This is the install output when it fails:
Configuring directory server for the CA:
  [1/4]: creating directory server user
  [2/4]: creating directory server instance
  [3/4]: configuring directory to start on boot
  [4/4]: restarting directory server
done configuring pkids.
Configuring certificate server:
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
  [5/16]: restarting certificate server
  [6/16]: creating CA agent PKCS#12 file in /root
  [7/16]: creating RA agent certificate database
  [8/16]: importing CA chain to RA certificate database
Unexpected error - see ipaserver-install.log for details:
 must be string or buffer, not None
Attached find logfiles
install log ipaserver-install.log
dirsrv PKI-IPA instance access file access
pki-ca debug file (compressed) pki-ca-debug.tar.gz
Filed defect https://bugzilla.redhat.com/show_bug.cgi?id=643449
The problem seems rooted in not being able to retrieve the CA certificate chain on the unsecure port 9180.
The issue is caused by a Java class org.apache.xml.serializer.TreeWalker (package org.apache.xml.serializer) which is not in the Java CLASSPATH when starting pki-ca. As a result of this issue, the pki-ca can't display the CA certificate and gives a 500 internal server error instead.
The issue can be easily solved by:
ln -s %{_javadir}/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
The change is best to be done in pki-common package. I already contacted pki-common maintainer to see if they can do this or if we have to find some kind of workaround.
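A diagnostic for the condition described in the comment above, as an added example that is not part of the ticket or of pki-ca: it scans a library directory for jars that provide the TreeWalker class and reports jars that cannot be read, such as a symlink whose target is missing. The names `scan_lib_dir` and `demo` are hypothetical, and the directory layout built in `demo()` is constructed.

```python
import os
import tempfile
import zipfile

# Class named in the ticket, written as a jar entry path.
TREEWALKER = "org/apache/xml/serializer/TreeWalker.class"


def scan_lib_dir(lib_dir, class_entry=TREEWALKER):
    """Return (providers, broken): jars in lib_dir that contain class_entry,
    and jars that cannot be read (dangling symlink or not a valid archive)."""
    providers, broken = [], []
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        path = os.path.join(lib_dir, name)
        if not os.path.exists(path):  # symlink whose target is missing
            broken.append(name)
            continue
        try:
            with zipfile.ZipFile(path) as jar:
                if class_entry in jar.namelist():
                    providers.append(name)
        except (zipfile.BadZipFile, OSError):
            broken.append(name)
    return providers, broken


def demo():
    """Scan a constructed lib directory before and after the symlink is added."""
    with tempfile.TemporaryDirectory() as root:
        javadir = os.path.join(root, "javadir")    # stands in for %{_javadir}
        libdir = os.path.join(root, "common-lib")  # stands in for tomcat5/common/lib
        os.makedirs(javadir)
        os.makedirs(libdir)
        with zipfile.ZipFile(os.path.join(javadir, "xalan-j2-serializer.jar"), "w") as jar:
            jar.writestr(TREEWALKER, b"")          # constructed empty class entry
        with zipfile.ZipFile(os.path.join(libdir, "other.jar"), "w") as jar:
            jar.writestr("com/example/Other.class", b"")
        os.symlink(os.path.join(javadir, "missing.jar"), os.path.join(libdir, "stale.jar"))
        before = scan_lib_dir(libdir)
        os.symlink(os.path.join(javadir, "xalan-j2-serializer.jar"),
                   os.path.join(libdir, "xalan-j2-serializer.jar"))
        return before, scan_lib_dir(libdir)


if __name__ == "__main__":
    print(demo())
```

An empty providers list for the servlet container's shared library directory matches the missing-class condition the comment describes; an entry under broken means a link exists but does not resolve to a readable jar.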
New release of pki-ca addressing the issue is already in ipa nightly repository and will be released soon in Fedora. Closing the ticket.
Metadata Update from @simo: - Issue assigned to jzeleny - Issue set to the milestone: FreeIPA 2.0 - 2011/01 (cleanup)