
freeipa team mailing list archive

[Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.

 

** Description changed:

- DESCRIPTION
+ [Impact]
  
  The issue occurs while installing IPA server. More specifically whist
  configuring pki-tomcatd. The following error is produced.
  
  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
-       [1/28]: configuring certificate server instance
-     ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn    : ERROR    ........... server did not start after 60s\npkispawn    : ERROR    ....... server failed to restart\n")
-     ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
-     ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
-       [error] RuntimeError: CA configuration failed.
-     ipapython.admintool: ERROR    CA configuration failed.
-     ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
+       [1/28]: configuring certificate server instance
+     ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn    : ERROR    ........... server did not start after 60s\npkispawn    : ERROR    ....... server failed to restart\n")
+     ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
+     ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
+       [error] RuntimeError: CA configuration failed.
+     ipapython.admintool: ERROR    CA configuration failed.
+     ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  
- ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN:
+ The cause for this is that tomcat8 is built with JDK9 and is not
+ compatible with instances that have to use JRE8 for other reasons.
  
-     https://pagure.io/dogtagpki/issue/2973
-     https://pagure.io/freeipa/issue/7464
+ [Test Case]
  
- SYSTEM INFORMATION:
+ Install freeipa-server, run ipa-server-install.
  
- $ lsb_release -a
- No LSB modules are available.
- Distributor ID:	Ubuntu
- Description:	Ubuntu Bionic Beaver (development branch)
- Release:	18.04
- Codename:	bionic
+ [Regression Potential]
  
- $ sudo dpkg -l | grep freeipa
-     ii  freeipa-client                           4.7.0~pre1+git20180411-2ubuntu1   amd64        FreeIPA centralized identity framework -- client
-     ii  freeipa-common                           4.7.0~pre1+git20180411-2ubuntu1   all          FreeIPA centralized identity framework -- common files
-     ii  freeipa-server                           4.7.0~pre1+git20180411-2ubuntu1   amd64        FreeIPA centralized identity framework -- server
-     ii  freeipa-server-dns                       4.7.0~pre1+git20180411-2ubuntu1   all          FreeIPA centralized identity framework -- IPA DNS integration
+ The fix is a fairly big patch for tomcat8 to modify the code so that it
+ runs with JRE8. It passes the upstream test suite though, when run with
+ JRE8 though tomcat itself was built with the default JDK.
  
- $ sudo dpkg -l | grep dogtag
-     ii  dogtag-pki                               10.6.0-1ubuntu1                   all          Dogtag Public Key Infrastructure (PKI) Suite
-     ii  dogtag-pki-console-theme                 10.6.0-1ubuntu1                   all          Certificate System - PKI Console User Interface
-     ii  dogtag-pki-server-theme                  10.6.0-1ubuntu1                   all          Certificate System - PKI Server User Interface
+ [Other info]
  
- TO REPRODUCE:
- 
- 1. install freeipa-server and freeipa-server-dns
- 2. the following installation options (note I have changed confidential details).
- 
- sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXXXXXX -p
- XXXXXXX --mkhomedir --hostname=example.domain.com --ca-signing-
- algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty
- Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp
- 
- RESULTS
- 
- 1. The above error is produced. 
- 2. the pkispawn logs show it waiting for the server and timing out.
- 
-    2018-04-20 05:30:19 pkispawn    : INFO     ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat'
-     2018-04-20 05:30:26 pkispawn    : INFO     ........... checking https://example.com:8443/ca
-     2018-04-20 05:30:27 pkispawn    : INFO     ........... waiting for server to start (1s)
-     2018-04-20 05:30:28 pkispawn    : INFO     ........... waiting for server to start (2s)
-     2018-04-20 05:30:29 pkispawn    : INFO     ........... waiting for server to start (3s)
-     2018-04-20 05:30:30 pkispawn    : INFO     ........... waiting for server to start (4s)
-     2018-04-20 05:30:31 pkispawn    : INFO     ........... waiting for server to start (5s)
- 
- ...
- 
-     2018-04-20 05:31:22 pkispawn    : INFO     ........... waiting for server to start (56s)
-     2018-04-20 05:31:23 pkispawn    : INFO     ........... waiting for server to start (57s)
-     2018-04-20 05:31:24 pkispawn    : INFO     ........... waiting for server to start (58s)
-     2018-04-20 05:31:25 pkispawn    : INFO     ........... waiting for server to start (59s)
-     2018-04-20 05:31:26 pkispawn    : ERROR    ........... server did not start after 60s
-     2018-04-20 05:31:26 pkispawn    : ERROR    ....... server failed to restart
-     2018-04-20 05:31:26 pkispawn    : DEBUG    ....... Error Type: Exception
-     2018-04-20 05:31:26 pkispawn    : DEBUG    ....... Error Message: server failed to restart
-     2018-04-20 05:31:26 pkispawn    : DEBUG    .......   File "/usr/lib/python2.7/dist-packages/pki/server/pkispawn.py", line 534, in main
-         scriptlet.spawn(deployer)
-       File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 1022, in spawn
-         raise Exception("server failed to restart")
- 
- 3. Tomcat services appear to be running
- 
- systemctl -l status pki-tomcatd
- ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
-    Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
-    Active: active (running) since Fri 2018-04-20 06:42:42 UTC; 28min ago
-      Docs: man:systemd-sysv-generator(8)
-   Process: 23764 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=0/SUCCESS)
-     Tasks: 98 (limit: 4915)
-    CGroup: /system.slice/pki-tomcatd.service
-            └─23951 /usr/share/pki/java-home/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -DRESTEASY_LIB=/usr/share/java/ -Djava.
- 
- 4. Trying to curl to ca endpoint results in no response error
- 
- curl -k -v https://example.com:8443/ca
- *   Trying 10.5.8.88...
- * TCP_NODELAY set
- * Connected to example.com (10.5.8.88) port 8443 (#0)
- * ALPN, offering h2
- * ALPN, offering http/1.1
- * successfully set certificate verify locations:
- *   CAfile: /etc/ssl/certs/ca-certificates.crt
-   CApath: /etc/ssl/certs
- * TLSv1.2 (OUT), TLS handshake, Client hello (1):
- * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
- * Closing connection 0
- curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
+ Patch will be sent upstream too.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
  freeipa server install fails -  RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu:
  Invalid
Status in tomcat8 package in Ubuntu:
  In Progress
Status in freeipa source package in Bionic:
  Invalid
Status in tomcat8 source package in Bionic:
  Confirmed
Status in tomcat8 package in Debian:
  Unknown

Bug description:
  [Impact]

  The issue occurs while installing IPA server. More specifically, whilst
  configuring pki-tomcatd. The following error is produced.

  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
        [1/28]: configuring certificate server instance
      ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn    : ERROR    ........... server did not start after 60s\npkispawn    : ERROR    ....... server failed to restart\n")
      ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
      ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
        [error] RuntimeError: CA configuration failed.
      ipapython.admintool: ERROR    CA configuration failed.
      ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  The cause for this is that tomcat8 is built with JDK9 and is not
  compatible with instances that have to use JRE8 for other reasons.

  [Test Case]

  Install freeipa-server, run ipa-server-install.

  [Regression Potential]

  The fix is a fairly big patch for tomcat8 to modify the code so that
  it runs with JRE8. It passes the upstream test suite, though, when run
  with JRE8, even though tomcat itself was built with the default JDK.

  [Other info]

  Patch will be sent upstream too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions
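Two distinct failures are visible in the report above: pkispawn's FIPS probe (`sysctl crypto.fips_enabled -bn`) exits with status 255 and that exception is allowed to abort the deployment, and Tomcat's class files were compiled by JDK9 while pki-tomcat runs on JRE8, so the server never comes up. The following pre-flight check is an added example written for this page; it is not code from FreeIPA, Dogtag or the tomcat8 package. It parses the Java class-file header (magic, minor, major; major version = Java release + 44, so 52 is Java 8 and 53 is Java 9), reports the highest class version a jar needs, and queries the FIPS sysctl so that a missing key is reported as "unknown" rather than raised. The jar it scans is constructed in memory; function names and the `run` injection hook are this example's own.

```python
"""Pre-flight checks for a pki-tomcat instance (added example, not project code).

Checks: (1) can the JRE that will run pki-tomcat load the classes in a jar?
        (2) what does the crypto.fips_enabled sysctl say, without crashing
            when the kernel does not expose the key?
"""
import io
import struct
import subprocess
import zipfile
from typing import Callable, Optional

CLASS_MAGIC = 0xCAFEBABE  # first four bytes of every Java .class file


def class_major_version(data: bytes) -> int:
    """Return the major version from a .class header: u4 magic, u2 minor, u2 major."""
    if len(data) < 8:
        raise ValueError("class file too short")
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a Java class file (bad magic)")
    return major


def java_release_for_major(major: int) -> int:
    """Map a class-file major version to the Java release that emits it.

    49 -> Java 5, 52 -> Java 8, 53 -> Java 9 (major = release + 44).
    """
    if major < 49:
        raise ValueError("pre-Java-5 class file; not relevant here")
    return major - 44


def highest_class_version_in_jar(jar) -> int:
    """Scan the .class entries of a jar (path or file-like) and return the
    highest major version a JRE must support to load all of them.

    Entries under META-INF/versions/ (multi-release jars) and module-info.class
    are skipped: a Java 8 runtime ignores those, so they do not break loading.
    """
    highest = 0
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            if name.startswith("META-INF/versions/") or name.endswith("module-info.class"):
                continue
            with zf.open(name) as fh:
                highest = max(highest, class_major_version(fh.read(8)))
    return highest


def jar_loadable_by(jar, jre_release: int) -> bool:
    """True when every plain class in the jar can be loaded by that JRE release."""
    return highest_class_version_in_jar(jar) <= jre_release + 44


def fips_enabled(run: Callable[..., subprocess.CompletedProcess] = subprocess.run) -> Optional[bool]:
    """Query crypto.fips_enabled the way pkispawn does, but tolerate failure.

    Returns True/False from the sysctl value, or None when sysctl exits
    non-zero (e.g. the kernel has no such key), instead of raising.
    """
    proc = run(["sysctl", "crypto.fips_enabled", "-bn"], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip() == "1"


def fake_sysctl(returncode: int, stdout: str = "") -> Callable[..., subprocess.CompletedProcess]:
    """Constructed stand-in for subprocess.run, used to exercise fips_enabled offline."""
    return lambda args, **kw: subprocess.CompletedProcess(args, returncode, stdout, "")


def make_sample_jar(major: int, with_versioned_entry: bool = False) -> io.BytesIO:
    """Build a constructed in-memory jar holding one class of the given major
    version, optionally plus a Java 9 class under META-INF/versions/9/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/Demo.class", struct.pack(">IHH", CLASS_MAGIC, 0, major) + b"\x00" * 8)
        if with_versioned_entry:
            zf.writestr("META-INF/versions/9/org/example/Demo.class",
                        struct.pack(">IHH", CLASS_MAGIC, 0, 53) + b"\x00" * 8)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # A jar built by JDK9 (major 53) cannot be loaded by JRE8 (max major 52).
    jdk9_jar = make_sample_jar(53)
    print("JDK9-built jar loadable by JRE8:", jar_loadable_by(jdk9_jar, 8))
    # Simulate the sysctl exit status 255 seen in the report: reported, not raised.
    print("FIPS state when sysctl fails:", fips_enabled(run=fake_sysctl(255)))
```

Point the jar scanner at the jars under Tomcat's lib directory and compare against the JRE that `/usr/share/pki/java-home` resolves to; a result of False is the condition this bug describes, caught before pkispawn spends sixty seconds waiting for a server that cannot start.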

