Bug 663344 - ipa-server-install fails on importing CA chain to RA certificate database.
Summary: ipa-server-install fails on importing CA chain to RA certificate database.
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: ipa
Version: 14
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-12-15 13:48 UTC by Gowrishankar Rajaiyan
Modified: 2010-12-15 14:08 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-15 14:08:31 UTC
Type: ---


Attachments
ipaserver-install.log (145.72 KB, text/plain)
2010-12-15 13:52 UTC, Gowrishankar Rajaiyan

Description Gowrishankar Rajaiyan 2010-12-15 13:48:54 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-1.91-0.2010121421gitcec6703.fc14.x86_64
389-ds-base-1.2.7.4-1.fc14.x86_64
pki-ca-1.3.6-1.fc14.noarch

How reproducible:
Always

Steps to Reproduce:
1. Run ipa-server-install (command used "ipa-server-install  --hostname=gsrf14ipas.lab.eng.pnq.redhat.com -r LAB.ENG.PNQ.REDHAT.COM -n lab.eng.pnq.redhat.com -p Secret123 -P Secret123 -a Secret123 -u admin -U --no-ntp")
2. 
3.
  
Actual results:
# ipa-server-install  --hostname=gsrf14ipas.lab.eng.pnq.redhat.com -r LAB.ENG.PNQ.REDHAT.COM -n lab.eng.pnq.redhat.com -p Secret123 -P Secret123 -a Secret123 -u admin -U --no-ntp

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

Excluded by options:
  * Configure the Network Time Daemon (ntpd)

To accept the default shown in brackets, press the Enter key.

The IPA Master Server will be configured with
Hostname:    gsrf14ipas.lab.eng.pnq.redhat.com
IP address:  10.65.201.180
Domain name: lab.eng.pnq.redhat.com

Configuring directory server for the CA: Estimated time 30 minutes
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 36 minutes
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
  [5/16]: restarting certificate server
  [6/16]: creating CA agent PKCS#12 file in /root
  [7/16]: creating RA agent certificate database
  [8/16]: importing CA chain to RA certificate database
Unexpected error - see ipaserver-install.log for details:
 Unable to retrieve CA chain: request failed with HTTP status 500


Expected results:
Successful setup of IPA with no error messages.


Additional info:

Comment 1 Gowrishankar Rajaiyan 2010-12-15 13:52:32 UTC
Created attachment 468861
ipaserver-install.log

Comment 2 Simo Sorce 2010-12-15 14:08:31 UTC
This is the cause:
https://fedorahosted.org/freeipa/ticket/320

You will find instructions on how to fix it temporarily until dogtag is fixed in F14.

