Jacob Chapman via FreeIPA-users wrote:
> I am installing on Docker for MacOS. During initial install, it reaches step
> [1/30]: configuring certificate server instance when it shows the error.
>
> I looked in the /data/var/log/ipaserver-install.log and it looks like
> everything is OK until it hits the errors below. Any ideas what could cause
> this?
>
> FINE: NSSDatabase: Issuing cert for CN=freeipa.mydomain.cloud,O=2023-06-25 23:40:10
> FINE: NSSDatabase: - issuer: CN=freeipa.mydomain.cloud,O=2023-06-25 23:40:10
> FINE: NSSDatabase: - public key algorithm: RSA
> FINE: NSSDatabase: - serial number: 0x79a6edffa89c946d7cb055c19b4befa4
> FINE: NSSDatabase: - not before: Sun Jun 25 23:42:17 UTC 2023
> FINE: NSSDatabase: - not after: Mon Sep 25 23:42:17 UTC 2023
> FINE: NSSDatabase: - hash algorithm: SHA256
> FINE: NSSDatabase: - key algorithm: SHA256withRSA
> FINE: NSSDatabase: Finding request private key
> FINE: NSSDatabase: - private key: 0xdbb9f417bd81a12aa00c1b20227c91a6b2ccefd6
> FINE: NSSDatabase: Private key algorithm: RSA
> FINE: NSSDatabase: Signing algorithm: SHA256withRSA
> FINE: CryptoUtil: Signing certificate
> FINE: CryptoUtil: - signing algorithm: RSASignatureWithSHA256Digest
> FINE: CryptoUtil: - algorithm name: SHA256withRSA
> FINE: CryptoUtil: - algorithm ID: SHA256withRSA
> DEBUG: NSSDatabase.add_cert(temp Server-Cert cert-pki-ca)
> DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -C /tmp/tmp5y2f9zop/XXXXXXXX.txt nss-cert-import --cert /tmp/tmp_tmyllsd/sslserver.crt --debug temp Server-Cert cert-pki-ca
> INFO: Initializing NSS
> INFO: Logging into internal token
> INFO: Using internal token
> java.nio.file.AccessDeniedException: /tmp/nss-cert-11721189233651257758.crt
>     at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
>     at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
>     at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
>     at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
>     at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
>     at java.base/java.nio.file.Files.createFile(Files.java:658)
>     at java.base/java.nio.file.TempFileHelper.create(TempFileHelper.java:136)
>     at java.base/java.nio.file.TempFileHelper.createTempFile(TempFileHelper.java:159)
>     at java.base/java.nio.file.Files.createTempFile(Files.java:923)
>     at org.dogtagpki.nss.NSSDatabase.addCertificate(NSSDatabase.java:342)
>     at com.netscape.cmstools.nss.NSSCertImportCLI.execute(NSSCertImportCLI.java:104)
>     at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>     at org.dogtagpki.cli.CLI.execute(CLI.java:353)
>     at org.dogtagpki.cli.CLI.execute(CLI.java:353)
>     at org.dogtagpki.cli.CLI.execute(CLI.java:353)
>     at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:658)
>     at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:697)

I know next to nothing about containers but it can't write to /tmp. Whether this is mounted into the container or something else I don't know.

But I do know that the instructions on running the container need to be followed pretty explicitly. A lot of the options are configured a specific way to work around known issues so don't get too creative with them or you'll have problems.

I'd suggest you look at the open and closed issues at https://github.com/freeipa/freeipa-container for past guidance.

rob
