Bug 1202759
Summary: | ipa-server-install fails with tomcat6-6.0.24-84.el6 | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Patrik Kis <pkis> |
Component: | tomcat6 | Assignee: | David Knox <dknox> |
Status: | CLOSED ERRATA | QA Contact: | tomcat-qe |
Severity: | high | Priority: | high |
Version: | 6.7 | CC: | jclere, mbabacek, mkosek, rhatlapa, tlavigne |
Target Milestone: | rc | Keywords: | Regression |
Hardware: | Unspecified | OS: | Unspecified |
Doc Type: | Bug Fix | Type: | Bug |
Last Closed: | 2015-07-22 07:27:58 UTC | | |
Doc Text: | After upgrading from tomcat6-6.0.24-83 to tomcat6-6.0.24-84, it was not possible to install the IPA server with tomcat6-6.0.24-84, and the "Failed to restart the certificate server" message was displayed. A fix has been applied, and the IPA server can now be installed successfully in this situation. | | |
Description
Patrik Kis
2015-03-17 12:09:08 UTC
Description of problem:
With tomcat6-6.0.24-84 ipa-server-install fails in:

```
restarting certificate server
ipa : CRITICAL Failed to restart the certificate server. See the installation log for details.
```

I was not able to dig more into the details of what exactly is causing the problem, but it definitely appears when tomcat6 is upgraded from tomcat6-6.0.24-83 to tomcat6-6.0.24-84.

Version-Release number of selected component (if applicable):
tomcat6-6.0.24-84
ipa-server-3.0.0-42.el6
pki-ca-9.0.3-37.el6

How reproducible:
always

Steps to Reproduce:

```
# ipa-server-install --setup-dns --ip-address $IP_ADDR --no-forwarders --hostname=`hostname` -r testrealm -p Secret123 -P Secret123 -a Secret123 --unattended

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host hp-dl360g5-01.rhts.eng.bos.redhat.com
The domain name has been determined based on the host name.

Using reverse zone 64.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      hp-dl360g5-01.rhts.eng.bos.redhat.com
IP address:    10.16.64.208
Domain name:   rhts.eng.bos.redhat.com
Realm name:    TESTREALM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  64.16.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
ipa : CRITICAL Failed to restart the certificate server. See the installation log for details.
  [16/21]: requesting RA certificate from CA
[Errno 111] Connection refused
#
#
# tail -100 /var/log/ipaserver-install.log
2015-03-17T11:42:17Z DEBUG   [15/21]: restarting certificate server
2015-03-17T11:42:20Z DEBUG args=/sbin/service pki-cad restart pki-ca
2015-03-17T11:42:20Z DEBUG stdout=Stopping pki-ca: [ OK ]
Starting pki-ca: [ OK ]
2015-03-17T11:42:20Z DEBUG stderr=
2015-03-17T11:42:20Z DEBUG args=/sbin/service pki-cad status pki-ca
2015-03-17T11:42:20Z DEBUG stdout=pki-ca (pid 22504) is running...[ OK ]
Unsecure Port = http://hp-dl360g5-01.rhts.eng.bos.redhat.com:9180/ca/ee/ca
Secure Agent Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9443/ca/agent/ca
Secure EE Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9444/ca/ee/ca
Secure Admin Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca/services
EE Client Auth Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: IPA
URL: https://hp-dl360g5-01.rhts.eng.bos.redhat.com:443
==========================================================================
2015-03-17T11:42:20Z DEBUG stderr=
2015-03-17T11:42:20Z DEBUG wait_for_open_ports: localhost [9180, 9443, 9444] timeout 300
2015-03-17T11:47:20Z CRITICAL Failed to restart the certificate server. See the installation log for details.
2015-03-17T11:47:20Z DEBUG   duration: 303 seconds
2015-03-17T11:47:20Z DEBUG   [16/21]: requesting RA certificate from CA
2015-03-17T11:47:21Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=TESTREALM -z /tmp/tmpLeVAZX -a
2015-03-17T11:47:21Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: IPA RA
Email: (not specified)
Organization: TESTREALM
State: (not specified)
Country: (not specified)
2015-03-17T11:47:21Z DEBUG stderr=
Generating key. This may take a few moments...
2015-03-17T11:47:21Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 942, in main
    subject_base=options.subject)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1200, in __request_ra_certificate
    conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
  File "/usr/lib64/python2.6/httplib.py", line 914, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 739, in send
    self.connect()
  File "/usr/lib64/python2.6/httplib.py", line 720, in connect
    self.timeout)
  File "/usr/lib64/python2.6/socket.py", line 567, in create_connection
    raise error, msg
2015-03-17T11:47:21Z INFO The ipa-server-install command failed, exception: error: [Errno 111] Connection refused
#
# service pki-cad status pki-ca
pki-ca (pid 22504) is running...[ OK ]
Unsecure Port = http://hp-dl360g5-01.rhts.eng.bos.redhat.com:9180/ca/ee/ca
Secure Agent Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9443/ca/agent/ca
Secure EE Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9444/ca/ee/ca
Secure Admin Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca/services
EE Client Auth Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: IPA
URL: https://hp-dl360g5-01.rhts.eng.bos.redhat.com:443
==========================================================================
# netstat -putna |grep -e 9180 -e 9443 -e 9444
#
```

The same reproducer on a system with tomcat6-6.0.24-83:

```
# service pki-cad status pki-ca
pki-ca (pid 18468) is running...[ OK ]
Unsecure Port = http://sheep-12.lab.eng.brq.redhat.com:9180/ca/ee/ca
Secure Agent Port = https://sheep-12.lab.eng.brq.redhat.com:9443/ca/agent/ca
Secure EE Port = https://sheep-12.lab.eng.brq.redhat.com:9444/ca/ee/ca
Secure Admin Port = https://sheep-12.lab.eng.brq.redhat.com:9445/ca/services
EE Client Auth Port = https://sheep-12.lab.eng.brq.redhat.com:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://sheep-12.lab.eng.brq.redhat.com:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: IPA
URL: https://sheep-12.lab.eng.brq.redhat.com:443
==========================================================================
# netstat -putna |grep -e 9180 -e 9443 -e 9444
tcp        0      0 :::9180      :::*      LISTEN      18468/java
tcp        0      0 :::9443      :::*      LISTEN      18468/java
tcp        0      0 :::9444      :::*      LISTEN      18468/java
```

The reproduction steps were tried with tomcat6-6.0.24-83.el6, tomcat6-6.0.24-84.el6 and tomcat6-6.0.24-90.el6. We were able to reproduce the failure of the CA server on tomcat6-6.0.24-84.el6 and verified that the installation works with the other two tomcat versions.

Thanks Milan (mkubik) for his help verifying this BZ.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1461.html
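
The symptom in this report is an init script that says pki-ca is running while nothing listens on ports 9180, 9443 or 9444. As an added example (not code from this bug report or from IPA's own `wait_for_open_ports`; the function names are hypothetical), a post-restart check that polls the ports itself instead of trusting the status output:

```python
import socket
import time

# CA ports taken from the "wait_for_open_ports" line in the installer log.
CA_PORTS = (9180, 9443, 9444)


def port_is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def wait_for_ports(host, ports, timeout=300.0, interval=1.0):
    """Poll until every port accepts connections or the timeout expires.

    Returns the sorted list of ports that are still closed; an empty
    list means the service is actually reachable.
    """
    deadline = time.monotonic() + timeout
    pending = set(ports)
    while True:
        pending = {p for p in pending if not port_is_open(host, p)}
        if not pending or time.monotonic() >= deadline:
            return sorted(pending)
        time.sleep(interval)


def restart_verdict(status_says_running, closed_ports):
    """Combine the init script's claim with the observed listeners."""
    if not closed_ports:
        return "ok"
    if status_says_running:
        # The case in this report: a PID exists but no socket is bound.
        return "running-but-not-listening on %s" % closed_ports
    return "not-running"


if __name__ == "__main__":
    # Short timeout for an interactive check; the installer log used 300 s.
    closed = wait_for_ports("localhost", CA_PORTS, timeout=5.0)
    print(restart_verdict(True, closed))
```
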