Bug 973866 - ipa-server-install fails at configuring certificate server instance step 2 of 20
Summary: ipa-server-install fails at configuring certificate server instance step 2 of 20
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-06-13 02:55 UTC by Henry Maine
Modified: 2013-06-24 16:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-19 06:49:30 UTC
Target Upstream Version:
Embargoed:


Attachments
console output of ipa-server-install command (3.08 KB, text/plain), 2013-06-13 02:55 UTC, Henry Maine
ipaserver install log file (18.47 KB, text/x-log), 2013-06-13 02:59 UTC, Henry Maine
pki-ca install log (206.23 KB, text/x-log), 2013-06-13 03:00 UTC, Henry Maine
catalina.out (5.08 KB, text/plain), 2013-06-13 18:42 UTC, Henry Maine
pki-ca system log (323 bytes, text/plain), 2013-06-13 18:43 UTC, Henry Maine
/etc/hosts (209 bytes, text/plain), 2013-06-14 23:32 UTC, Henry Maine
Output from commands showing state of firewalling. (471 bytes, text/plain), 2013-06-17 21:42 UTC, Henry Maine

Description Henry Maine 2013-06-13 02:55:10 UTC
Created attachment 760406 [details]
console output of ipa-server-install command

Description of problem:
Attempting to install IPA server using the following command line string:

ipa-server-install --hostname=station1.domain1.example.com -n domain1.example.com -r DOMAIN1.EXAMPLE.COM -p password -a password

I'm using an external DNS server and I am able to resolve station1.domain1.example.com both forward and reverse and I also have
an entry in /etc/hosts for station1.domain1.example.com

console output and install log attached.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-25.el6.x86_64
pki-silent-9.0.3-30.el6.noarch

How reproducible:

Always

Steps to Reproduce:
1. ipa-server-install --hostname=station1.domain1.example.com -n domain1.example.com -r DOMAIN1.EXAMPLE.COM -p password -a password

Comment 1 Henry Maine 2013-06-13 02:59:52 UTC
Created attachment 760409 [details]
ipaserver install log file

Comment 2 Henry Maine 2013-06-13 03:00:53 UTC
Created attachment 760420 [details]
pki-ca install log

Comment 4 Martin Kosek 2013-06-13 07:10:03 UTC
I did not see any obvious error in the logs you sent; we will need more information.

Are there any AVCs in /var/log/audit/audit.log?

Can you also provide pki-ca logs stored in /var/log/pki-ca/? Namely these logs should help (if available):
/var/log/pki-ca/catalina.out
/var/log/pki-ca/system


Endi or Ade, would you have any idea what could be causing this?

Comment 5 Henry Maine 2013-06-13 18:42:04 UTC
(In reply to Martin Kosek from comment #4)
 
> Are there any AVCs in /var/log/audit/audit.log?

Unfortunately SELinux is in permissive mode.
 
> Can you also provide pki-ca logs stored in /var/log/pki-ca/? Namely these
> logs should help (if available):
> /var/log/pki-ca/catalina.out
> /var/log/pki-ca/system

Attaching these.  Not familiar with this service but it's obvious
it's unhappy about something.

> 
> 
> Endi or Ade, would you have any idea what could be causing this?

Comment 6 Henry Maine 2013-06-13 18:42:49 UTC
Created attachment 760891 [details]
catalina.out

Comment 7 Henry Maine 2013-06-13 18:43:38 UTC
Created attachment 760892 [details]
pki-ca system log

Comment 8 Martin Kosek 2013-06-14 07:26:16 UTC
Ok, thanks for info. I did not see anything that would help me resolve the issue though.

I have one more idea (before I hand this issue over to PKI specialists) - can you please also paste contents of your /etc/hosts? Unexpected configuration of this file tends to break some services.

Comment 9 Henry Maine 2013-06-14 23:32:27 UTC
Created attachment 761457 [details]
/etc/hosts

Comment 10 Henry Maine 2013-06-14 23:35:07 UTC
Attached /etc/hosts from the afflicted system.

Comment 11 Martin Kosek 2013-06-17 08:34:16 UTC
Ok, /etc/hosts is fine. Looking at all the logs again and seeing errors like "Exception: Unable to Send Request:java.net.ConnectException: Connection refused", could the reason be a wrongly set local firewall which would reject communication on loopback?

I already saw install errors caused by iptables preventing some ports on the loopback interface.

Thank you for your patience and cooperation.

Comment 12 Henry Maine 2013-06-17 21:41:50 UTC
Unfortunately, iptables is off.  I've attached the output from 'chkconfig' and 'service' for confirmation.

Comment 13 Henry Maine 2013-06-17 21:42:41 UTC
Created attachment 762220 [details]
Output from commands showing state of firewalling.

Comment 14 Martin Kosek 2013-06-18 10:33:05 UTC
Ok, thanks. It was worth a shot. We need more expert help from PKI. Ade, can you please provide help with investigating this issue?

Comment 15 Henry Maine 2013-06-18 21:43:46 UTC
I think you can close this out.  I rebuilt both the physical host and the VM in question and things are working fine now.  I suspect that I may have gotten some packages from 'RHEL Supplemental' intermixed with the base RHEL 6.4 packages on the earlier build I was using which may have caused the problem.

Comment 16 Martin Kosek 2013-06-19 06:49:30 UTC
Ok, that may have been the root cause, as I would be surprised if the IPA server would fail as simply as this, since QE tests all sorts of installations pretty extensively.

Closing the bug, I am glad IPA is working now for you.

Comment 17 Sankar Ramalingam 2013-06-24 16:28:39 UTC
Removing the qa_ack flags since they were wrongly marked. Apologies.
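
The three checks requested in comments 4, 8 and 11 (AVC denials, the /etc/hosts mapping, filtering on the loopback interface), written as shell helpers. This is an added example, not part of the bug report or of IPA; the function names and all sample inputs are constructed, and treating a hostname mapped to a loopback address as the "unexpected" /etc/hosts case is an assumption.

```bash
#!/bin/bash
# Each helper reads a file, so it runs on the live path or on saved output.

count_avc_denials() {        # comment 4; live path: /var/log/audit/audit.log
    grep -c 'type=AVC .*denied' "$1" || true    # grep -c prints 0 but exits 1
}

hosts_addresses_for() {      # comment 8; usage: hosts_addresses_for FQDN FILE
    awk -v h="$1" '{ sub(/#.*/, "")
        for (i = 2; i <= NF; i++) if ($i == h) print $1 }' "$2"
}

hostname_on_loopback() {     # assumed example of an "unexpected" /etc/hosts
    hosts_addresses_for "$1" "$2" | grep -Eq '^(127\.|::1$)'
}

loopback_filtering() {       # comment 11; input: saved `iptables -S` output
    awk '$1 == "-P" && $2 == "INPUT" { policy = $3 }
         $1 == "-A" && $2 == "INPUT" {   # heuristic: first decisive INPUT rule
             if ($0 ~ /-i lo .*-j ACCEPT/) { print "ok"; seen = 1; exit }
             if ($0 !~ / -i / && $0 ~ /-j (DROP|REJECT)/) {
                 print "suspect"; seen = 1; exit }
         }
         END { if (!seen) print (policy == "DROP" ? "suspect" : "ok") }' "$1"
}

make_samples() {             # constructed inputs, not the reporter's attachments
    printf '%s\n' 'type=SYSCALL msg=audit(1371091000.100:41): success=yes' \
        'type=AVC msg=audit(1371091000.123:42): avc:  denied  { name_connect } for pid=2101 comm="java"' \
        > "$1/audit.log"
    printf '%s\n' '127.0.0.1 localhost station1.domain1.example.com' > "$1/hosts.bad"
    printf '%s\n' '127.0.0.1 localhost' \
        '192.0.2.10 station1.domain1.example.com station1 # static' > "$1/hosts.good"
    printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' > "$1/ipt.ok"
    printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' > "$1/ipt.bad"
}

dir=$(mktemp -d) && make_samples "$dir"
echo "AVC denials:        $(count_avc_denials "$dir/audit.log")"
hostname_on_loopback station1.domain1.example.com "$dir/hosts.bad" \
    && echo "hosts.bad:          FQDN mapped to loopback"
echo "loopback (ipt.bad): $(loopback_filtering "$dir/ipt.bad")"
rm -rf "$dir"
```

On a live host, pass /var/log/audit/audit.log, /etc/hosts and the saved output of `iptables -S` in place of the sample files.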

