Bug 1202759

Summary: ipa-server-install fails with tomcat6-6.0.24-84.el6
Product: Red Hat Enterprise Linux 6
Reporter: Patrik Kis <pkis>
Component: tomcat6
Assignee: David Knox <dknox>
Status: CLOSED ERRATA
QA Contact: tomcat-qe
Severity: high
Priority: high
Version: 6.7
CC: jclere, mbabacek, mkosek, rhatlapa, tlavigne
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
After upgrading from tomcat6-6.0.24-83 to tomcat6-6.0.24-84, it was not possible to install the IPA server with tomcat6-6.0.24-84, and the "Failed to restart the certificate server" message was displayed. A fix has been applied, and the IPA server can now be installed successfully in this situation.
Last Closed: 2015-07-22 07:27:58 UTC
Type: Bug

Description Patrik Kis 2015-03-17 12:09:08 UTC

Comment 1 Patrik Kis 2015-03-17 12:17:39 UTC
Description of problem:

With tomcat6-6.0.24-84 ipa-server-install fails in:
 restarting certificate server
ipa         : CRITICAL Failed to restart the certificate server. See the installation log for details.

I was not able to dig more into the details of what exactly is causing the problem, but it definitely appears when tomcat6 is upgraded from tomcat6-6.0.24-83 to tomcat6-6.0.24-84.

Version-Release number of selected component (if applicable):
tomcat6-6.0.24-84

ipa-server-3.0.0-42.el6
pki-ca-9.0.3-37.el6

How reproducible:
always

Steps to Reproduce:

# ipa-server-install --setup-dns --ip-address $IP_ADDR --no-forwarders --hostname=`hostname` -r testrealm -p Secret123 -P Secret123 -a Secret123 --unattended 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host hp-dl360g5-01.rhts.eng.bos.redhat.com
The domain name has been determined based on the host name.

Using reverse zone 64.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      hp-dl360g5-01.rhts.eng.bos.redhat.com
IP address:    10.16.64.208
Domain name:   rhts.eng.bos.redhat.com
Realm name:    TESTREALM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  64.16.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
ipa         : CRITICAL Failed to restart the certificate server. See the installation log for details.
  [16/21]: requesting RA certificate from CA
[Errno 111] Connection refused
#
#
# tail -100 /var/log/ipaserver-install.log 
2015-03-17T11:42:17Z DEBUG   [15/21]: restarting certificate server
2015-03-17T11:42:20Z DEBUG args=/sbin/service pki-cad restart pki-ca
2015-03-17T11:42:20Z DEBUG stdout=Stopping pki-ca: [  OK  ]
Starting pki-ca: [  OK  ]

2015-03-17T11:42:20Z DEBUG stderr=
2015-03-17T11:42:20Z DEBUG args=/sbin/service pki-cad status pki-ca
2015-03-17T11:42:20Z DEBUG stdout=pki-ca (pid 22504) is running...[  OK  ]
    Unsecure Port       = http://hp-dl360g5-01.rhts.eng.bos.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca/services
    EE Client Auth Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://hp-dl360g5-01.rhts.eng.bos.redhat.com:443
    ==========================================================================

2015-03-17T11:42:20Z DEBUG stderr=
2015-03-17T11:42:20Z DEBUG wait_for_open_ports: localhost [9180, 9443, 9444] timeout 300
2015-03-17T11:47:20Z CRITICAL Failed to restart the certificate server. See the installation log for details.
2015-03-17T11:47:20Z DEBUG   duration: 303 seconds
2015-03-17T11:47:20Z DEBUG   [16/21]: requesting RA certificate from CA
2015-03-17T11:47:21Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=TESTREALM -z /tmp/tmpLeVAZX -a
2015-03-17T11:47:21Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: IPA RA
Email: (not specified)
Organization: TESTREALM
State: (not specified)
Country: (not specified)


2015-03-17T11:47:21Z DEBUG stderr=

Generating key.  This may take a few moments...


2015-03-17T11:47:21Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 942, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1200, in __request_ra_certificate
    conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)

  File "/usr/lib64/python2.6/httplib.py", line 914, in request
    self._send_request(method, url, body, headers)

  File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
    self.endheaders()

  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()

  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)

  File "/usr/lib64/python2.6/httplib.py", line 739, in send
    self.connect()

  File "/usr/lib64/python2.6/httplib.py", line 720, in connect
    self.timeout)

  File "/usr/lib64/python2.6/socket.py", line 567, in create_connection
    raise error, msg

2015-03-17T11:47:21Z INFO The ipa-server-install command failed, exception: error: [Errno 111] Connection refused
#
# service pki-cad status pki-ca
pki-ca (pid 22504) is running...[  OK  ]
    Unsecure Port       = http://hp-dl360g5-01.rhts.eng.bos.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca/services
    EE Client Auth Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://hp-dl360g5-01.rhts.eng.bos.redhat.com:443
    ==========================================================================
# netstat -putna |grep -e 9180 -e 9443 -e 9444
#


The same reproducer on system with tomcat6-6.0.24-83:


# service pki-cad status pki-ca
pki-ca (pid 18468) is running...[  OK  ]
    Unsecure Port       = http://sheep-12.lab.eng.brq.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://sheep-12.lab.eng.brq.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://sheep-12.lab.eng.brq.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://sheep-12.lab.eng.brq.redhat.com:9445/ca/services
    EE Client Auth Port = https://sheep-12.lab.eng.brq.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://sheep-12.lab.eng.brq.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://sheep-12.lab.eng.brq.redhat.com:443
    ==========================================================================
# netstat -putna |grep -e 9180 -e 9443 -e 9444
tcp        0      0 :::9180                     :::*                        LISTEN      18468/java          
tcp        0      0 :::9443                     :::*                        LISTEN      18468/java          
tcp        0      0 :::9444                     :::*                        LISTEN      18468/java
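
The failure signature in this report is that `service pki-cad status` reports a running process and prints its port table while nothing is bound to the ports the installer waits on. As an added example (not part of the original report and not IPA's own code), this Python script cross-checks the two outputs; the function names and the sample text with host `ca.example.test` are constructed for illustration.

```python
import re

# Ports the installer waited on (from the wait_for_open_ports log line).
INSTALLER_PORTS = [9180, 9443, 9444]

# Constructed sample inputs modelled on the outputs in this report.
STATUS = """pki-ca (pid 22504) is running...[  OK  ]
    Unsecure Port       = http://ca.example.test:9180/ca/ee/ca
    Secure Agent Port   = https://ca.example.test:9443/ca/agent/ca
    Secure EE Port      = https://ca.example.test:9444/ca/ee/ca
    Tomcat Port         = 9701 (for shutdown)
"""
NETSTAT_83 = """tcp   0   0 :::9180   :::*   LISTEN   18468/java
tcp   0   0 :::9443   :::*   LISTEN   18468/java
tcp   0   0 :::9444   :::*   LISTEN   18468/java
"""
NETSTAT_84 = ""  # the grep returned nothing on the failing system


def advertised_ports(status_text):
    """Ports named in the URLs printed by the pki-cad status command."""
    found = re.findall(r"https?://[^\s/:]+:(\d+)", status_text)
    return sorted({int(p) for p in found})


def listening_ports(netstat_text):
    """Local TCP ports in LISTEN state from `netstat -putna` output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Columns: proto recv-q send-q local foreign state pid/program
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def missing_listeners(status_text, netstat_text, required=INSTALLER_PORTS):
    """Required ports the status output advertises but no socket is bound to."""
    advertised = set(advertised_ports(status_text))
    listening = listening_ports(netstat_text)
    return [p for p in required if p in advertised and p not in listening]


if __name__ == "__main__":
    print("tomcat6 -83:", missing_listeners(STATUS, NETSTAT_83))
    print("tomcat6 -84:", missing_listeners(STATUS, NETSTAT_84))
```

A non-empty result means the init script's "running" status cannot be trusted as a health signal, which is the condition that left the installer waiting 300 seconds before the connection-refused error.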

Comment 10 Radim Hatlapatka 2015-06-08 13:55:33 UTC
The reproduction steps were tried with tomcat6-6.0.24-83.el6, tomcat6-6.0.24-84.el6 and tomcat6-6.0.24-90.el6.

We were able to reproduce the failure of the CA server on tomcat6-6.0.24-84.el6 and verified that the installation works with the other two tomcat versions. Thanks to Milan (mkubik) for his help verifying this BZ.

Comment 12 errata-xmlrpc 2015-07-22 07:27:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1461.html