Bug 1358849
Field | Value
---|---
Summary | CA replica install logs to wrong log file
Product | Red Hat Enterprise Linux 7
Component | ipa
Version | 7.3
Status | CLOSED ERRATA
Severity | unspecified
Priority | unspecified
Reporter | Petr Vobornik <pvoborni>
Assignee | IPA Maintainers <ipa-maint>
QA Contact | Kaleem <ksiddiqu>
CC | mbabinsk, pvoborni, rcritten, spoore
Target Milestone | rc
Hardware | Unspecified
OS | Unspecified
Fixed In Version | ipa-4.4.0-4.el7
Doc Type | If docs needed, set a value
Last Closed | 2016-11-04 05:58:48 UTC

Description
Petr Vobornik
2016-07-21 15:24:56 UTC
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/1b8a36d134dd320896e05809cc6b49f725eadda7

Petr,

Was this change reverted/undone?

I tried ipa-ca-install with pki-tomcatd down on IPA master as well as with a version of pki-core with known issue. In both cases, I only saw:

```
...start truncated...
[4/26]: creating installation admin user
[5/26]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDxqpZU' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.
...end...
```

I don't see a mention of ipareplica-ca-install.log. Is that not shown in all cases? Any thoughts on how I might be able to force a failure that would show the log?

Never mind, I found a way. Will post verification shortly.

Verified.

Version ::

ipa-server-4.4.0-10.el7.x86_64

Results ::

```
[root@vm2 ~]# chattr +i /tmp/ca.p12
[root@vm2 ~]# rm /tmp/ca.p12
rm: remove regular empty file ‘/tmp/ca.p12’? y
rm: cannot remove ‘/tmp/ca.p12’: Operation not permitted
[root@vm2 ~]# ipa-ca-install -p Secret123 -U
Run connection check to master
Connection check OK
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SecurityWarning
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/26]: creating certificate server user
[2/26]: creating certificate server db
[3/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

[4/26]: creating installation admin user
[5/26]: setting up certificate server
[error] IOError: [Errno 13] Permission denied: '/tmp/ca.p12'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
IOError: [Errno 13] Permission denied: '/tmp/ca.p12'
```

forgot to mention before the chattr that I merely ran:

```
touch /tmp/ca.p12
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html