freeipa team mailing list archive
-
freeipa team
-
Mailing list archive
-
Message #00633
[Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
** Description changed:
- DESCRIPTION
+ [Impact]
The issue occurs while installing IPA server. More specifically whist
configuring pki-tomcatd. The following error is produced.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
- [1/28]: configuring certificate server instance
- ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
- ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
- ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
- [error] RuntimeError: CA configuration failed.
- ipapython.admintool: ERROR CA configuration failed.
- ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
+ [1/28]: configuring certificate server instance
+ ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
+ ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
+ ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
+ [error] RuntimeError: CA configuration failed.
+ ipapython.admintool: ERROR CA configuration failed.
+ ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
- ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN:
+ The cause for this is that tomcat8 is built with JDK9 and is not
+ compatible with instances that have to use JRE8 for other reasons.
- https://pagure.io/dogtagpki/issue/2973
- https://pagure.io/freeipa/issue/7464
+ [Test Case]
- SYSTEM INFORMATION:
+ Install freeipa-server, run ipa-server-install.
- $ lsb_release -a
- No LSB modules are available.
- Distributor ID: Ubuntu
- Description: Ubuntu Bionic Beaver (development branch)
- Release: 18.04
- Codename: bionic
+ [Regression Potential]
- $ sudo dpkg -l | grep freeipa
- ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64 FreeIPA centralized identity framework -- client
- ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files
- ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64 FreeIPA centralized identity framework -- server
- ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration
+ The fix is a fairly big patch for tomcat8 to modify the code so that it
+ runs with JRE8. It passes the upstream test suite though, when run with
+ JRE8 though tomcat itself was built with the default JDK.
- $ sudo dpkg -l | grep dogtag
- ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite
- ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface
- ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface
+ [Other info]
- TO REPRODUCE:
-
- 1. install freeipa-server and freeipa-server-dns
- 2. the following installation options (note I have changed confidential details).
-
- sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXXXXXX -p
- XXXXXXX --mkhomedir --hostname=example.domain.com --ca-signing-
- algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty
- Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp
-
- RESULTS
-
- 1. The above error is produced.
- 2. the pkispawn logs show it waiting for the server and timing out.
-
- 2018-04-20 05:30:19 pkispawn : INFO ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat'
- 2018-04-20 05:30:26 pkispawn : INFO ........... checking https://example.com:8443/ca
- 2018-04-20 05:30:27 pkispawn : INFO ........... waiting for server to start (1s)
- 2018-04-20 05:30:28 pkispawn : INFO ........... waiting for server to start (2s)
- 2018-04-20 05:30:29 pkispawn : INFO ........... waiting for server to start (3s)
- 2018-04-20 05:30:30 pkispawn : INFO ........... waiting for server to start (4s)
- 2018-04-20 05:30:31 pkispawn : INFO ........... waiting for server to start (5s)
-
- ...
-
- 2018-04-20 05:31:22 pkispawn : INFO ........... waiting for server to start (56s)
- 2018-04-20 05:31:23 pkispawn : INFO ........... waiting for server to start (57s)
- 2018-04-20 05:31:24 pkispawn : INFO ........... waiting for server to start (58s)
- 2018-04-20 05:31:25 pkispawn : INFO ........... waiting for server to start (59s)
- 2018-04-20 05:31:26 pkispawn : ERROR ........... server did not start after 60s
- 2018-04-20 05:31:26 pkispawn : ERROR ....... server failed to restart
- 2018-04-20 05:31:26 pkispawn : DEBUG ....... Error Type: Exception
- 2018-04-20 05:31:26 pkispawn : DEBUG ....... Error Message: server failed to restart
- 2018-04-20 05:31:26 pkispawn : DEBUG ....... File "/usr/lib/python2.7/dist-packages/pki/server/pkispawn.py", line 534, in main
- scriptlet.spawn(deployer)
- File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 1022, in spawn
- raise Exception("server failed to restart")
-
- 3. Tomcat services appear to be running
-
- systemctl -l status pki-tomcatd
- ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
- Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
- Active: active (running) since Fri 2018-04-20 06:42:42 UTC; 28min ago
- Docs: man:systemd-sysv-generator(8)
- Process: 23764 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=0/SUCCESS)
- Tasks: 98 (limit: 4915)
- CGroup: /system.slice/pki-tomcatd.service
- └─23951 /usr/share/pki/java-home/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -DRESTEASY_LIB=/usr/share/java/ -Djava.
-
- 4. Trying to curl to ca endpoint results in no response error
-
- curl -k -v https://example.com:8443/ca
- * Trying 10.5.8.88...
- * TCP_NODELAY set
- * Connected to example.com (10.5.8.88) port 8443 (#0)
- * ALPN, offering h2
- * ALPN, offering http/1.1
- * successfully set certificate verify locations:
- * CAfile: /etc/ssl/certs/ca-certificates.crt
- CApath: /etc/ssl/certs
- * TLSv1.2 (OUT), TLS handshake, Client hello (1):
- * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
- * Closing connection 0
- curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
+ Patch will be sent upstream too.
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616
Title:
freeipa server install fails - RuntimeError: CA configuration failed.
Status in freeipa package in Ubuntu:
Invalid
Status in tomcat8 package in Ubuntu:
In Progress
Status in freeipa source package in Bionic:
Invalid
Status in tomcat8 source package in Bionic:
Confirmed
Status in tomcat8 package in Debian:
Unknown
Bug description:
[Impact]
The issue occurs while installing IPA server. More specifically whist
configuring pki-tomcatd. The following error is produced.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The cause for this is that tomcat8 is built with JDK9 and is not
compatible with instances that have to use JRE8 for other reasons.
[Test Case]
Install freeipa-server, run ipa-server-install.
[Regression Potential]
The fix is a fairly big patch for tomcat8 to modify the code so that
it runs with JRE8. It passes the upstream test suite though, when run
with JRE8 though tomcat itself was built with the default JDK.
[Other info]
Patch will be sent upstream too.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions
References