Re: [Freeipa-users] ipa-server-install fails at DogTag restart
On Wed, Dec 14, 2016 at 05:35:35PM +, Tommy Nikjoo wrote:
> Hi,
>
> I'm trying to install FreeIPA on CentOS 7 using the yum package, but I
> keep getting an error when it tries to restart DogTag
>
> [26/31]: restarting certificate server
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance. See the installation log for details.
> [27/31]: migrating certificate profiles to LDAP
> [error] NetworkError: cannot connect to
> 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
> ipa.ipapython.install.cli.install_tool(Server): ERROR cannot connect
> to 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
> ipa.ipapython.install.cli.install_tool(Server): ERROR The
> ipa-server-install command failed. See /var/log/ipaserver-install.log
> for more information
>
>
> The log shows the following error
>
> 2016-12-14T16:53:05Z DEBUG NSSConnection init ldap.example.com
> 2016-12-14T16:53:05Z DEBUG Connecting: x.x.x.x:0
> 2016-12-14T16:53:05Z DEBUG approved_usage = SSL Server intended_usage =
> SSL Server
> 2016-12-14T16:53:05Z DEBUG cert valid True for
> "CN=ldap.example.com,O=EXAMPLE.COM"
> 2016-12-14T16:53:05Z DEBUG handshake complete, peer = x.x.x.x:8443
> 2016-12-14T16:53:05Z DEBUG Protocol: TLS1.2
> 2016-12-14T16:53:05Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> 2016-12-14T16:53:05Z DEBUG response status 200
> 2016-12-14T16:53:05Z DEBUG response headers {'content-length': '205',
> 'set-cookie': 'JSESSIONID=9B6C767CDBED07088646235E68E831E0; Path=/ca/;
> Secure; HttpOnly', 'expires': 'Thu, 01 Jan 1970 00:00:00 UTC', 'server':
> 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed, 14 Dec
> 2016 16:53:05 GMT', 'content-type': 'application/xml'}
> 2016-12-14T16:53:05Z DEBUG response body ' encoding="UTF-8" standalone="yes"?> id="ipara">iparaCertificate Manager
> AgentsRegistration Manager Agents'
> 2016-12-14T16:53:05Z DEBUG request POST
> https://ldap.example.com:8443/ca/rest/profiles/raw
> 2016-12-14T16:53:05Z DEBUG request body
> 'profileId=IECUserRoles\nclassId=caEnrollImpl\ndesc=Enroll user
> certificates with IECUserRoles extension via IPA-RA agent
> authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=IPA-RA
> Agent-Authenticated Server Certificate
> Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject
> Name
> Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject
> Name
> Default\npolicyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> O=EXAMPLE.COM\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity
> Constraint\npolicyset.serverCertSet.2.constraint.params.range=740\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity
> Default\npolicyset.serverCertSet.2.default.params.range=731\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key
> Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key
> Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No
> Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority
> Key Identifier
> Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No
> Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA
> Extension
> Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccess
[Freeipa-users] ipa-server-install fails at DogTag restart
Hi,

I'm trying to install FreeIPA on CentOS 7 using the yum package, but I keep getting an error when it tries to restart DogTag

[26/31]: restarting certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance. See the installation log for details.
[27/31]: migrating certificate profiles to LDAP
[error] NetworkError: cannot connect to 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
ipa.ipapython.install.cli.install_tool(Server): ERROR cannot connect to 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The log shows the following error

2016-12-14T16:53:05Z DEBUG NSSConnection init ldap.example.com
2016-12-14T16:53:05Z DEBUG Connecting: x.x.x.x:0
2016-12-14T16:53:05Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-12-14T16:53:05Z DEBUG cert valid True for "CN=ldap.example.com,O=EXAMPLE.COM"
2016-12-14T16:53:05Z DEBUG handshake complete, peer = x.x.x.x:8443
2016-12-14T16:53:05Z DEBUG Protocol: TLS1.2
2016-12-14T16:53:05Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-12-14T16:53:05Z DEBUG response status 200
2016-12-14T16:53:05Z DEBUG response headers {'content-length': '205', 'set-cookie': 'JSESSIONID=9B6C767CDBED07088646235E68E831E0; Path=/ca/; Secure; HttpOnly', 'expires': 'Thu, 01 Jan 1970 00:00:00 UTC', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed, 14 Dec 2016 16:53:05 GMT', 'content-type': 'application/xml'}
2016-12-14T16:53:05Z DEBUG response body 'iparaCertificate Manager AgentsRegistration Manager Agents'
2016-12-14T16:53:05Z DEBUG request POST https://ldap.example.com:8443/ca/rest/profiles/raw
2016-12-14T16:53:05Z DEBUG request body 'profileId=IECUserRoles\nclassId=caEnrollImpl\ndesc=Enroll user certificates with IECUserRoles extension via IPA-RA agent authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=IPA-RA Agent-Authenticated Server Certificate Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject Name Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject Name Default\npolicyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=EXAMPLE.COM\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity Constraint\npolicyset.serverCertSet.2.constraint.params.range=740\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity Default\npolicyset.serverCertSet.2.default.params.range=731\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority Key Identifier Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA Extension Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicy
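The request body in the log above is a Dogtag "raw" certificate profile: one key=value line per setting, with policyset.<set>.<id>.constraint.* and policyset.<set>.<id>.default.* describing what each enrollment policy will accept and what it will fill in. The following is an added example, not code from the poster, FreeIPA or Dogtag: a parser for that format plus a few checks a reviewer would run over any profile before it is imported, generalised beyond the one profile shown (it handles any number of policy sets). The sample input is a constructed excerpt of the IECUserRoles profile from the log, trimmed to three policies; the 2048-bit RSA floor and the full-match interpretation of the subject-name regex are assumptions of this example, not Dogtag behaviour confirmed by the post.

```python
"""Parse and audit a Dogtag "raw" certificate profile (added example)."""
import re

MIN_RSA_BITS = 2048  # assumption for this example: the policy floor for RSA keys

# Constructed excerpt of the IECUserRoles profile quoted in the post; the
# literal "\n" in the log was the line separator of the POSTed text.
SAMPLE_PROFILE = """profileId=IECUserRoles
classId=caEnrollImpl
desc=Enroll user certificates with IECUserRoles extension via IPA-RA agent authentication.
visible=false
enable=true
enableBy=admin
auth.instance_id=raCertAuth
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
input.list=i1,i2
output.list=o1
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=EXAMPLE.COM
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
"""


def parse_raw_profile(text):
    """Split raw profile text into (top-level settings, policy sets).

    Keys shaped policyset.<set>.<id>.<constraint|default>.<rest> land in
    policysets[set][id][kind][rest]; every other key is kept top-level.
    """
    top, policysets = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # values may themselves contain '='
        key = key.strip()
        parts = key.split(".", 4)
        if len(parts) == 5 and parts[0] == "policyset" and parts[3] in ("constraint", "default"):
            _, pset, pid, kind, rest = parts
            policysets.setdefault(pset, {}).setdefault(pid, {}).setdefault(kind, {})[rest] = value
        else:
            top[key] = value
    return top, policysets


def audit_profile(text):
    """Return a list of (policyset, policy_id, message) findings."""
    _, policysets = parse_raw_profile(text)
    findings = []
    for pset, policies in policysets.items():
        for pid, policy in policies.items():
            con = policy.get("constraint", {})
            dflt = policy.get("default", {})
            cid = con.get("class_id")
            if cid == "keyConstraintImpl":
                # keyParameters lists every key size the CA will sign for.
                sizes = [int(s) for s in con.get("params.keyParameters", "").split(",") if s.strip()]
                weak = [s for s in sizes if s < MIN_RSA_BITS]
                if weak:
                    findings.append((pset, pid, "keyConstraint accepts weak RSA sizes %s" % weak))
            elif cid == "validityConstraintImpl":
                # A default validity above the constraint makes every default enrollment fail.
                limit = int(con.get("params.range", "0"))
                wanted = int(dflt.get("params.range", "0"))
                if wanted > limit:
                    findings.append((pset, pid, "validity default %d days exceeds constraint %d" % (wanted, limit)))
            elif cid == "subjectNameConstraintImpl":
                pattern = con.get("params.pattern", "")
                if con.get("params.accept", "true") == "true" and pattern in ("", ".*"):
                    findings.append((pset, pid, "subject name constraint accepts any subject"))
    return findings


def subject_allowed(text, subject_dn):
    """Check a subject DN against the profile's subjectNameConstraintImpl pattern.

    Full-match semantics are an assumption of this example; Dogtag applies the
    pattern with Java regex, so verify against the CA before relying on it.
    """
    _, policysets = parse_raw_profile(text)
    for policies in policysets.values():
        for policy in policies.values():
            con = policy.get("constraint", {})
            if con.get("class_id") == "subjectNameConstraintImpl":
                matched = re.fullmatch(con.get("params.pattern", ""), subject_dn) is not None
                return matched if con.get("params.accept", "true") == "true" else not matched
    return True  # no subject-name constraint in the profile


if __name__ == "__main__":
    for pset, pid, msg in audit_profile(SAMPLE_PROFILE):
        print("%s policy %s: %s" % (pset, pid, msg))
```

On the excerpt above the audit reports one finding: policy 3's keyConstraintImpl still lists 1024 among the accepted RSA sizes, so the profile would sign a 1024-bit key if an enrollment requested one. The validity pair (default 731 days within a 740-day constraint) passes, and the subject pattern CN=[^,]+,.+ admits "CN=host.example.com,O=EXAMPLE.COM" but rejects a bare "CN=host.example.com", which is what the O=EXAMPLE.COM suffix in the subject default relies on.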