[Freeipa-users] replica install seems to hang forever when "--setup-ca" is enabled - any advice?
Chris Dagdigian
2017-03-15 22:32:42 UTC
Any tips for diving into this a bit more to troubleshoot?

For the 1st time I'm setting up an ipa-server 4.4 replica with CA
features enabled but the replica install seems to hang forever here:

...
...
...
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/27]: creating certificate server user
[2/27]: configuring certificate server instance
[3/27]: stopping certificate server instance to update CS.cfg
[4/27]: backing up CS.cfg
[5/27]: disabling nonces
[6/27]: set up CRL publishing
[7/27]: enable PKIX certificate path discovery and validation
[8/27]: starting certificate server instance

< no output after this >


The replica-install.log file ends here:

...
...
...
2017-03-15T22:16:05Z DEBUG Starting external process
2017-03-15T22:16:05Z DEBUG args=/bin/systemctl is-active pki-***@pki-tomcat.service
2017-03-15T22:16:05Z DEBUG Process finished, return code=0
2017-03-15T22:16:05Z DEBUG stdout=active

2017-03-15T22:16:05Z DEBUG stderr=
2017-03-15T22:16:05Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-03-15T22:16:06Z DEBUG Waiting until the CA is running
2017-03-15T22:16:06Z DEBUG request POST http://deawilidmp001.XXX.org:8080/ca/admin/ca/getStatus
2017-03-15T22:16:06Z DEBUG request body ''




I've confirmed that SELINUX is disabled, there is no firewall and the
AWS Security Groups are allowing TCP:8080 and TCP:8443 to the replica
instance. The systemctl command also verifies that
pki-***@pki-tomcat.service is "active" as well.


Any tips for debugging further?


Regards,
Chris
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Fraser Tweedale
2017-03-16 00:34:22 UTC
Post by Chris Dagdigian
Any tips for diving into this a bit more to troubleshoot?
For the 1st time I'm setting up an ipa-server 4.4 replica with CA features
...
...
...
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/27]: creating certificate server user
[2/27]: configuring certificate server instance
[3/27]: stopping certificate server instance to update CS.cfg
[4/27]: backing up CS.cfg
[5/27]: disabling nonces
[6/27]: set up CRL publishing
[7/27]: enable PKIX certificate path discovery and validation
[8/27]: starting certificate server instance
< no output after this >
...
...
...
2017-03-15T22:16:05Z DEBUG Starting external process
2017-03-15T22:16:05Z DEBUG args=/bin/systemctl is-active
2017-03-15T22:16:05Z DEBUG Process finished, return code=0
2017-03-15T22:16:05Z DEBUG stdout=active
2017-03-15T22:16:05Z DEBUG stderr=
2017-03-15T22:16:05Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-03-15T22:16:06Z DEBUG Waiting until the CA is running
2017-03-15T22:16:06Z DEBUG request POST http://deawilidmp001.XXX.org:8080/ca/admin/ca/getStatus
2017-03-15T22:16:06Z DEBUG request body ''
I've confirmed that SELINUX is disabled, there is no firewall and the AWS
Security Groups are allowing TCP:8080 and TCP:8443 to the replica instance.
The systemctl command also verifies that
Any tips for debugging further?

Could you please provide the /var/log/pki/pki-tomcat/ca/debug log file?

Thanks,
Fraser
Martin Basti
2017-03-16 08:29:12 UTC
Post by Fraser Tweedale
Post by Chris Dagdigian
Any tips for diving into this a bit more to troubleshoot?
For the 1st time I'm setting up an ipa-server 4.4 replica with CA features
...
...
...
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/27]: creating certificate server user
[2/27]: configuring certificate server instance
[3/27]: stopping certificate server instance to update CS.cfg
[4/27]: backing up CS.cfg
[5/27]: disabling nonces
[6/27]: set up CRL publishing
[7/27]: enable PKIX certificate path discovery and validation
[8/27]: starting certificate server instance
< no output after this >
...
...
...
2017-03-15T22:16:05Z DEBUG Starting external process
2017-03-15T22:16:05Z DEBUG args=/bin/systemctl is-active
2017-03-15T22:16:05Z DEBUG Process finished, return code=0
2017-03-15T22:16:05Z DEBUG stdout=active
2017-03-15T22:16:05Z DEBUG stderr=
2017-03-15T22:16:05Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-03-15T22:16:06Z DEBUG Waiting until the CA is running
2017-03-15T22:16:06Z DEBUG request POST http://deawilidmp001.XXX.org:8080/ca/admin/ca/getStatus
2017-03-15T22:16:06Z DEBUG request body ''
I've confirmed that SELINUX is disabled, there is no firewall and the AWS
Security Groups are allowing TCP:8080 and TCP:8443 to the replica instance.
The systemctl command also verifies that
Any tips for debugging further?
Could you please provide the /var/log/pki/pki-tomcat/ca/debug log
file?
Thanks,
Fraser

Could it be this?
https://pagure.io/freeipa/issue/6766
Chris Dagdigian
2017-03-16 11:29:00 UTC
That looks exactly like my issue, thanks! Will monitor that ticket. Much
appreciated.
Post by Martin Basti
Could it be this?
https://pagure.io/freeipa/issue/6766