Description of problem:

I was trying to install freeipa. The freeipa installer calls pkisilent. pkisilent failed when a link local IPv6 address was configured on eth0. In this case, the installed pki daemons (e.g. port 9445) only opened IPv6 listening sockets, no IPv4 sockets. This machine is IPv4 exclusively, its host name resolves to an IPv4 address only.

Version-Release number of selected component (if applicable):
pki-silent-9.0.15-1.fc16

How reproducible:
always

Steps to Reproduce:
1. as part of ipa-server-install, the following command is executed:

/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'server.xxxxx.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-HxuF_T' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'rgN1Coi9yfnvOUlxsUUw' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=AXSEM.COM' '-ldap_host' 'server.xxxxx.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=XXXXX.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=XXXXX.COM' '-ca_server_cert_subject_name' 'CN=axextserver1.hq.axsem.com,O=XXXXX.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=XXXXX.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=XXXXX.COM' '-external' 'false' '-clone' 'false'

Actual results:
exit status 255

Expected results:
exit status 0

Additional info:
Removing the link local IPv6 address made it work for me.
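
Added example, not part of the original report or of the Dogtag/FreeIPA code: a check for the symptom described above, working out which address families can actually reach a listening port and comparing them with the families the host name resolves to. The sample tables are constructed and the function names are hypothetical; it relies on the Linux behaviour that a socket bound to `::` appears only in /proc/net/tcp6 yet also accepts IPv4 clients unless it is IPv6-only (net.ipv6.bindv6only or per-socket IPV6_V6ONLY).

```python
LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp and /proc/net/tcp6

# Constructed samples in /proc/net/tcp{,6} layout (trailing columns trimmed).
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0E100E0A:0016 0A100E0A:C350 01
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:24E5 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:1F45 00000000000000000000000000000000:0000 0A
"""

def listeners(proc_text):
    """Map each listening port to a list of flags: True = wildcard bind."""
    found = {}
    for line in proc_text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        found.setdefault(int(port_hex, 16), []).append(set(addr_hex) == {"0"})
    return found

def reachable(port, tcp4_text, tcp6_text, bindv6only):
    """Return the sorted ways a client can reach `port`."""
    ways = set()
    if port in listeners(tcp4_text):
        ways.add("ipv4")
    v6_binds = listeners(tcp6_text).get(port, [])
    if v6_binds:
        ways.add("ipv6")
        # A socket bound to :: also takes IPv4 clients unless it is v6-only.
        # Assumption: the socket kept the sysctl default (no per-socket
        # IPV6_V6ONLY), which /proc/net/tcp6 cannot show.
        if any(v6_binds) and bindv6only == 0:
            ways.add("ipv4-mapped")
    return sorted(ways)

def unreachable(port, host_families, tcp4_text, tcp6_text, bindv6only):
    """Families the host name resolves to that no listener serves."""
    ways = reachable(port, tcp4_text, tcp6_text, bindv6only)
    served = {"ipv4" if w.startswith("ipv4") else "ipv6" for w in ways}
    return sorted(set(host_families) - served)

if __name__ == "__main__":
    print(unreachable(9445, {"ipv4"}, SAMPLE_TCP4, SAMPLE_TCP6, bindv6only=1))
```

On a live system, pass the contents of /proc/net/tcp and /proc/net/tcp6 and the integer read from /proc/sys/net/ipv6/bindv6only in place of the samples.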
Need more info please.

Please provide the /etc/hosts or other configuration for the failing case. Also please provide the dogtag logs so we can try to understand what is going on.

tar cvzf ca.logs.tar.gz /var/log/pki-ca/*

also provide /var/log/pki-ca-install.log

Thanks.
We need to get more information to be able to reproduce this issue. Please provide the information requested in comment#1.
Since no further information was obtained, the following test was run:

# hostname
server.example.com

# uname -a
Linux server.example.com 3.4.9-2.fc16.x86_64 #1 SMP Thu Aug 23 17:51:29 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/fedora-release
Fedora release 16 (Verne)

# ifconfig
em1       Link encap:Ethernet  HWaddr 00:1E:4F:AB:7B:1A
          inet addr:10.14.16.14  Bcast:10.14.16.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:4fff:feab:7b1a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16125115 errors:0 dropped:9788 overruns:0 frame:0
          TX packets:11664389 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18350671303 (17.0 GiB)  TX bytes:3223102316 (3.0 GiB)
          Interrupt:16

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:124035 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124035 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:53816054 (51.3 MiB)  TX bytes:53816054 (51.3 MiB)

# /usr/sbin/setup-ds-admin.pl

# rpm -qa | egrep -i pki-\|osutil | sort | cat -n
     1  dogtag-pki-ca-theme-9.0.12-1.fc16.noarch
     2  dogtag-pki-common-theme-9.0.12-1.fc16.noarch
     3  dogtag-pki-console-theme-9.0.12-1.fc16.noarch
     4  dogtag-pki-kra-theme-9.0.12-1.fc16.noarch
     5  dogtag-pki-ocsp-theme-9.0.12-1.fc16.noarch
     6  dogtag-pki-ra-theme-9.0.12-1.fc16.noarch
     7  dogtag-pki-tks-theme-9.0.12-1.fc16.noarch
     8  dogtag-pki-tps-theme-9.0.12-1.fc16.noarch
     9  osutil-2.0.2-1.fc16.x86_64
    10  pki-ca-9.0.23-1.fc16.noarch
    11  pki-common-9.0.23-1.fc16.noarch
    12  pki-common-javadoc-9.0.23-1.fc16.noarch
    13  pki-java-tools-9.0.23-1.fc16.noarch
    14  pki-java-tools-javadoc-9.0.23-1.fc16.noarch
    15  pki-native-tools-9.0.23-1.fc16.x86_64
    16  pki-selinux-9.0.23-1.fc16.noarch
    17  pki-setup-9.0.23-1.fc16.noarch
    18  pki-silent-9.0.23-1.fc16.noarch
    19  pki-symkey-9.0.23-1.fc16.x86_64
    20  pki-util-9.0.23-1.fc16.noarch
    21  pki-util-javadoc-9.0.23-1.fc16.noarch

# pkicreate -pki_instance_root=/var/lib \
    -pki_instance_name=pki-ca \
    -subsystem_type=ca \
    -agent_secure_port=9443 \
    -ee_secure_port=9444 \
    -ee_secure_client_auth_port=9446 \
    -admin_secure_port=9445 \
    -unsecure_port=9180 \
    -tomcat_server_port=9701 \
    -user=pkiuser \
    -group=pkiuser \
    -redirect conf=/etc/pki-ca \
    -redirect logs=/var/log/pki-ca \
    -verbose

# pkisilent ConfigureCA \
    -cs_hostname "server.example.com" \
    -cs_port 9445 \
    -client_certdb_dir /tmp \
    -client_certdb_pwd XXXXXXXX \
    -preop_pin HgI7JGfR4KGWIi1qFshi \
    -domain_name "Security Domain" \
    -admin_user admin \
    -admin_password XXXXXXXX \
    -admin_email "root@localhost" \
    -agent_name "CA Administrator of Instance pki-ca\'s Security Domain ID" \
    -agent_key_size 2048 \
    -agent_key_type rsa \
    -agent_cert_subject "cn=CA Administrator of Instance pki-ca,uid=admin,e=root@localhost,o=Security Domain" \
    -ldap_host localhost \
    -ldap_port 389 \
    -bind_dn "cn=Directory Manager" \
    -bind_password XXXXXXXX \
    -base_dn "dc=server.example.com-pki-ca" \
    -db_name "server.example.com-pki-ca" \
    -key_size 2048 \
    -key_type rsa \
    -key_algorithm SHA256withRSA \
    -signing_algorithm SHA256withRSA \
    -signing_signingalgorithm SHA256withRSA \
    -ocsp_signing_signingalgorithm SHA256withRSA \
    -save_p12 true \
    -backup_pwd XXXXXXXX \
    -subsystem_name "Certificate Authority" \
    -token_name internal \
    -token_pwd XXXXXXXX \
    -ca_sign_cert_subject_name "cn=Certificate Authority,o=Security Domain" \
    -ca_subsystem_cert_subject_name "cn=CA Subsystem Certificate,o=Security Domain" \
    -ca_ocsp_cert_subject_name "cn=OCSP Signing Certificate,o=Security Domain" \
    -ca_server_cert_subject_name "cn=server.example.com,o=Security Domain" \
    -ca_audit_signing_cert_subject_name "cn=CA Audit Signing Certificate,o=Security Domain" \
    -external false \
    -clone false

# /bin/systemctl restart pki-cad

# cd /tmp
# pk12util -o admin.p12 -n "CA Administrator of Instance pki-ca\'s Security Domain ID" -d .
# chmod 755 admin.p12

Create a new firefox profile for 'user' and import the Admin Certificate:

% cd ~/user/.mozilla/firefox/g8zpfo7q.f16
% cp /tmp/admin.p12 .
% pk12util -i admin.p12 -d .

Open the browser and select the new profile:

* https://server.example.com:9445/ca/services
* Select "SSL End Users Services" and trust the connection
* https://server.example.com:9444/ca/ee/ca/
* Select Retrieval Tab
* Select "Import CA Certificate Chain"
* Select "Import the CA certificate chain into your browser" radio button and press "Submit"
* Check all three trust checkboxes and press "OK"
* https://server.example.com:9443/ca/agent/ca/
* Accept the "CA Administrator of Instance pki-ca\'s Security Domain ID [06]" and press "OK"

Successfully enrolled and approved a certificate request.