The IPA startup script is supposed to keep checking Dogtag's status for 2 minutes until it's up and running (see ipapython/platform/fedora16.py lines 160-166):
while time.time() < op_timeout status = dogtag.ca_status() if status == 'running': break time.sleep(1)
However, this code also assumes that ca_status() would return immediately and not throw an exception. The problem is the ca_status() uses an HTTP GET operation to check Dogtag's status. Under some circumstances Dogtag may take a long time to respond, so the HTTP GET may time out much earlier than 2 minutes. And since the above code doesn't catch the exception, the whole loop fails immediately, so it doesn't wait for a full 2 minutes as expected.
One possible solution is to catch the exception, either in the above loop or inside ca_status().
Related Dogtag issue:
attachment 0002-WIP-https-bugzilla.redhat.com-show_bug.cgi-id-912230.patch
I tried this patch and it worked for me today in my various restarts of IPA in virtual machines.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=924077
master: 41031fe[[BR]] ipa-3-1: 4f8c889
Metadata Update from @edewata: - Issue assigned to someone - Issue set to the milestone: FreeIPA 3.2 - 2013/03
Login to comment on this ticket.