
freeipa team mailing list archive

[Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.


curl/ssl not working is probably because the setup didn't get far
enough, check /var/log/pki/pki-tomcat/* for errors

Are you able to reproduce the setup error each time? The setup is racy
on slower machines where the tomcat startup takes "long", some later
steps can fail because of that but I haven't seen it this early.

The upstream issues seem fixed already, and we have those versions. The
error was different there anyway.


** Changed in: freeipa (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
  freeipa server install fails - RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu:
  Incomplete

Bug description:
  DESCRIPTION

  The issue occurs while installing IPA server, more specifically whilst
  configuring pki-tomcatd. The following error is produced.

  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
        [1/28]: configuring certificate server instance
      ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn    : ERROR    ........... server did not start after 60s\npkispawn    : ERROR    ....... server failed to restart\n")
      ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
      ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
        [error] RuntimeError: CA configuration failed.
      ipapython.admintool: ERROR    CA configuration failed.
      ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  ISSUE APPEARS TO BE THE SAME AS THAT FOUND IN:

      https://pagure.io/dogtagpki/issue/2973
      https://pagure.io/freeipa/issue/7464

  SYSTEM INFORMATION:

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID:	Ubuntu
  Description:	Ubuntu Bionic Beaver (development branch)
  Release:	18.04
  Codename:	bionic

  $ sudo dpkg -l | grep freeipa
      ii  freeipa-client                           4.7.0~pre1+git20180411-2ubuntu1   amd64        FreeIPA centralized identity framework -- client
      ii  freeipa-common                           4.7.0~pre1+git20180411-2ubuntu1   all          FreeIPA centralized identity framework -- common files
      ii  freeipa-server                           4.7.0~pre1+git20180411-2ubuntu1   amd64        FreeIPA centralized identity framework -- server
      ii  freeipa-server-dns                       4.7.0~pre1+git20180411-2ubuntu1   all          FreeIPA centralized identity framework -- IPA DNS integration

  $ sudo dpkg -l | grep dogtag
      ii  dogtag-pki                               10.6.0-1ubuntu1                   all          Dogtag Public Key Infrastructure (PKI) Suite
      ii  dogtag-pki-console-theme                 10.6.0-1ubuntu1                   all          Certificate System - PKI Console User Interface
      ii  dogtag-pki-server-theme                  10.6.0-1ubuntu1                   all          Certificate System - PKI Server User Interface

  TO REPRODUCE:

  1. install freeipa-server and freeipa-server-dns
  2. use the following installation options (note: I have changed confidential details).

  sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXXXXXX -p
  XXXXXXX --mkhomedir --hostname=example.domain.com --ca-signing-
  algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty
  Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp

  RESULTS

  1. The above error is produced.
  2. The pkispawn logs show it waiting for the server and timing out.

      2018-04-20 05:30:19 pkispawn    : INFO     ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat'
      2018-04-20 05:30:26 pkispawn    : INFO     ........... checking https://example.com:8443/ca
      2018-04-20 05:30:27 pkispawn    : INFO     ........... waiting for server to start (1s)
      2018-04-20 05:30:28 pkispawn    : INFO     ........... waiting for server to start (2s)
      2018-04-20 05:30:29 pkispawn    : INFO     ........... waiting for server to start (3s)
      2018-04-20 05:30:30 pkispawn    : INFO     ........... waiting for server to start (4s)
      2018-04-20 05:30:31 pkispawn    : INFO     ........... waiting for server to start (5s)

  ...

      2018-04-20 05:31:22 pkispawn    : INFO     ........... waiting for server to start (56s)
      2018-04-20 05:31:23 pkispawn    : INFO     ........... waiting for server to start (57s)
      2018-04-20 05:31:24 pkispawn    : INFO     ........... waiting for server to start (58s)
      2018-04-20 05:31:25 pkispawn    : INFO     ........... waiting for server to start (59s)
      2018-04-20 05:31:26 pkispawn    : ERROR    ........... server did not start after 60s
      2018-04-20 05:31:26 pkispawn    : ERROR    ....... server failed to restart
      2018-04-20 05:31:26 pkispawn    : DEBUG    ....... Error Type: Exception
      2018-04-20 05:31:26 pkispawn    : DEBUG    ....... Error Message: server failed to restart
      2018-04-20 05:31:26 pkispawn    : DEBUG    .......   File "/usr/lib/python2.7/dist-packages/pki/server/pkispawn.py", line 534, in main
          scriptlet.spawn(deployer)
        File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 1022, in spawn
          raise Exception("server failed to restart")

  3. Tomcat services appear to be running

  systemctl -l status pki-tomcatd
  ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
     Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
     Active: active (running) since Fri 2018-04-20 06:42:42 UTC; 28min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 23764 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=0/SUCCESS)
      Tasks: 98 (limit: 4915)
     CGroup: /system.slice/pki-tomcatd.service
             └─23951 /usr/share/pki/java-home/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -DRESTEASY_LIB=/usr/share/java/ -Djava.

  4. Trying to curl the CA endpoint results in a no-response error

  curl -k -v https://example.com:8443/ca
  *   Trying 10.5.8.88...
  * TCP_NODELAY set
  * Connected to example.com (10.5.8.88) port 8443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * successfully set certificate verify locations:
  *   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  * TLSv1.2 (OUT), TLS handshake, Client hello (1):
  * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
  * Closing connection 0
  curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
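The following shell helper is an added example, not part of the bug report nor of freeipa or dogtag. It checks the three things the exchange above points at before a re-run of ipa-server-install: whether the kernel exposes the crypto.fips_enabled key that pkispawn queries via sysctl (the reported exit status 255 is what sysctl returns when the key is missing), how many seconds pkispawn waited for Tomcat before the 60s timeout (the race the maintainer mentions), and how many ERROR/SEVERE/Exception lines sit under /var/log/pki/pki-tomcat. The function names, the `run` argument and the default paths are my assumptions; each function takes a path argument so it can be pointed at constructed files.

```shell
#!/bin/sh
# pki-triage.sh - added triage helper (assumed names, not from the bug or the project)

# Report whether the kernel exposes crypto.fips_enabled, which pkispawn reads
# with `sysctl crypto.fips_enabled -bn`. Prints absent/disabled/enabled and
# returns 1 when the key is missing. Default path is the real procfs entry.
fips_key_status() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$f" ]; then
        echo "absent"
        return 1
    fi
    case "$(cat "$f")" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        *) echo "unknown" ;;
    esac
    return 0
}

# Print the largest "waiting for server to start (Ns)" value found in a
# pkispawn log, i.e. how long Tomcat was given before pkispawn gave up.
# Prints 0 when the file is unreadable or contains no such line.
pkispawn_wait_seconds() {
    f="$1"
    [ -r "$f" ] || { echo 0; return 1; }
    s=$(sed -n 's/.*waiting for server to start (\([0-9][0-9]*\)s).*/\1/p' "$f" \
        | sort -n | tail -n 1)
    echo "${s:-0}"
}

# Count error-looking lines in the pki-tomcat log directory (the maintainer's
# suggestion above). Prints the count; returns 1 when the directory is missing
# or any such line exists, so it can be used as a pass/fail check.
count_pki_errors() {
    dir="${1:-/var/log/pki/pki-tomcat}"
    [ -d "$dir" ] || { echo 0; return 1; }
    n=$(grep -rhE 'ERROR|SEVERE|Exception' "$dir" 2>/dev/null | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -eq 0 ]
}

# Print the matching lines themselves for inspection.
show_pki_errors() {
    dir="${1:-/var/log/pki/pki-tomcat}"
    [ -d "$dir" ] && grep -rnE 'ERROR|SEVERE|Exception' "$dir" 2>/dev/null
}

# Run all checks against the live system paths and print a summary.
triage() {
    echo "crypto.fips_enabled sysctl key: $(fips_key_status)"
    for log in /var/log/pki/pki-ca-spawn.*.log; do
        [ -r "$log" ] || continue
        echo "$log: pkispawn waited $(pkispawn_wait_seconds "$log")s for Tomcat"
    done
    echo "error lines under /var/log/pki/pki-tomcat: $(count_pki_errors)"
    show_pki_errors
}

# Only act when invoked as `sh pki-triage.sh run`, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    triage
fi
```

Invoke it as `sh pki-triage.sh run` on the failing host. An "absent" FIPS key explains the sysctl exit status 255 in the report; a wait value of 59 followed by the "did not start after 60s" error, with Tomcat still coming up afterwards, is the slow-startup race described in the reply, and the error lines printed last are where the actual startup failure, if any, will be recorded.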

