[Freeipa-users] Installation failed at configuring CA

2011-09-15 Thread Matthew Davis
So here's the steps I took to reproduce this (which I've done a few
times now to make sure I didn't botch something up)

- fresh install of F15
- fully updated from the main repos
- install freeipa-server using the updates-testing repo
- set SELinux to permissive (due to previous conversations about
selinux stopping the ldap server from restarting)
- ran ipa-server-install

It dies at this stage:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI
-client_certdb_pwd '' -preop_pin JBpIwvNsi8efrsbebjVK
-domain_name IPA -admin_user admin -admin_email root@localhost
-admin_password '' -agent_name ipa-ca-agent -agent_key_size
2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=DOMAIN.COM -ldap_host ipa.domain.com -ldap_port
7389 -bind_dn cn=Directory Manager -bind_password ''
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
-key_algorithm SHA256withRSA -save_p12 true -backup_pwd ''
-subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=DOMAIN.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=DOMAIN.COM
-ca_server_cert_subject_name CN=ipa.domain.com,O=DOMAIN.COM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=DOMAIN.COM
-ca_sign_cert_subject_name CN=Certificate Authority,O=DOMAIN.COM
-external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed

Attached is the last bit of the install log.

-- 
Matthew Davis
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Thu, 15 Sep 2011 19:55:08 GMT
RESPONSE HEADER:  Connection: close
ERROR: unable to parse xml
ERROR XML = ameKey 
Pairs/Name/PanelPanelIdsubjectname/IdNameSubject 
Names/Name/PanelPanelIdcertrequest/IdNameRequests and 
Certificates/Name/PanelPanelIdbackupkeys/IdNameExport Keys and 
Certificates/Name/PanelPanelIdsavepk12/IdNameSave Keys and 
Certificates/Name/PanelPanelIdimportcachain/IdNameImport CA's 
Certificate 
Chain/Name/PanelPanelIdadmin/IdNameAdministrator/Name/PanelPanelIdimportadmincert/IdNameImport
 Administrator's 
Certificate/Name/PanelPanelIddone/IdNameDone/Name/Panel/Vector/panelsp17/pnameCA
 Setup 

Re: [Freeipa-users] Installation failed at configuring CA

2011-09-15 Thread Rob Crittenden

Matthew Davis wrote:

> So here's the steps I took to reproduce this (which I've done a few
> times now to make sure I didn't botch something up)
>
> - fresh install of F15
> - fully updated from the main repos
> - install freeipa-server using the updates-testing repo
> - set SELinux to permissive (due to previous conversations about
> selinux stopping the ldap server from restarting)
> - ran ipa-server-install
>
> It dies at this stage:
>
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>    [1/17]: creating certificate server user
>    [2/17]: creating pki-ca instance
>    [3/17]: configuring certificate server instance
> root: CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI
> -client_certdb_pwd '' -preop_pin JBpIwvNsi8efrsbebjVK
> -domain_name IPA -admin_user admin -admin_email root@localhost
> -admin_password '' -agent_name ipa-ca-agent -agent_key_size
> 2048 -agent_key_type rsa -agent_cert_subject
> CN=ipa-ca-agent,O=DOMAIN.COM -ldap_host ipa.domain.com -ldap_port
> 7389 -bind_dn cn=Directory Manager -bind_password ''
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd ''
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=DOMAIN.COM
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=DOMAIN.COM
> -ca_server_cert_subject_name CN=ipa.domain.com,O=DOMAIN.COM
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=DOMAIN.COM
> -ca_sign_cert_subject_name CN=Certificate Authority,O=DOMAIN.COM
> -external false -clone false' returned non-zero exit status 255
> Unexpected error - see ipaserver-install.log for details:
>   Configuration of CA failed
>
> Attached is the last bit of the install log.


Are you using a Directory Manager password with special characters in 
it? The password ends up getting passed through the shell and some 
things that require escaping aren't escaped by either us, dogtag or 
both. We're investigating that now.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
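
Added example (not part of the thread, and not FreeIPA or dogtag code): the escaping problem Rob describes, reproduced with a stand-in child process that prints the arguments it actually receives. The `CHILD` helper, the function names and the sample passwords are constructed for illustration and a POSIX `sh` is assumed; only the `-bind_password` flag name comes from the command line quoted in the thread.

```python
import json
import shlex
import subprocess
import sys

# Hypothetical stand-in for the configuration tool: prints the argv it received as JSON.
CHILD = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
CHILD_STR = " ".join(shlex.quote(a) for a in CHILD)


def _run(cmd, shell):
    """Run cmd and return (exit status, argv seen by the child or None)."""
    proc = subprocess.run(cmd, shell=shell, capture_output=True, text=True)
    seen = json.loads(proc.stdout) if proc.stdout.strip() else None
    return proc.returncode, seen


def shell_unescaped(password):
    """Password pasted into a shell command string with no escaping."""
    return _run(f"{CHILD_STR} -bind_password {password}", shell=True)


def shell_naive_quotes(password):
    """Password wrapped in '...' without escaping quotes inside it."""
    return _run(f"{CHILD_STR} -bind_password '{password}'", shell=True)


def shell_escaped(password):
    """Password escaped with shlex.quote before it reaches the shell."""
    return _run(f"{CHILD_STR} -bind_password {shlex.quote(password)}", shell=True)


def argv_list(password):
    """No shell at all: the password is one argv element, unchanged."""
    return _run(CHILD + ["-bind_password", password], shell=False)


if __name__ == "__main__":
    for pw in ("Dir Mgr$1pw", "it's a pass"):  # constructed sample passwords
        for fn in (shell_unescaped, shell_naive_quotes, shell_escaped, argv_list):
            print(f"{fn.__name__:20} {pw!r:16} -> {fn(pw)}")
```

Passing the arguments as a list is the robust form: with no shell between the installer and the tool, no character in the password needs escaping.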


Re: [Freeipa-users] Installation failed at configuring CA

2011-09-15 Thread Matthew Davis
On Thu, Sep 15, 2011 at 4:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Are you using a Directory Manager password with special characters in it?
> The password ends up getting passed through the shell and some things that
> require escaping aren't escaped by either us, dogtag or both. We're
> investigating that now.

Ah, yes, there is a  in there and a few other special chars. Thanks.
I'll test again w/o them.


-- 
Matthew Davis



Re: [Freeipa-users] Installation failed at configuring CA

2011-09-15 Thread Matthew Davis
On Thu, Sep 15, 2011 at 4:47 PM, Matthew Davis
matt...@familycampground.org wrote:
> On Thu, Sep 15, 2011 at 4:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Are you using a Directory Manager password with special characters in it?
>> The password ends up getting passed through the shell and some things that
>> require escaping aren't escaped by either us, dogtag or both. We're
>> investigating that now.
>
> Ah, yes, there is a  in there and a few other special chars. Thanks.
> I'll test again w/o them.

Thanks Rob, that did it.

Need me to file a bug so this doesn't get lost?

-- 
Matthew Davis
http://familycampground.org/matthew/



Re: [Freeipa-users] Installation failed at configuring CA

2011-09-15 Thread Rob Crittenden

Matthew Davis wrote:

> On Thu, Sep 15, 2011 at 4:47 PM, Matthew Davis
> matt...@familycampground.org wrote:
>> On Thu, Sep 15, 2011 at 4:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>> Are you using a Directory Manager password with special characters in it?
>>> The password ends up getting passed through the shell and some things that
>>> require escaping aren't escaped by either us, dogtag or both. We're
>>> investigating that now.
>>
>> Ah, yes, there is a  in there and a few other special chars. Thanks.
>> I'll test again w/o them.
>
> Thanks Rob, that did it.
>
> Need me to file a bug so this doesn't get lost?

We have an upstream ticket opened on it if you want to add any details 
(like what characters were blowing up), 
https://fedorahosted.org/freeipa/ticket/1636


rob
