Bug 973866 - ipa-server-install fails at configuring certificate server instance step 2 of 20
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Rob Crittenden
QA Contact: Namita Soman

Reported: 2013-06-12 22:55 EDT by Henry Maine
Modified: 2013-06-24 12:28 EDT
Doc Type: Bug Fix
Last Closed: 2013-06-19 02:49:30 EDT
Type: Bug

Attachments
console output of ipa-server-install command (3.08 KB, text/plain), 2013-06-12 22:55 EDT, Henry Maine
ipaserver install log file (18.47 KB, text/x-log), 2013-06-12 22:59 EDT, Henry Maine
pki-ca install log (206.23 KB, text/x-log), 2013-06-12 23:00 EDT, Henry Maine
catalina.out (5.08 KB, text/plain), 2013-06-13 14:42 EDT, Henry Maine
pki-ca system log (323 bytes, text/plain), 2013-06-13 14:43 EDT, Henry Maine
/etc/hosts (209 bytes, text/plain), 2013-06-14 19:32 EDT, Henry Maine
Output from commands showing state of firewalling. (471 bytes, text/plain), 2013-06-17 17:42 EDT, Henry Maine

Description Henry Maine 2013-06-12 22:55:10 EDT
Created attachment 760406
console output of ipa-server-install command

Description of problem:
Attempting to install IPA server using the following command line string:

ipa-server-install --hostname=station1.domain1.example.com -n domain1.example.com -r DOMAIN1.EXAMPLE.COM -p password -a password

I'm using an external DNS server and I am able to resolve station1.domain1.example.com both forward and reverse, and I also have an entry in /etc/hosts for station1.domain1.example.com.

Console output and install log attached.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-25.el6.x86_64
pki-silent-9.0.3-30.el6.noarch

How reproducible:

Always

Steps to Reproduce:
1. ipa-server-install --hostname=station1.domain1.example.com -n domain1.example.com -r DOMAIN1.EXAMPLE.COM -p password -a password
Comment 1 Henry Maine 2013-06-12 22:59:52 EDT
Created attachment 760409
ipaserver install log file
Comment 2 Henry Maine 2013-06-12 23:00:53 EDT
Created attachment 760420
pki-ca install log
Comment 4 Martin Kosek 2013-06-13 03:10:03 EDT
I did not see any obvious error in the logs you sent; we will need more information.

Are there any AVCs in /var/log/audit/audit.log?

Can you also provide pki-ca logs stored in /var/log/pki-ca/? Namely these logs should help (if available):
/var/log/pki-ca/catalina.out
/var/log/pki-ca/system


Endi or Ade, would you have any idea what could be causing this?
Comment 5 Henry Maine 2013-06-13 14:42:04 EDT
(In reply to Martin Kosek from comment #4)
 
> Are there any AVCs in /var/log/audit/audit.log?

Unfortunately SELinux is in permissive mode.
 
> Can you also provide pki-ca logs stored in /var/log/pki-ca/? Namely these
> logs should help (if available):
> /var/log/pki-ca/catalina.out
> /var/log/pki-ca/system

Attaching these.  Not familiar with this service but it's obvious
it's unhappy about something.

> 
> 
> Endi or Ade, would you have any idea what could be causing this?
Comment 6 Henry Maine 2013-06-13 14:42:49 EDT
Created attachment 760891
catalina.out
Comment 7 Henry Maine 2013-06-13 14:43:38 EDT
Created attachment 760892
pki-ca system log
Comment 8 Martin Kosek 2013-06-14 03:26:16 EDT
Ok, thanks for info. I did not see anything that would help me resolve the issue though.

I have one more idea (before I hand this issue over to PKI specialists) - can you please also paste contents of your /etc/hosts? Unexpected configuration of this file tends to break some services.
Comment 9 Henry Maine 2013-06-14 19:32:27 EDT
Created attachment 761457
/etc/hosts
Comment 10 Henry Maine 2013-06-14 19:35:07 EDT
Attached /etc/hosts from the afflicted system.
Comment 11 Martin Kosek 2013-06-17 04:34:16 EDT
Ok, /etc/hosts is fine. Looking at all the logs again and seeing errors like "Exception: Unable to Send Request:java.net.ConnectException: Connection refused", could the reason be a wrongly set local firewall which would reject communication on loopback?

I already saw install errors caused by iptables preventing some ports on the loopback interface.

Thank you for your patience and cooperation.
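
The loopback-firewall hypothesis raised in comment 11 can be checked mechanically against `iptables-save` output. The following is an added example, not part of the original bug thread or of the IPA project's code; the function name `loopback_verdict`, its simplified rule model and the sample rulesets are assumptions constructed for illustration.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def loopback_verdict(ruleset: str) -> str:
    """Verdict of the filter/INPUT chain for traffic arriving on lo.

    Simplified model (assumption of this example): only rules that match
    every loopback packet count, i.e. no match options or just '-i lo'.
    Port- or state-specific rules and jumps to user chains are skipped.
    """
    table, policy = None, "ACCEPT"   # no rules loaded means nothing is filtered
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]         # table header such as "*filter"
        elif table != "filter":
            continue
        elif line.startswith(":INPUT "):
            policy = line.split()[1] # chain policy, used if no rule decides
        elif line.startswith("-A INPUT "):
            args = shlex.split(line)[2:]
            if "-j" not in args:
                continue
            cut = args.index("-j")
            matches, target = args[:cut], args[cut + 1]
            if target in TERMINAL and matches in ([], ["-i", "lo"]):
                return target        # first catch-all rule decides
    return policy

# Constructed sample rulesets in iptables-save format (not from the bug's attachments).
WITH_LO_RULE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
WITHOUT_LO_RULE = WITH_LO_RULE.replace("-A INPUT -i lo -j ACCEPT\n", "")

if __name__ == "__main__":
    for name, rules in [("with lo rule", WITH_LO_RULE),
                        ("without lo rule", WITHOUT_LO_RULE), ("iptables off", "")]:
        print(f"{name}: loopback -> {loopback_verdict(rules)}")
```

On a live host the input would be the output of `iptables-save` run as root; an empty ruleset, as when iptables is off, yields ACCEPT.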
Comment 12 Henry Maine 2013-06-17 17:41:50 EDT
Unfortunately, iptables is off.  I've attached the output from 'chkconfig' and 'service' for confirmation.
Comment 13 Henry Maine 2013-06-17 17:42:41 EDT
Created attachment 762220
Output from commands showing state of firewalling.
Comment 14 Martin Kosek 2013-06-18 06:33:05 EDT
Ok, thanks. It was worth a shot. We need more expert help from PKI. Ade, can you please provide help with investigating this issue?
Comment 15 Henry Maine 2013-06-18 17:43:46 EDT
I think you can close this out.  I rebuilt both the physical host and the VM in question and things are working fine now.  I suspect that I may have gotten some packages from 'RHEL Supplemental' intermixed with the base RHEL 6.4 packages on the earlier build I was using which may have caused the problem.
Comment 16 Martin Kosek 2013-06-19 02:49:30 EDT
Ok, that may have been the root cause, as I would be surprised if IPA server would fail just as simply as this, as QE tests all sorts of installations pretty extensively.

Closing the bug, I am glad IPA is working now for you.
Comment 17 Sankar Ramalingam 2013-06-24 12:28:39 EDT
Removing the qa_ack flags since wrongly marked. Apologies.
