Bug 1202759
| Summary: | ipa-server-install fails with tomcat6-6.0.24-84.el6 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Patrik Kis <pkis> |
| Component: | tomcat6 | Assignee: | David Knox <dknox> |
| Status: | CLOSED ERRATA | QA Contact: | tomcat-qe |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.7 | CC: | jclere, mbabacek, mkosek, rhatlapa, tlavigne |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-07-22 07:27:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text: After upgrading from tomcat6-6.0.24-83 to tomcat6-6.0.24-84, it was not possible to install the IPA server with tomcat6-6.0.24-84, and the "Failed to restart the certificate server" message was displayed. A fix has been applied, and the IPA server can now be installed successfully in this situation.

Description
Patrik Kis
2015-03-17 12:09:08 UTC
Description of problem:
With tomcat6-6.0.24-84 ipa-server-install fails in:
restarting certificate server
ipa : CRITICAL Failed to restart the certificate server. See the installation log for details.
I was not able to dig deeper into what exactly is causing the problem, but it definitely appears when tomcat6 is upgraded from tomcat6-6.0.24-83 to tomcat6-6.0.24-84.
Version-Release number of selected component (if applicable):
tomcat6-6.0.24-84
ipa-server-3.0.0-42.el6
pki-ca-9.0.3-37.el6
How reproducible:
always
Steps to Reproduce:
# ipa-server-install --setup-dns --ip-address $IP_ADDR --no-forwarders --hostname=`hostname` -r testrealm -p Secret123 -P Secret123 -a Secret123 --unattended
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Warning: skipping DNS resolution of host hp-dl360g5-01.rhts.eng.bos.redhat.com
The domain name has been determined based on the host name.
Using reverse zone 64.16.10.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: hp-dl360g5-01.rhts.eng.bos.redhat.com
IP address: 10.16.64.208
Domain name: rhts.eng.bos.redhat.com
Realm name: TESTREALM
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Reverse zone: 64.16.10.in-addr.arpa.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
[1/21]: creating certificate server user
[2/21]: creating pki-ca instance
[3/21]: configuring certificate server instance
[4/21]: disabling nonces
[5/21]: creating CA agent PKCS#12 file in /root
[6/21]: creating RA agent certificate database
[7/21]: importing CA chain to RA certificate database
[8/21]: fixing RA database permissions
[9/21]: setting up signing cert profile
[10/21]: set up CRL publishing
[11/21]: set certificate subject base
[12/21]: enabling Subject Key Identifier
[13/21]: setting audit signing renewal to 2 years
[14/21]: configuring certificate server to start on boot
[15/21]: restarting certificate server
ipa : CRITICAL Failed to restart the certificate server. See the installation log for details.
[16/21]: requesting RA certificate from CA
[Errno 111] Connection refused
#
#
# tail -100 /var/log/ipaserver-install.log
2015-03-17T11:42:17Z DEBUG [15/21]: restarting certificate server
2015-03-17T11:42:20Z DEBUG args=/sbin/service pki-cad restart pki-ca
2015-03-17T11:42:20Z DEBUG stdout=Stopping pki-ca: [ OK ]
Starting pki-ca: [ OK ]
2015-03-17T11:42:20Z DEBUG stderr=
2015-03-17T11:42:20Z DEBUG args=/sbin/service pki-cad status pki-ca
2015-03-17T11:42:20Z DEBUG stdout=pki-ca (pid 22504) is running...[ OK ]
Unsecure Port = http://hp-dl360g5-01.rhts.eng.bos.redhat.com:9180/ca/ee/ca
Secure Agent Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9443/ca/agent/ca
Secure EE Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9444/ca/ee/ca
Secure Admin Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca/services
EE Client Auth Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: IPA
URL: https://hp-dl360g5-01.rhts.eng.bos.redhat.com:443
==========================================================================
2015-03-17T11:42:20Z DEBUG stderr=
2015-03-17T11:42:20Z DEBUG wait_for_open_ports: localhost [9180, 9443, 9444] timeout 300
2015-03-17T11:47:20Z CRITICAL Failed to restart the certificate server. See the installation log for details.
2015-03-17T11:47:20Z DEBUG duration: 303 seconds
2015-03-17T11:47:20Z DEBUG [16/21]: requesting RA certificate from CA
2015-03-17T11:47:21Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=TESTREALM -z /tmp/tmpLeVAZX -a
2015-03-17T11:47:21Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: IPA RA
Email: (not specified)
Organization: TESTREALM
State: (not specified)
Country: (not specified)
2015-03-17T11:47:21Z DEBUG stderr=
Generating key. This may take a few moments...
2015-03-17T11:47:21Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
return_value = main_function()
File "/usr/sbin/ipa-server-install", line 942, in main
subject_base=options.subject)
File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
self.start_creation(runtime=210)
File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
method()
File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1200, in __request_ra_certificate
conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
File "/usr/lib64/python2.6/httplib.py", line 914, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
self.endheaders()
File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
self._send_output()
File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
self.send(msg)
File "/usr/lib64/python2.6/httplib.py", line 739, in send
self.connect()
File "/usr/lib64/python2.6/httplib.py", line 720, in connect
self.timeout)
File "/usr/lib64/python2.6/socket.py", line 567, in create_connection
raise error, msg
2015-03-17T11:47:21Z INFO The ipa-server-install command failed, exception: error: [Errno 111] Connection refused
#
# service pki-cad status pki-ca
pki-ca (pid 22504) is running...[ OK ]
Unsecure Port = http://hp-dl360g5-01.rhts.eng.bos.redhat.com:9180/ca/ee/ca
Secure Agent Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9443/ca/agent/ca
Secure EE Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9444/ca/ee/ca
Secure Admin Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca/services
EE Client Auth Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: IPA
URL: https://hp-dl360g5-01.rhts.eng.bos.redhat.com:443
==========================================================================
# netstat -putna |grep -e 9180 -e 9443 -e 9444
#
The same reproducer on a system with tomcat6-6.0.24-83:
# service pki-cad status pki-ca
pki-ca (pid 18468) is running...[ OK ]
Unsecure Port = http://sheep-12.lab.eng.brq.redhat.com:9180/ca/ee/ca
Secure Agent Port = https://sheep-12.lab.eng.brq.redhat.com:9443/ca/agent/ca
Secure EE Port = https://sheep-12.lab.eng.brq.redhat.com:9444/ca/ee/ca
Secure Admin Port = https://sheep-12.lab.eng.brq.redhat.com:9445/ca/services
EE Client Auth Port = https://sheep-12.lab.eng.brq.redhat.com:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://sheep-12.lab.eng.brq.redhat.com:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: IPA
URL: https://sheep-12.lab.eng.brq.redhat.com:443
==========================================================================
# netstat -putna |grep -e 9180 -e 9443 -e 9444
tcp 0 0 :::9180 :::* LISTEN 18468/java
tcp 0 0 :::9443 :::* LISTEN 18468/java
tcp 0 0 :::9444 :::* LISTEN 18468/java
The reproduction steps were tried with tomcat6-6.0.24-83.el6, tomcat6-6.0.24-84.el6 and tomcat6-6.0.24-90.el6. We were able to reproduce the failure of the CA server on tomcat6-6.0.24-84.el6 and verified that the installation works with the other two tomcat versions. Thanks Milan (mkubik) for his help verifying this BZ.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1461.html
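
The failure pattern in the description above, where `service pki-cad status` reports a running PID while none of the ports named in `wait_for_open_ports` is listening, can be checked mechanically from the installer log and the `netstat` output. This is an added example, not part of the bug report or of IPA; the function names are hypothetical and the sample input is taken from the excerpts in the description.

```python
import re
from datetime import datetime

# Sample input: lines copied from the log and netstat excerpts in the report.
SAMPLE_LOG = """\
2015-03-17T11:42:20Z DEBUG stdout=pki-ca (pid 22504) is running...[ OK ]
2015-03-17T11:42:20Z DEBUG wait_for_open_ports: localhost [9180, 9443, 9444] timeout 300
2015-03-17T11:47:20Z CRITICAL Failed to restart the certificate server. See the installation log for details.
"""
# netstat on the working (-83) host; on the failing (-84) host the grep printed nothing.
SAMPLE_NETSTAT_83 = """\
tcp 0 0 :::9180 :::* LISTEN 18468/java
tcp 0 0 :::9443 :::* LISTEN 18468/java
tcp 0 0 :::9444 :::* LISTEN 18468/java
"""

WAIT_RE = re.compile(r"^(\S+) DEBUG wait_for_open_ports: \S+ \[([\d, ]+)\] timeout (\d+)")
STAMP_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\w+) ")

def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def find_port_wait_timeouts(log_text):
    """Return (ports, timeout, waited) for every port wait that ran out its timeout."""
    lines = log_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = WAIT_RE.match(line)
        if not m:
            continue
        ports, timeout = [int(p) for p in m.group(2).split(",")], int(m.group(3))
        # The next timestamped line shows when, and how, the wait ended.
        for later in lines[i + 1:]:
            n = STAMP_RE.match(later)
            if n:
                waited = int((_ts(n.group(1)) - _ts(m.group(1))).total_seconds())
                if n.group(2) == "CRITICAL" and waited >= timeout:
                    hits.append((ports, timeout, waited))
                break
    return hits

def missing_listeners(netstat_text, ports):
    """Return the ports with no TCP LISTEN socket in `netstat -putna` output."""
    listening = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            listening.add(int(f[3].rsplit(":", 1)[1]))
    return sorted(set(ports) - listening)
```

Run against the failing host, `missing_listeners` with empty `netstat` output returns all three ports, which is the condition that separates "process running" from "service reachable" in this report.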