Chapter 9. Troubleshooting IdM server installation
The following sections describe how to gather information about a failing IdM server installation, and how to resolve common installation issues.
9.1. Reviewing IdM server installation error logs
When you install an Identity Management (IdM) server, debugging information is appended to the following log files:
- /var/log/ipaserver-install.log
- /var/log/httpd/error_log
- /var/log/dirsrv/slapd-INSTANCE-NAME/access
- /var/log/dirsrv/slapd-INSTANCE-NAME/errors
The last lines of the log files report success or failure, and the ERROR and DEBUG entries provide additional context.
To troubleshoot a failing IdM server installation, review the errors at the end of the log files and use this information to resolve any corresponding issues.
Prerequisites
- You must have root privileges to display the contents of IdM log files.
Procedure
- Use the tail command to display the last lines of a log file. The following example displays the last 10 lines of /var/log/ipaserver-install.log.
    [user@server ~]$ sudo tail -n 10 /var/log/ipaserver-install.log
    [sudo] password for user:
        value = gen.send(prev_value)
      File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
        for unused in self._installer(self.parent):
      File "/usr/lib/python3.6/site-packages/ipaserver/install/server/init.py", line 564, in main
        master_install(self)
      File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 291, in decorated
        raise ScriptError()
    2020-05-27T22:59:41Z DEBUG The ipa-server-install command failed, exception: ScriptError:
    2020-05-27T22:59:41Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
- To review a log file interactively, open the end of the log file using the less utility and use the ↑ and ↓ arrow keys to navigate. The following example opens the /var/log/ipaserver-install.log file interactively.
    [user@server ~]$ sudo less -N +G /var/log/ipaserver-install.log
- Gather additional troubleshooting information by repeating this review process with the remaining log files.
    [user@server ~]$ sudo less -N +G /var/log/httpd/error_log
    [user@server ~]$ sudo less -N +G /var/log/dirsrv/slapd-INSTANCE-NAME/access
    [user@server ~]$ sudo less -N +G /var/log/dirsrv/slapd-INSTANCE-NAME/errors
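The review of /var/log/ipaserver-install.log described in this procedure can also be scripted. The following is an added example, not part of the original documentation: it reports whether the most recent run recorded in the log failed, and which exception and traceback frame the failure came from. The function names are hypothetical, the sample log is constructed, and the line layout is assumed to match the excerpt shown above.

```shell
#!/bin/sh
# Added example, not from the product documentation. Function names are
# hypothetical; the "<timestamp>Z LEVEL message" layout follows the excerpt above.

# Print "failed" or "no-failure" from the LAST timestamped entry, because the
# installer appends to the log and earlier runs remain in the same file.
idm_install_verdict() (
    last=$(grep -E '^[0-9-]+T[0-9:]+Z [A-Z]+ ' "$1" | tail -n 1)
    case $last in
        *' ERROR The '*' command failed.'*) echo failed ;;
        *) echo no-failure ;;
    esac
)

# Print "<timestamp> <exception> at <file>:<line> in <function>" for the last
# recorded failure; return 1 if the log records none.
idm_install_failure() {
    awk '
        /File "[^"]+", line [0-9]+, in / {        # traceback frame
            split($0, q, "\"")                    # q[2] = path
            split(q[3], f, ", (line|in) ")        # f[2] = line, f[3] = function
            frame = q[2] ":" f[2] " in " f[3]; next
        }
        / DEBUG The [^ ]+ command failed, exception: / {
            exc = $0; sub(/^.*exception: /, "", exc); sub(/:.*$/, "", exc)
            ts = $1; where = frame; next
        }
        /^[0-9-]+T[0-9:]+Z / { frame = "" }       # other entries end a traceback
        END { if (exc == "") exit 1; print ts, exc, "at", where }
    ' "$1"
}

# Constructed sample: an earlier failed run, then the failure from the excerpt.
write_sample_log() {
    cat > "$1" <<'EOF'
2020-05-27T21:10:02Z DEBUG   File "/constructed/earlier_run.py", line 12, in main
    raise RuntimeError()
2020-05-27T21:10:02Z DEBUG The ipa-server-install command failed, exception: RuntimeError:
2020-05-27T21:10:02Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
2020-05-27T22:59:41Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 291, in decorated
    raise ScriptError()
2020-05-27T22:59:41Z DEBUG The ipa-server-install command failed, exception: ScriptError:
2020-05-27T22:59:41Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
EOF
}

[ -z "${1:-}" ] || { idm_install_verdict "$1"; idm_install_failure "$1"; }
```

Run the script as root with the log path as its only argument, because the IdM log files are readable only with root privileges.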
Additional resources
- If you are unable to resolve a failing IdM server installation, and you have a Red Hat Technical Support subscription, open a Technical Support case at the Red Hat Customer Portal and provide an sosreport of the server.
- The sosreport utility collects configuration details, logs and system information from a RHEL system. For more information about the sosreport utility, see What is an sosreport and how to create one in Red Hat Enterprise Linux?.
9.2. Reviewing IdM CA installation errors
When you install the Certificate Authority (CA) service on an Identity Management (IdM) server, debugging information is appended to the following locations (in order of recommended priority):
Location | Description |
---|---|
| High-level issues and Python traces for the |
| Errors from the |
| Large Java stack traces of activity in the core of the Public Key Infrastructure (PKI) product |
| Audit log of the PKI product |
| Low-level debug data of certificate operations for service principals, hosts, and other entities that use certificates |
If a full IdM server installation fails while installing the optional CA component, no details about the CA are logged; a message is logged in the /var/log/ipaserver-install.log file indicating that the overall installation process failed. Red Hat recommends reviewing the log files listed above for details specific to the CA installation failure.
The only exception to this behavior is when you are installing the CA service and the root CA is an external CA. If there is an issue with the certificate from the external CA, errors are logged in /var/log/ipaserver-install.log.
To troubleshoot a failing IdM CA installation, review the errors at the end of these log files and use this information to resolve any corresponding issues.
Prerequisites
- You must have root privileges to display the contents of IdM log files.
Procedure
- To review a log file interactively, open the end of the log file using the less utility and use the ↑ and ↓ arrow keys to navigate, while searching for ScriptError entries. The following example opens /var/log/pki/pki-ca-spawn.$TIME_OF_INSTALLATION.log.
    [user@server ~]$ sudo less -N +G /var/log/pki/pki-ca-spawn.20200527185902.log
- Gather additional troubleshooting information by repeating this review process with all the log files listed above.
Additional resources
- If you are unable to resolve a failing IdM server installation, and you have a Red Hat Technical Support subscription, open a Technical Support case at the Red Hat Customer Portal and provide an sosreport of the server.
- The sosreport utility collects configuration details, logs and system information from a RHEL system. For more information about the sosreport utility, see What is an sosreport and how to create one in Red Hat Enterprise Linux?.
9.3. Removing a partial IdM server installation
If an IdM server installation fails, some configuration files can be left behind. Additional attempts to install the IdM server fail and the installation script reports that IPA is already configured.
Example system with existing partial IdM configuration
    [root@server ~]# ipa-server-install
    The log file for this installation can be found in /var/log/ipaserver-install.log
    IPA server is already configured on this system.
    If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
To resolve this issue, uninstall the partial IdM server configuration and retry the installation process.
Prerequisites
-
You must have
root
privileges.
Procedure
- Uninstall the IdM server software from the host you are trying to configure as an IdM server.
    [root@server ~]# ipa-server-install --uninstall
- If you continue to experience difficulty installing an IdM server because of repeated failed installations, reinstall the operating system.
One of the requirements for installing an IdM server is a clean system without any customization. Failed installations may have compromised the integrity of the host by unexpectedly modifying system files.
Additional resources
- For additional details on uninstalling an IdM server, see Uninstalling an IdM server.
- If installation attempts fail after repeated uninstallation attempts, and you have a Red Hat Technical Support subscription, open a Technical Support case at the Red Hat Customer Portal and provide an sosreport of the server.
- The sosreport utility collects configuration details, logs and system information from a RHEL system. For more information about the sosreport utility, see What is an sosreport and how to create one in Red Hat Enterprise Linux?.