IPA-Server install error. Configuring CA Failed.
Hi
I have tried installing IPA-Server on a Red Hat system, and strangely it gave me a "Configuration of CA Failed" error. Coincidentally, the same error occurs on CentOS systems as well. However, I was installing IPA-Server on CentOS-based machines a few months back, but this time it doesn't work.

I have seen many reports of users facing a similar issue, but without any active solution.
Please find the attached ipaserver-install.log

PS: I have tried it on brand-new installed systems multiple times. Same error.
Responses
Hi Zeal Vora,
See if one of these bugzillas applies; one is the upstream, the other is the Red Hat bugzilla:
upstream IPA bugzilla 4415 https://fedorahosted.org/freeipa/ticket/4415
- As I type this, this bugzilla has a status of "assigned"
redhat bugzilla 1114127 https://bugzilla.redhat.com/show_bug.cgi?id=1114127, and see the comment by Scott Poore 2014-06-27 16:19:11 EDT (and he says his work-around may or may not be useful).
Hello,
I do not think this is the root cause, the hostname used in the original log was not that long (it may have been anonymized, I know). But even the errors did not match:
2014-06-27T19:44:00Z DEBUG stderr=Exception: Unable to Send Request:java.io.IOException: java.io.IOException: SSL_ForceHandshake failed:
vs,
2014-12-26T18:18:16Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
In this case, I rather suspect that some port was blocked before IPA server installation. I would especially check for port 8443 to be open. Other ports that PKI uses: in RHEL-6:
# netstat -putna | grep java
tcp 0 0 :::9180 :::* LISTEN 27771/java
tcp 0 0 :::9443 :::* LISTEN 27771/java
tcp 0 0 :::9444 :::* LISTEN 27771/java
tcp 0 0 ::ffff:127.0.0.1:9701 :::* LISTEN 27771/java
tcp 0 0 :::9445 :::* LISTEN 27771/java
tcp 0 0 :::9446 :::* LISTEN 27771/java
tcp 0 0 :::9447 :::* LISTEN 27771/java
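The two checks described in the reply above, as an added example that is not part of the thread: telling the two stderr signatures apart, and listing which process, if any, listens on 8443 and the PKI ports shown. The function names are hypothetical, and the sample netstat line for 8443 is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Ports are the ones named in the reply above.
PKI_PORTS="8443 9180 9443 9444 9445 9446 9447 9701"

# Reads ipaserver-install.log text on stdin; prints one label per failed request.
classify_ca_errors() {
    awk '
        /Unable to Send Request:.*SSL_ForceHandshake failed/ { print "tls-handshake"; next }
        /Unable to Send Request:.*Connection refused/ { print "connection-refused" }
    '
}

# Reads `netstat -putna` output on stdin. For each expected port prints
# "<port> <owner>": the listening program name, "-" if netstat could not
# show it, or "none" when nothing listens on that port.
pki_port_owners() {
    awk -v ports="$PKI_PORTS" '
        BEGIN { n = split(ports, want, " ") }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # ":::9180" -> "9180"
            prog = $7; sub(/^[0-9]+\//, "", prog)  # "27771/java" -> "java"
            owner[port] = prog
        }
        END {
            for (i = 1; i <= n; i++)
                print want[i], ((want[i] in owner) ? owner[want[i]] : "none")
        }
    '
}

# Sample input: the log line is quoted from the thread; the netstat excerpt
# is constructed (8443 held by a non-java process is a made-up case).
SAMPLE_LOG='2014-12-26T18:18:16Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused'
SAMPLE_NETSTAT='tcp 0 0 :::9180 :::* LISTEN 27771/java
tcp 0 0 ::ffff:127.0.0.1:9701 :::* LISTEN 27771/java
tcp 0 0 :::8443 :::* LISTEN 1234/httpd'

printf '%s\n' "$SAMPLE_LOG" | classify_ca_errors
printf '%s\n' "$SAMPLE_NETSTAT" | pki_port_owners
```

On a live host, pipe `netstat -putna` into `pki_port_owners` as root so the PID/Program column is populated.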
Here's one immediate possibility Zeal,
Download a RHEL 6.5 server iso and follow the instructions for creating an IPA server, and use (only) a local yum repo you have created from the RHEL 6.5 disk (or if you have a Red Hat Satellite server, a cloned channel that is earlier than the affected date for the ipa binaries with a bug).
(Note, using an external CA may cause bonus configuration fun, just to let you know). I created a test IPA server in this fashion for a test-victim server that I then later deleted for a test. But know that if you take this path, you inherit all security issues that are not patched from the release of RHEL 6.5 to current day, until you register and patch the system with errata, security fixes and the future bug fix they have for IPA.
I had attempted to create an IPA server under RHEL 7, but at the time I did it, the install failed and when I looked up the error messages, I had found a bugzilla against IPA on RHEL 7... but there's a chance they may have fixed it (and I have not checked). If I had a choice, I'd rather have an IPA server on RHEL 7... but I've had bigger fish to fry lately.
Thanks, Martin. This ended up fixing the issue for me.
Reverting to Java 1.7.0 enables the installation to complete successfully.
Hi,
That solution has been deprecated in favor of https://access.redhat.com/solutions/1468433.
(tl;dr -- the problem has been fixed, and an up-to-date ipa-server-install should work as expected without needing to install Java 1.7.0.)
