Installing new freeipa server (master) on a brand new CentOS8 install fails.
```
# cat /etc/os-release
NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="8"
```
```
# ipa-server-install --allow-zone-overlap

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.8.4

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [id01.domain.io]:

Warning: skipping DNS resolution of host id01.domain.io
The domain name has been determined based on the host name.

Please confirm the domain name [domain.io]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [DOMAIN.IO]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain domain.io., please wait ...
DNS zone domain.io. already exists in DNS and is handled by server(s): main.domain.io.
Please make sure that the domain is properly delegated to this IPA server.
No network interface matches the IP address 195.101.11x.xx
WARNING: No network interface matches the IP address 195.101.11x.xx
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]:
Reverse record for IP address 195.101.11x.xx already exists
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip:
Enter a NTP source pool address, or press Enter to skip: 0.europe.pool.ntp.org,1.europe.pool.ntp.org

The IPA Master Server will be configured with:
Hostname:       id01.domain.io
IP address(es): 195.101.11x.xx
Domain name:    domain.io
Realm name:     DOMAIN.IO

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=DOMAIN.IO
Subject base: O=DOMAIN.IO
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Forward policy:   first
Reverse zone(s):  No reverse zone

NTP pool:       0.europe.pool.ntp.org,1.europe.pool.ntp.org

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
Augeas failed to configure file /etc/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: configure autobind for root
  [3/44]: stopping directory server
  [4/44]: updating configuration in dse.ldif
  [5/44]: starting directory server
  [6/44]: adding default schema
  [7/44]: enabling memberof plugin
  [8/44]: enabling winsync plugin
  [9/44]: configure password logging
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache and keytab
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwiwxs5ey'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: CA subsystem did not start after 60s\n  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n    request_timeout=status_request_timeout,\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 920, in wait_for_startup\n    (subsystem.type, timeout)) from exc\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
Install to finish successfully.
```
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
ipa-client-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
389-ds-base-1.4.2.4-8.module_el8.2.0+366+71e3276f.x86_64
pki-ca-10.8.3-2.module_el8.2.0+371+f5726439.noarch
krb5-server-1.17-18.el8.x86_64
```
Clean install. I repeated the process three times.

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
Logs at /var/log/pki/ are empty and don't have any errors.

/var/log/ipaserver-install.log:
```
2020-07-17T11:08:06Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 188, in spawn_instance
    ipautil.run(args, nolog=nolog_list)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run
    p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwiwxs5ey'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: CA subsystem did not start after 60s\n  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n    request_timeout=status_request_timeout,\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 920, in wait_for_startup\n    (subsystem.type, timeout)) from exc\n\n')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 596, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 190, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 423, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2020-07-17T11:08:06Z DEBUG   [error] RuntimeError: CA configuration failed.
2020-07-17T11:08:06Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2020-07-17T11:08:06Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 564, in main
    master_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 276, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 891, in install
    ca.install_step_0(False, None, options, custodia=custodia)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
    pki_config_override=options.pki_config_override,
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 480, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 596, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 190, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 423, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2020-07-17T11:08:06Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2020-07-17T11:08:06Z ERROR CA configuration failed.
2020-07-17T11:08:06Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
Please upload the pki-ca-spawn log from /var/log/pki and check journalctl messages related to Java, Tomcat, and pki-tomcatd@pki-tomcat.service.
/var/log/pki/pki-ca-spawn.20200717120639.log:

```
2020-07-17 12:08:06 ERROR: Exception: CA subsystem did not start after 60s
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn
    request_timeout=status_request_timeout,
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 920, in wait_for_startup
    (subsystem.type, timeout)) from exc
```
```
# journalctl -xeu pki-tomcatd@pki-tomcat.service
-- Logs begin at Fri 2020-07-17 11:46:05 WEST, end at Fri 2020-07-17 12:33:01 WEST. --
Jul 17 12:07:05 id01.issc.io systemd[1]: Starting PKI Tomcat Server pki-tomcat...
-- Subject: Unit pki-tomcatd@pki-tomcat.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit pki-tomcatd@pki-tomcat.service has begun starting up.
Jul 17 12:07:06 id01.issc.io pki-server[48378]: ----------------------------
Jul 17 12:07:06 id01.issc.io pki-server[48378]: pki-tomcat instance migrated
Jul 17 12:07:06 id01.issc.io pki-server[48378]: ----------------------------
Jul 17 12:07:06 id01.issc.io systemd[1]: Started PKI Tomcat Server pki-tomcat.
-- Subject: Unit pki-tomcatd@pki-tomcat.service has finished start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit pki-tomcatd@pki-tomcat.service has finished starting up.
--
-- The start-up result is done.
Jul 17 12:07:06 id01.issc.io server[48492]: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jul 17 12:07:06 id01.issc.io server[48492]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar
Jul 17 12:07:06 id01.issc.io server[48492]: main class used: org.apache.catalina.startup.Bootstrap
Jul 17 12:07:06 id01.issc.io server[48492]: flags used:
Jul 17 12:07:06 id01.issc.io server[48492]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomca>
Jul 17 12:07:06 id01.issc.io server[48492]: arguments used: start
```
```
# pwd
/var/log/pki/pki-tomcat
# ls -l
total 0
drwxrwx---. 4 pkiuser pkiuser 102 Jul 17 12:07 ca
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 17 12:06 catalina.2020-07-17.log
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 17 12:06 host-manager.2020-07-17.log
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 17 12:06 localhost.2020-07-17.log
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 17 12:07 localhost_access_log.2020-07-17.txt
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 17 12:06 manager.2020-07-17.log
drwxr-xr-x. 2 pkiuser pkiuser  34 Jul 17 12:07 pki
#
```
/var/log/pki/pki-tomcat/ca/debug.2020-07-17.log:

```
2020-07-17 12:07:10 [main] INFO: CMSEngine: Initializing authz subsystem
2020-07-17 12:07:10 [main] INFO: AAclAuthz: group evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: ipaddress evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: user evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: user_origreq evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: initialization done
2020-07-17 12:07:10 [main] INFO: BasicAclAuthz: initialization done
2020-07-17 12:07:10 [main] INFO: AuthzSubsystem: authz manager instance BasicAclAuthz added
2020-07-17 12:07:10 [main] INFO: AAclAuthz: group evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: ipaddress evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: user evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: user_origreq evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: initialization done
2020-07-17 12:07:10 [main] INFO: DirAclAuthz: found cn=aclResources,o=ipaca
2020-07-17 12:07:10 [main] INFO: DirAclAuthz: initialization done
2020-07-17 12:07:10 [main] INFO: AuthzSubsystem: authz manager instance DirAclAuthz added
2020-07-17 12:07:10 [main] INFO: AuthzSubsystem: authz initialization done.
2020-07-17 12:07:10 [main] INFO: CMSEngine: Initializing jobsScheduler subsystem
2020-07-17 12:07:10 [main] INFO: CMSEngine: Configuring auto shutdown
2020-07-17 12:07:10 [main] WARNING: CMSEngine: Unable to support auto-shutdown: Certificate not found: auditSigningCert cert-pki-tomcat
2020-07-17 12:07:10 [main] INFO: CMSEngine: Configuring servlet certificate nickname
2020-07-17 12:07:10 [main] INFO: CMSEngine: Configuring excluded LDAP attributes
2020-07-17 12:07:10 [main] INFO: ServerXml: Parsing /var/lib/pki/pki-tomcat/conf/server.xml
2020-07-17 12:07:10 [main] INFO: ServerXml: Unsecure port: 8080
2020-07-17 12:07:10 [main] INFO: ServerXml: Secure port: 8443
2020-07-17 12:07:10 [main] INFO: RequestSubsystem: Request subsystem started
2020-07-17 12:07:10 [main] INFO: LDAPProfileSubsystem: startup
2020-07-17 12:07:10 [main] INFO: CA subsystem started
```
Last entries on journalctl: https://pastebin.com/Sn3YPzVC
Hi,
Ok, so the issue I had was related to the network config. I was using a setup where the machine had an internal IP and there was a 1:1 NAT from the public address assigned.
The solution was to add the IP and subnet mask to the interface, so it had both configured: the internal IP and the external IP.
Afterwards I installed with no problems.
Thank you!
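The root cause above is the one the installer hinted at with "No network interface matches the IP address": the FQDN resolved to the NAT's public address, which was not on any local interface. The following pre-flight check is an added example (not code from this issue or from FreeIPA) that reproduces that comparison over `ip -o -4 addr show` output and prints the reporter's fix as an `ip addr add` command; it assumes a constructed sample with private address 10.0.0.5 and public address 203.0.113.10 standing in for 195.101.11x.xx, and a /32 prefix for the added alias.

```python
# Added pre-flight check (not FreeIPA code): reproduces the installer's
# "No network interface matches the IP address" test for a host behind 1:1 NAT.
import ipaddress
import re
import socket
import subprocess
import sys

# Constructed sample of `ip -o -4 addr show`: only the private 10.0.0.5 is on
# the NIC; 203.0.113.10 stands in for the NAT's public side (195.101.11x.xx).
SAMPLE_IP_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever\n"
    "2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever\n"
)
_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)")


def parse_ip_addr(output):
    """Map interface -> [(address, prefix)] from `ip -o -4 addr show` output."""
    local = {}
    for line in output.splitlines():
        m = _ADDR_RE.match(line)
        if m:
            local.setdefault(m.group(1), []).append((m.group(2), int(m.group(3))))
    return local


def resolve_fqdn(fqdn):
    """IPv4 addresses the FQDN resolves to; the installer compares these."""
    return sorted({i[4][0] for i in socket.getaddrinfo(fqdn, None, socket.AF_INET)})


def unmatched_addresses(resolved, local):
    """Resolved addresses no interface carries: each triggers the warning."""
    configured = {addr for addrs in local.values() for addr, _ in addrs}
    return [ip for ip in resolved if ip not in configured]


def suggest_fix(ip, iface, prefix=32):
    """The reporter's fix: add the public address to the interface.
    The /32 prefix is an assumption; use the mask your provider gives."""
    alias = ipaddress.ip_interface(f"{ip}/{prefix}")  # also validates the address
    return f"ip addr add {alias.with_prefixlen} dev {iface}"


def main(fqdn=None):
    """Live check: resolve the FQDN, compare with local addresses, exit 1 on mismatch."""
    fqdn = fqdn or socket.getfqdn()
    out = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    local = parse_ip_addr(out)
    missing = unmatched_addresses(resolve_fqdn(fqdn), local)
    for ip in missing:
        print(f"WARNING: No network interface matches the IP address {ip}")
        for iface in (i for i in local if i != "lo"):
            print("  candidate fix:", suggest_fix(ip, iface))
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python3 check_ipa_addr.py id01.domain.io` before `ipa-server-install`; a non-zero exit means the CA step in this issue is likely to fail the same way until the address is added.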
Metadata Update from @maverickws:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)