freeipa team mailing list archive

Thread
Date

[Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run

To: freeipa@xxxxxxxxxxxxxxxxxxx
From: Robie Basak <1769440@xxxxxxxxxxxxxxxxxx>
Date: Thu, 02 Aug 2018 12:27:03 -0000
Reply-to: Bug 1769440 <1769440@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

> Looks like bind9 is fixed! Install completes with no issues and named-
pks11 runs without crashing.

Great! Thank you for the report.

I'm not sure this bug was ever clear on exactly what the problem was
with bind9, in terms of bind9. And if it is now fixed, I don't know when
it was fixed. So I'll mark the bind9 task Incomplete for now. If someone
wants to describe the bind9 bug in terms of bind9 itself, and/or
describe when it was fixed, we can update the status appropriately.

** Changed in: bind9 (Ubuntu)
       Status: Triaged => Incomplete

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Incomplete
Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec
  ute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions

References

[Bug 1769440] [NEW] freeipa server install fails - Configuring the web interface, setting up ssl
From: keestux, 2018-05-06