Created attachment 737273: ipaserver-install.log

Description of problem:
ipa-server-install fails with external ca

Version-Release number of selected component (if applicable):
freeipa-server-3.2.0-0.2.beta1.fc19.x86_64
pki-ca-10.0.1-2.1.fc19.noarch

How reproducible:

Steps to Reproduce:
1. ipa-server-install --setup-dns --external-ca
2. ipa-server-install --external_cert_file=/root/sign-ipa.crt --external_ca_file=/root/ad-ca.crt

Actual results:
Configuring certificate server (pki-tomcatd): Estimated time 33 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
  [3/20]: disabling nonces
  [4/20]: creating RA agent certificate database
  [5/20]: importing CA chain to RA certificate database
  [6/20]: fixing RA database permissions
  [7/20]: setting up signing cert profile
  [8/20]: set up CRL publishing
  [9/20]: set certificate subject base
  [10/20]: enabling Subject Key Identifier
  [11/20]: enabling CRL and OCSP extensions for certificates
  [12/20]: setting audit signing renewal to 2 years
  [13/20]: configuring certificate server to start on boot
  [14/20]: restarting certificate server
  [15/20]: requesting RA certificate from CA
  [16/20]: issuing RA agent certificate
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -A -t u,u,u -n ipaCert -a -i /tmp/tmphU1n_0' returned non-zero exit status 255

Expected results:
ipa-server-installation should succeed

Additional info:
I have the same problem, same component versions. I installed with the command:

ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname server.ipa.example.org --setup-dns --forwarder=<forwarder IP> -U

Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
  [3/20]: disabling nonces
  [4/20]: creating RA agent certificate database
  [5/20]: importing CA chain to RA certificate database
  [6/20]: fixing RA database permissions
  [7/20]: setting up signing cert profile
  [8/20]: set up CRL publishing
  [9/20]: set certificate subject base
  [10/20]: enabling Subject Key Identifier
  [11/20]: enabling CRL and OCSP extensions for certificates
  [12/20]: setting audit signing renewal to 2 years
  [13/20]: configuring certificate server to start on boot
  [14/20]: restarting certificate server
  [15/20]: requesting RA certificate from CA
  [16/20]: issuing RA agent certificate
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -A -t u,u,u -n ipaCert -a -i /tmp/tmpm6gYDB' returned non-zero exit status 255
This issue is caused by Bug 872761.
This is not a dogtag issue, moving to freeipa for tracking purposes.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3586
Note that setting up an external CA is not necessary to duplicate this bug. Installing IPA with a CA is enough.
Fixed in upstream NSS in:
nss-3.14.3-2.fc18
nss-3.14.3-12.0.fc19

We just need to set our deps right.

master: 732d1042a35c7db64c4ce1980e938666c65671ea
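A pre-install check that compares the host's NSS build against the fixed builds named in the comment above, added here as an example; it is not part of the bug thread or of FreeIPA's own code. The segment-wise rpmvercmp reimplementation and the dist-tag lookup are my own, and the input is assumed to be the plain output of `rpm -q nss`.

```python
import re

# Fixed NSS builds named in the bug thread, keyed by Fedora dist tag.
FIXED_NSS = {
    "fc18": ("3.14.3", "2.fc18"),
    "fc19": ("3.14.3", "12.0.fc19"),
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Compare two RPM version/release strings the way rpm does: split into
    numeric and alphabetic segments, numeric beats alpha, leftover segments
    win.  Tilde and caret ordering are deliberately not implemented."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")   # numeric: longer is larger
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1       # numeric segment is newer
        if x != y:
            return 1 if x > y else -1             # same kind, same length
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvr(nvr):
    """'nss-3.14.3-12.0.fc19' -> ('nss', '3.14.3', '12.0.fc19')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def nss_is_fixed(nvr):
    """True if the installed NSS build is at or above the fixed build for
    its Fedora release; False when older or when the release is unknown."""
    name, version, release = split_nvr(nvr)
    tag = re.search(r"\.(fc\d+)$", release)
    if name != "nss" or not tag or tag.group(1) not in FIXED_NSS:
        return False
    fixed_version, fixed_release = FIXED_NSS[tag.group(1)]
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)   # same version: compare release
    return c >= 0


if __name__ == "__main__":
    # Constructed sample inputs, in the format `rpm -q nss` prints.
    for sample in ("nss-3.14.3-11.0.fc19", "nss-3.14.3-12.0.fc19"):
        print(sample, "OK" if nss_is_fixed(sample) else "older than the fix")
```

Run it on the host as `python3 check_nss.py` after replacing the samples with `rpm -q nss` output, or import `nss_is_fixed` into a larger preflight script.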
freeipa-3.2.0-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/freeipa-3.2.0-1.fc19
no longer seeing CA related issues with installs: Made it all the way through with no errors:

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
Package freeipa-3.2.0-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.2.0-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7911/freeipa-3.2.0-1.fc19
then log in and leave karma (feedback).
freeipa-3.2.0-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.