Short tip: FreeIPA - CA did not start in 300.0s

During a recent installation of Red Hat Identity Management or FreeIPA I stumbled upon the following error message:

1DEBUG The ipa-server-install command failed, exception: RuntimeError: CA did not start in 300.0s
2ERROR CA did not start in 300.0s
3ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

CentOS was installed in version 7.6 (so slighty outdated) and FreeIPA was used in version 4.6.5-11:

1$ rpm -qa ipa-server nss
5$ cat /etc/redhat-release
6CentOS Linux release 7.6.1810 (Core)

During analysis the used NSS libraries (Name Service Switch) looked conspicuous to me. I found some bug reports in the internet but unfortunately they were not public.

1# yum check-update|grep nss-
2nss-pem.x86_64                          1.0.3-7.el7                      base
3nss-softokn.x86_64                      3.44.0-8.el7_7                   updates
4nss-softokn-freebl.x86_64               3.44.0-8.el7_7                   updates
5nss-sysinit.x86_64                      3.44.0-7.el7_7                   updates
6nss-tools.x86_64                        3.44.0-7.el7_7                   updates
7nss-util.x86_64                         3.44.0-4.el7_7                   updates

To fix the issue I had to update the NSS libraries. The ones used in version 7.6 are buggy.

1# yum update nss*

Afterwards, the installation succeeded without any issues.