Installation Issues#
Check PKI Server Logs#
To troubleshoot installation issues, the debug log level can be increased before running pkispawn. See PKI Server Log.
Common Issues#
Misleading error message during installation#
See Ticket #1615. The PKI server generates the following message when it is started for the first time during installation before being configured by pkispawn:
Sep 23 14:14:16 server.example.com server[13604]: CMS Warning: FAILURE: Cannot
build CA chain. Error java.security.cert.CertificateException: Certificate is
not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization
failed and skipped, error=Property internaldb.ldapconn.port missing value|
This is actually a normal part of the installation and can be ignored safely.
Failed token authentication#
Installing an additional server may fail if the Directory Manager password, the PKCS #12 password, or the admin user was changed incorrectly. See the detailed steps at IPA Howto: Changing Directory Manager Password.
Cloning Issues#
Check PKI server logs on master and replica
Check certificate expirations
Check Directory Manager password, admin password, and PKCS #12 password
CLI Issues#
Run in Verbose Mode#
Run the CLI in verbose mode to see more details:
$ pki -v <command>
Check HTTP Messages#
Save the HTTP requests and responses exchanged by the CLI:
$ mkdir -p tmp
$ pki --output tmp <command>
Check PKI Server Logs#
CLI failure may be caused by a server issue. See PKI Server Log.
Server Issues#
Upgrade Issues#
IPA Issues#
Check IPA server install logs
Check HTTP proxy configuration
See also IPA - Troubleshooting.