freeipa team mailing list archive

Thread
Date
[Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.

To: freeipa@xxxxxxxxxxxxxxxxxxx
From: Timo Aaltonen <tjaalton@xxxxxxxxxx>
Date: Fri, 27 Apr 2018 13:20:44 -0000
Reply-to: Bug 1765616 <1765616@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Changed in: freeipa (Ubuntu)
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
  freeipa server install fails -  RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu:
  Invalid
Status in tomcat8 package in Ubuntu:
  New

Bug description:
  DESCRIPTION

  The issue occurs while installing IPA server. More specifically whist
  configuring pki-tomcatd. The following error is produced.

  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
        [1/28]: configuring certificate server instance
      ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn    : ERROR    ........... server did not start after 60s\npkispawn    : ERROR    ....... server failed to restart\n")
      ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
      ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
        [error] RuntimeError: CA configuration failed.
      ipapython.admintool: ERROR    CA configuration failed.
      ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN:

      https://pagure.io/dogtagpki/issue/2973
      https://pagure.io/freeipa/issue/7464

  SYSTEM INFORMATION:

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID:	Ubuntu
  Description:	Ubuntu Bionic Beaver (development branch)
  Release:	18.04
  Codename:	bionic

  $ sudo dpkg -l | grep freeipa
      ii  freeipa-client                           4.7.0~pre1+git20180411-2ubuntu1   amd64        FreeIPA centralized identity framework -- client
      ii  freeipa-common                           4.7.0~pre1+git20180411-2ubuntu1   all          FreeIPA centralized identity framework -- common files
      ii  freeipa-server                           4.7.0~pre1+git20180411-2ubuntu1   amd64        FreeIPA centralized identity framework -- server
      ii  freeipa-server-dns                       4.7.0~pre1+git20180411-2ubuntu1   all          FreeIPA centralized identity framework -- IPA DNS integration

  $ sudo dpkg -l | grep dogtag
      ii  dogtag-pki                               10.6.0-1ubuntu1                   all          Dogtag Public Key Infrastructure (PKI) Suite
      ii  dogtag-pki-console-theme                 10.6.0-1ubuntu1                   all          Certificate System - PKI Console User Interface
      ii  dogtag-pki-server-theme                  10.6.0-1ubuntu1                   all          Certificate System - PKI Server User Interface

  TO REPRODUCE:

  1. install freeipa-server and freeipa-server-dns
  2. the following installation options (note I have changed confidential details).

  sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXXXXXX -p
  XXXXXXX --mkhomedir --hostname=example.domain.com --ca-signing-
  algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty
  Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp

  RESULTS

  1. The above error is produced. 
  2. the pkispawn logs show it waiting for the server and timing out.

     2018-04-20 05:30:19 pkispawn    : INFO     ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat'
      2018-04-20 05:30:26 pkispawn    : INFO     ........... checking https://example.com:8443/ca
      2018-04-20 05:30:27 pkispawn    : INFO     ........... waiting for server to start (1s)
      2018-04-20 05:30:28 pkispawn    : INFO     ........... waiting for server to start (2s)
      2018-04-20 05:30:29 pkispawn    : INFO     ........... waiting for server to start (3s)
      2018-04-20 05:30:30 pkispawn    : INFO     ........... waiting for server to start (4s)
      2018-04-20 05:30:31 pkispawn    : INFO     ........... waiting for server to start (5s)

  ...

      2018-04-20 05:31:22 pkispawn    : INFO     ........... waiting for server to start (56s)
      2018-04-20 05:31:23 pkispawn    : INFO     ........... waiting for server to start (57s)
      2018-04-20 05:31:24 pkispawn    : INFO     ........... waiting for server to start (58s)
      2018-04-20 05:31:25 pkispawn    : INFO     ........... waiting for server to start (59s)
      2018-04-20 05:31:26 pkispawn    : ERROR    ........... server did not start after 60s
      2018-04-20 05:31:26 pkispawn    : ERROR    ....... server failed to restart
      2018-04-20 05:31:26 pkispawn    : DEBUG    ....... Error Type: Exception
      2018-04-20 05:31:26 pkispawn    : DEBUG    ....... Error Message: server failed to restart
      2018-04-20 05:31:26 pkispawn    : DEBUG    .......   File "/usr/lib/python2.7/dist-packages/pki/server/pkispawn.py", line 534, in main
          scriptlet.spawn(deployer)
        File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 1022, in spawn
          raise Exception("server failed to restart")

  3. Tomcat services appear to be running

  systemctl -l status pki-tomcatd
  ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
     Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
     Active: active (running) since Fri 2018-04-20 06:42:42 UTC; 28min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 23764 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=0/SUCCESS)
      Tasks: 98 (limit: 4915)
     CGroup: /system.slice/pki-tomcatd.service
             └─23951 /usr/share/pki/java-home/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -DRESTEASY_LIB=/usr/share/java/ -Djava.

  4. Trying to curl to ca endpoint results in no response error

  curl -k -v https://example.com:8443/ca
  *   Trying 10.5.8.88...
  * TCP_NODELAY set
  * Connected to example.com (10.5.8.88) port 8443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * successfully set certificate verify locations:
  *   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  * TLSv1.2 (OUT), TLS handshake, Client hello (1):
  * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
  * Closing connection 0
  curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions
References

[Bug 1765616] [NEW] freeipa server install fails - RuntimeError: CA configuration failed.
From: Juan Tobon, 2018-04-20