldap_host fs1.wedgeofli.me -ldap_port 7389 -bind_dn cn=Directory Manager -bind_ -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=WEDGEOFLI.ME -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=WEDGEOFLI.ME -ca_server_cert_subject_name CN=fs1.wedgeofli.me,O=WEDGEOFLI.ME -ca_audit_signing_cert_subject_name CN=CA Audit,O=WEDGEOFLI.ME -ca_sign_cert_subject_name CN=Certificate Authority,O=WEDGEOFLI.ME -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed
[root@fs1 ~]#

The logfile revealed the following stack trace:

#
Attempting to connect to: fs1.wedgeofli.me:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA
###
2012-10-17T16:24:53Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
        at java.net.Socket.connect(Socket.java:579)
        at java.net.Socket.connect(Socket.java:528)
        at java.net.Socket.init(Socket.java:425)
        at java.net.Socket.init(Socket.java:241)
        at HTTPClient.sslConnect(HTTPClient.java:326)
        at ConfigureCA.LoginPanel(ConfigureCA.java:244)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
        at ConfigureCA.main(ConfigureCA.java:1672)
java.lang.NullPointerException
        at ConfigureCA.LoginPanel(ConfigureCA.java:245)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
        at ConfigureCA.main(ConfigureCA.java:1672)

Now I seem to be stuck. I tried uninstalling the freeipa-server package with

# yum remove freeipa-server

and then reinstalled it the same way, but ipa-server-install won't run no matter what I attempt.

Any thoughts? I'm pretty new to IPA.

Thanks!

--
Bret Wortman
The Damascus Group
Fairfax, VA
Re: [Freeipa-users] Failed installation
On 10/17/2012 12:40 PM, Bret Wortman wrote:
> Now I seem to be stuck. I tried uninstalling the freeipa-server package with
>
> # yum remove freeipa-server
>
> and then reinstalled it the same way, but ipa-server-install won't run no matter what I attempt.
>
> Any thoughts? I'm pretty new to IPA.

Make sure you have packages installed

Run the uninstall command several times (5 for example)

    ipa-server-install --uninstall -U

In case of failed installation and other steps you made the installation might be in the corrupted state. Running several times might help as it might detect and remove/unconfigure different things at different moments.

Before trying to reinstall again make sure you have latest SELinux policies.

If it explodes again let us know.

> Thanks!
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Failed installation
On 10/17/2012 12:40 PM, Bret Wortman wrote:
> Now I seem to be stuck. I tried uninstalling the freeipa-server package with
>
> # yum remove freeipa-server
>
> and then reinstalled it the same way, but ipa-server-install won't run no matter what I attempt.
>
> Any thoughts? I'm pretty new to IPA.

There is a good chance this is due to a version mismatch between the IPA packages and the dogtag packages. You didn't mention which OS you're using nor the versions of the relevant packages, that would have been helpful. In any event I would make sure all your packages are up to date.

--
John Dennis jden...@redhat.com
Re: [Freeipa-users] Failed installation
Now it appears that whatever is supposed to be running on port 9445 (looks like mindarray-ca) isn't running, and I'm not sure how it gets started, exactly. I ran lsof -i:9445 on this server and on a FreeIPA test box I first set up, and it's running on the test box but not the new one. Where should I look next?

On Wed, Oct 17, 2012 at 2:07 PM, Bret Wortman bret.wort...@damascusgrp.com wrote:
> Spot on. It was a fresh install of F17 and I neglected to # yum update first. I've done so, rebooted, and am trying again with better results.
>
> On Wed, Oct 17, 2012 at 1:45 PM, John Dennis jden...@redhat.com wrote:
>> There is a good chance this is due to a version mismatch between the IPA packages and the dogtag packages. You didn't mention which OS you're using nor the versions of the relevant packages, that would have been helpful. In any event I would make sure all your packages are up to date.
>>
>> --
>> John Dennis jden...@redhat.com
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman

--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
Re: [Freeipa-users] Failed installation
On 10/17/2012 02:31 PM, Bret Wortman wrote:
> Now it appears that whatever is supposed to be running on port 9445 (looks like mindarray-ca) isn't running, and I'm not sure how it gets started, exactly. I ran lsof -i:9445 on this server and on a FreeIPA test box I first set up, and it's running on the test box but not the new one. Where should I look next?

Your cert system component failed to start because its DS instance failed to start. Did the install fail again after cleanup? If not it is better to start over with cleanup and if the install fails we will help you to troubleshoot.

> On Wed, Oct 17, 2012 at 2:07 PM, Bret Wortman bret.wort...@damascusgrp.com wrote:
>> Spot on. It was a fresh install of F17 and I neglected to # yum update first. I've done so, rebooted, and am trying again with better results.
Re: [Freeipa-users] Failed installation
Bret Wortman wrote:

Now it appears that whatever is supposed to be running on port 9445 (looks like mindarray-ca) isn't running, and I'm not sure how it gets started, exactly. I ran lsof -i:9445 on this server and on a FreeIPA test box I first set up, and it's running on the test box but not the new one. Where should I look next?

See if there are any SELinux denials: ausearch -m AVC

It looks like tomcat failed to start. The logs are in /var/log/pki-ca.

rob

On Wed, Oct 17, 2012 at 2:07 PM, Bret Wortman bret.wort...@damascusgrp.com wrote:

Spot on. It was a fresh install of F17 and I neglected to # yum update first. I've done so, rebooted, and am trying again with better results.

On Wed, Oct 17, 2012 at 1:45 PM, John Dennis jden...@redhat.com wrote:

On 10/17/2012 12:40 PM, Bret Wortman wrote:

I recently tried installing freeipa on a new server, but ipa-server-install had problems around this point:

Configuring certificate server: Estimated time 3 minutes 30 seconds
[1/18]: creating certificate server user
[2/18]: creating pki-ca instance
[3/18]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fs1.wedgeofli.me -cs_port 9445 -client_certdb_dir /tmp/tmp-UvBMbL -client_certdb_pwd -preop_pin HHxKHUz5RRfzQ3OkFMlR -domain_name IPA -admin_user admin -admin_email root@localhost -admin_ -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=WEDGEOFLI.ME -ldap_host fs1.wedgeofli.me -ldap_port 7389 -bind_dn cn=Directory Manager -bind_ -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=WEDGEOFLI.ME -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=WEDGEOFLI.ME -ca_server_cert_subject_name CN=fs1.wedgeofli.me,O=WEDGEOFLI.ME -ca_audit_signing_cert_subject_name CN=CA Audit,O=WEDGEOFLI.ME -ca_sign_cert_subject_name CN=Certificate Authority,O=WEDGEOFLI.ME -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed
[root@fs1 ~]#

The logfile revealed the following stack trace:

##### Attempting to connect to: fs1.wedgeofli.me:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA
#######
2012-10-17T16:24:53Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
at java.net.Socket.connect(Socket.java:579)
at java.net.Socket.connect(Socket.java:528)
at java.net.Socket.init(Socket.java:425)
at java.net.Socket.init(Socket.java:241)
at HTTPClient.sslConnect(HTTPClient.java:326)
at
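The denial check suggested in the reply above (ausearch -m AVC), as an added example that is not part of the original thread: a shell function that groups raw AVC records so that a denial against the JVM running tomcat stands out. The function names are hypothetical, and the sample records, contexts and pids are constructed for illustration.

```shell
#!/bin/sh
# Added example: count SELinux AVC denials per process, source type, class and permission.
# On a live host the input would come from: ausearch -m AVC --raw

summarize_avc() {
  awk '
    /avc:/ && /denied/ {
      comm = "?"; stype = "?"; tclass = "?"; perms = "?"
      s = index($0, "{"); e = index($0, "}")      # permissions sit between the braces
      if (s && e > s) {
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }   # user:role:type:level
        if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
      }
      n[comm " " stype " " tclass " " perms]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# Number of denials attributed to one command name (e.g. the JVM that runs tomcat).
denials_for() {
  summarize_avc | awk -v want="$1" '$2 == want { total += $1 } END { print total + 0 }'
}

# Constructed sample records (not taken from the thread); contexts and pids are made up.
sample_avc() {
  cat <<'EOF'
type=AVC msg=audit(1350490001.101:410): avc:  denied  { name_bind } for  pid=2101 comm="java" src=9445 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1350490001.101:410): arch=c000003e syscall=49 success=no exit=-13 comm="java"
type=AVC msg=audit(1350490007.455:418): avc:  denied  { name_bind } for  pid=2188 comm="java" src=9445 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1350490030.002:431): avc:  denied  { read open } for  pid=2240 comm="httpd" name="ca.crt" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
EOF
}

sample_avc | summarize_avc
```

On a live host, pipe `ausearch -m AVC --raw` into `summarize_avc` and check `getenforce` as well, since denials logged in permissive mode are recorded but not enforced.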
Re: [Freeipa-users] Failed installation
I think I have SELinux turned off but will double-check in the morning. And reply to the list

--
Bret Wortman
http://bretwortman.com/
http://twitter.com/bretwortman

On Wednesday, October 17, 2012 at 3:17 PM, Rob Crittenden wrote:

Bret Wortman wrote:

Now it appears that whatever is supposed to be running on port 9445 (looks like mindarray-ca) isn't running, and I'm not sure how it gets started, exactly. I ran lsof -i:9445 on this server and on a FreeIPA test box I first set up, and it's running on the test box but not the new one. Where should I look next?

See if there are any SELinux denials: ausearch -m AVC

It looks like tomcat failed to start. The logs are in /var/log/pki-ca.

rob

On Wed, Oct 17, 2012 at 2:07 PM, Bret Wortman bret.wort...@damascusgrp.com wrote:

Spot on. It was a fresh install of F17 and I neglected to # yum update first. I've done so, rebooted, and am trying again with better results.

On Wed, Oct 17, 2012 at 1:45 PM, John Dennis jden...@redhat.com wrote:

On 10/17/2012 12:40 PM, Bret Wortman wrote:

I recently tried installing freeipa on a new server, but ipa-server-install had problems around this point:

Configuring certificate server: Estimated time 3 minutes 30 seconds
[1/18]: creating certificate server user
[2/18]: creating pki-ca instance
[3/18]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fs1.wedgeofli.me -cs_port 9445 -client_certdb_dir /tmp/tmp-UvBMbL -client_certdb_pwd -preop_pin HHxKHUz5RRfzQ3OkFMlR -domain_name IPA -admin_user admin -admin_email root@localhost -admin_ -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=WEDGEOFLI.ME -ldap_host fs1.wedgeofli.me -ldap_port 7389 -bind_dn cn=Directory Manager -bind_ -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=WEDGEOFLI.ME -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=WEDGEOFLI.ME -ca_server_cert_subject_name CN=fs1.wedgeofli.me,O=WEDGEOFLI.ME -ca_audit_signing_cert_subject_name CN=CA Audit,O=WEDGEOFLI.ME -ca_sign_cert_subject_name CN=Certificate Authority,O=WEDGEOFLI.ME -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed
[root@fs1 ~]#

The logfile revealed the following stack trace:

##### Attempting to connect to: fs1.wedgeofli.me:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA
#######
2012-10-17T16:24:53Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
at java.net.Socket.connect(Socket.java:579)
at java.net.Socket.connect(Socket.java:528)
at java.net.Socket.init(Socket.java:425)
at java.net.Socket.init(Socket.java:241)
at HTTPClient.sslConnect(HTTPClient.java:326)
at ConfigureCA.LoginPanel(ConfigureCA.java:244)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
at ConfigureCA.main(ConfigureCA.java:1672)
java.lang.NullPointerException
at ConfigureCA.LoginPanel(ConfigureCA.java:245)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
at ConfigureCA.main(ConfigureCA.java:1672)

Now I seem to be stuck. I tried uninstalling the freeipa-server package with # yum remove freeipa-server and then reinstalled it the same way, but