Red Hat Bugzilla – Bug 973866
ipa-server-install fails at configuring certificate server instance step 2 of 20
Last modified: 2013-06-24 12:28:39 EDT
Created attachment 760406
console output of ipa-server-install command
Description of problem:
Attempting to install IPA server using the following command line string:
ipa-server-install --hostname=station1.domain1.example.com -n domain1.example.com -r DOMAIN1.EXAMPLE.COM -p password -a password
I'm using an external DNS server and I am able to resolve station1.domain1.example.com both forward and reverse, and I also have an entry in /etc/hosts for station1.domain1.example.com.
Console output and install log attached.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ipa-server-install --hostname=station1.domain1.example.com -n domain1.example.com -r DOMAIN1.EXAMPLE.COM -p password -a password
Created attachment 760409
ipaserver install log file
Created attachment 760420
pki-ca install log
I did not see any obvious error in the logs you sent, we will need more information.
Are there any AVCs in /var/log/audit/audit.log?
Can you also provide pki-ca logs stored in /var/log/pki-ca/? Namely these logs should help (if available):
Endi or Ade, would you have any idea what could be causing this?
(In reply to Martin Kosek from comment #4)
> Are there any AVCs in /var/log/audit/audit.log?
Unfortunately SELinux is in permissive mode.
> Can you also provide pki-ca logs stored in /var/log/pki-ca/? Namely these
> logs should help (if available):
Attaching these. Not familiar with this service, but it's obvious it's unhappy about something.
> Endi or Ade, would you have any idea what could be causing this?
Created attachment 760891
Created attachment 760892
pki-ca system log
Ok, thanks for info. I did not see anything that would help me resolve the issue though.
I have one more idea (before I hand this issue over to PKI specialists) - can you please also paste contents of your /etc/hosts? Unexpected configuration of this file tends to break some services.
Created attachment 761457
Attached /etc/hosts from the afflicted system.
Ok, /etc/hosts is fine. Looking at all logs again and seeing errors like "Exception: Unable to Send Request:java.net.ConnectException: Connection refused", could the reason be a wrongly set local firewall which would reject communication on loopback?
I already saw install errors caused by iptables preventing some ports on the loopback interface.
Thank you for your patience and cooperation.
Unfortunately, iptables is off. I've attached the output from 'chkconfig' and 'service' for confirmation.
Created attachment 762220
Output from commands showing state of firewalling.
Ok, thanks. It was worth a shot. We need more expert help from PKI. Ade, can you please provide help with investigating this issue?
I think you can close this out. I rebuilt both the physical host and the VM in question and things are working fine now. I suspect that I may have gotten some packages from 'RHEL Supplemental' intermixed with the base RHEL 6.4 packages on the earlier build I was using, which may have caused the problem.
Ok, that may have been the root cause, as I would be surprised if IPA server failed as simply as this, since QE tests all sorts of installations pretty extensively.
Closing the bug, I am glad IPA is working now for you.
Removing the qa_ack flags since they were wrongly marked. Apologies.