
freeipa team mailing list archive

[Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.

 

Now I have another problem. ipa-server-install stops at step "[19/21]:
starting httpd" of HTTP configuration. From my investigation, it seems
that the problem is that the SSL private key in
/var/lib/ipa/private/httpd.key has a passphrase, saved in
/var/lib/ipa/<host>-443-RSA. The passphrase is correct (I checked with
openssl), but Apache does not find it. These are the messages I get in
/var/log/apache2/error.log:

[Sat May 05 19:02:57.836869 2018] [mpm_event:notice] [pid 967:tid 140026405403584] AH00491: caught SIGTERM, shutting down
[Sat May 05 19:03:10.609244 2018] [ssl:emerg] [pid 6154:tid 140498019421120] AH02580: Init: Pass phrase incorrect for key ipa.labeconomia.unich.it:443:0
[Sat May 05 19:03:10.609443 2018] [ssl:emerg] [pid 6154:tid 140498019421120] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sat May 05 19:03:10.609465 2018] [ssl:emerg] [pid 6154:tid 140498019421120] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Sat May 05 19:03:10.609481 2018] [ssl:emerg] [pid 6154:tid 140498019421120] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sat May 05 19:03:10.609498 2018] [ssl:emerg] [pid 6154:tid 140498019421120] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSA)
[Sat May 05 19:03:10.609514 2018] [ssl:emerg] [pid 6154:tid 140498019421120] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Sat May 05 19:03:10.609530 2018] [ssl:emerg] [pid 6154:tid 140498019421120] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sat May 05 19:03:10.609546 2018] [ssl:emerg] [pid 6154:tid 140498019421120] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Sat May 05 19:03:10.609564 2018] [ssl:emerg] [pid 6154:tid 140498019421120] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
[Sat May 05 19:03:10.609576 2018] [ssl:emerg] [pid 6154:tid 140498019421120] AH02564: Failed to configure encrypted (?) private key ipa.labeconomia.unich.it:443:0, check /var/lib/ipa/private/httpd.key

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
  freeipa server install fails -  RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu:
  Invalid
Status in tomcat8 package in Ubuntu:
  In Progress
Status in freeipa source package in Bionic:
  Invalid
Status in tomcat8 source package in Bionic:
  Confirmed
Status in tomcat8 package in Debian:
  New

Bug description:
  [Impact]

  The issue occurs while installing IPA server. More specifically whilst
  configuring pki-tomcatd. The following error is produced.

  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
        [1/28]: configuring certificate server instance
      ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn    : ERROR    ........... server did not start after 60s\npkispawn    : ERROR    ....... server failed to restart\n")
      ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
      ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
        [error] RuntimeError: CA configuration failed.
      ipapython.admintool: ERROR    CA configuration failed.
      ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  The cause for this is that tomcat8 is built with JDK9 and is not
  compatible with instances that have to use JRE8 for other reasons.

  [Test Case]

  Install freeipa-server, run ipa-server-install.

  [Regression Potential]

  The fix is a fairly big patch for tomcat8 to modify the code so that
  it runs with JRE8. It passes the upstream test suite though, when run
  with JRE8 though tomcat itself was built with the default JDK.

  [Other info]

  Patch will be sent upstream too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions
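
A triage helper for the error.log excerpt in the message above, added here as an example; it is not part of the original message or of FreeIPA. It groups the `[ssl:emerg]` lines by Apache pid and extracts the key identifier, the key file, and the ASN.1 types named in the OpenSSL errors. The function and field names are hypothetical, and the sample lines are copied from the excerpt.

```python
import re

# Sample input: four lines copied from the error.log excerpt in the message.
SAMPLE_LOG = """\
[Sat May 05 19:03:10.609244 2018] [ssl:emerg] [pid 6154:tid 140498019421120] AH02580: Init: Pass phrase incorrect for key ipa.labeconomia.unich.it:443:0
[Sat May 05 19:03:10.609498 2018] [ssl:emerg] [pid 6154:tid 140498019421120] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSA)
[Sat May 05 19:03:10.609546 2018] [ssl:emerg] [pid 6154:tid 140498019421120] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Sat May 05 19:03:10.609576 2018] [ssl:emerg] [pid 6154:tid 140498019421120] AH02564: Failed to configure encrypted (?) private key ipa.labeconomia.unich.it:443:0, check /var/lib/ipa/private/httpd.key
"""

LINE = re.compile(r"^\[[^\]]+\] \[ssl:emerg\] \[pid (\d+):tid \d+\] (.*)$")
AH_CODE = re.compile(r"^(AH\d{5}): ")
KEY_ID = re.compile(r"key ([\w.-]+:\d+:\d+)")
KEY_FILE = re.compile(r"check (\S+)$")
ASN1_TYPE = re.compile(r"\(Type=(\w+)\)")


def summarize_ssl_failures(log_text):
    """Return one record per Apache pid that logged [ssl:emerg] lines."""
    records = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other modules and log levels are ignored
        pid, msg = int(m.group(1)), m.group(2)
        rec = records.setdefault(pid, {
            "codes": [], "key_id": None, "key_file": None,
            "asn1_types": [], "passphrase_rejected": False,
        })
        code = AH_CODE.match(msg)
        if code:
            rec["codes"].append(code.group(1))
            if code.group(1) == "AH02580":  # "Pass phrase incorrect for key"
                rec["passphrase_rejected"] = True
            if code.group(1) == "AH02564":  # names the key file to check
                path = KEY_FILE.search(msg)
                rec["key_file"] = path.group(1) if path else None
        key = KEY_ID.search(msg)
        if key:
            rec["key_id"] = key.group(1)
        asn1 = ASN1_TYPE.search(msg)
        if asn1 and asn1.group(1) not in rec["asn1_types"]:
            rec["asn1_types"].append(asn1.group(1))
    return records


if __name__ == "__main__":
    for pid, rec in summarize_ssl_failures(SAMPLE_LOG).items():
        print(pid, rec)
```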

