Short tip: FreeIPA - CA did not start in 300.0s
During a recent installation of Red Hat Identity Management or FreeIPA I stumbled upon the following error message:
1DEBUG The ipa-server-install command failed, exception: RuntimeError: CA did not start in 300.0s
2ERROR CA did not start in 300.0s
3ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
CentOS was installed in version 7.6 (so slighty outdated) and FreeIPA was used in version 4.6.5-11:
1$ rpm -qa ipa-server nss
2nss-3.36.0-7.1.el7_6.x86_64
3ipa-server-4.6.5-11.el7.centos.4.x86_64
4
5$ cat /etc/redhat-release
6CentOS Linux release 7.6.1810 (Core)
During analysis the used NSS libraries (Name Service Switch) looked conspicuous to me. I found some bug reports in the internet but unfortunately they were not public.
1# yum check-update|grep nss-
2nss-pem.x86_64 1.0.3-7.el7 base
3nss-softokn.x86_64 3.44.0-8.el7_7 updates
4nss-softokn-freebl.x86_64 3.44.0-8.el7_7 updates
5nss-sysinit.x86_64 3.44.0-7.el7_7 updates
6nss-tools.x86_64 3.44.0-7.el7_7 updates
7nss-util.x86_64 3.44.0-4.el7_7 updates
To fix the issue I had to update the NSS libraries. The ones used in version 7.6 are buggy.
1# yum update nss*
Afterwards, the installation succeeded without any issues.