Bug 1409786

Summary: Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: ipaAssignee: fbarreto
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: enewland, fbarreto, frenaud, myusuf, ndehadra, pasik, pvoborni, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.4-9.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 16:40:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1405325    

Description Jan Pazdziora (Red Hat) 2017-01-03 11:25:12 UTC 
Description of problem:

When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fails with

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Version-Release number of selected component (if applicable):

ipa-server-4.4.0-14.el7_3.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U

Actual results:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

/var/log/ipaserver-install.log ends with

2017-01-03T11:17:54Z DEBUG Starting external process
2017-01-03T11:17:54Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_
2017-01-03T11:17:54Z DEBUG Process finished, return code=1
2017-01-03T11:17:54Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170103061754.log
Loading deployment configuration from /tmp/tmp9WqbH_.
ERROR:  Unable to access directory server: Can't contact LDAP server

2017-01-03T11:17:54Z DEBUG stderr=
2017-01-03T11:17:54Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
2017-01-03T11:17:54Z CRITICAL See the installation logs and the following files/directories for more information:
2017-01-03T11:17:54Z CRITICAL   /var/log/pki/pki-tomcat
2017-01-03T11:17:54Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-01-03T11:17:54Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1357, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 267, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 773, in install
    ca.install_step_0(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 173, in install_step_0
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 437, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2017-01-03T11:17:54Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z ERROR CA configuration failed.
2017-01-03T11:17:54Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

No error, the installer makes sure that anything that it needs to be running got started.

Additional info:

This causes problems especially in unattended container installations when completely new container is run for the second phase and the dirsrv is thus not up.
Comment 2 Petr Vobornik 2017-01-13 17:30:27 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6611
Comment 3 fbarreto 2017-07-27 11:45:34 UTC 
PR: https://github.com/freeipa/freeipa/pull/933
Comment 4 Tomas Krizek 2017-09-21 08:24:57 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/bf0b74bec4dc8b75a71d9e8d1374755a81d8b1df
Comment 6 Mohammad Rizwan 2018-01-10 06:23:50 UTC 
version:
ipa-server-4.5.4-7.el7.x86_64
389-ds-base-1.3.7.5-11.el7.x86_64

Steps:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U

Actual result:
ipa install succeed. see attached console logs.

Thus marking bug as verified.
Comment 8 Florence Blanc-Renaud 2018-01-12 15:33:23 UTC 
Moving to assigned as the backport was missing from ipa-4-5
Comment 9 Florence Blanc-Renaud 2018-01-15 09:25:18 UTC 
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/d20cac725fcf47ed581841a0b234bd6ce918b51d
Comment 13 Nikhil Dehadrai 2018-01-25 10:52:15 UTC 
IPA_SERVER-VERSION: ipa-server-4.5.4-9.el7.x86_64
DIRECTORY Server version: 389-ds-base-1.3.7.5-13.el7.x86_64

Verified the bug on the basis of following steps and observations:

Steps:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U

Observation:
1. ipa  server installation is successful.
2. No error messages are observed:

[root@auto-hv-01-guest05 testdb]# cat /var/log/ipaserver-install.log | grep "Failed to configure CA instance"
[root@auto-hv-01-guest05 testdb]# cat /var/log/ipaserver-install.log | grep "CA configuration failed"
[root@auto-hv-01-guest05 testdb]# 

Thus on the basis of above observations, marking the status of bug to 'VERIFIED'.
Comment 17 errata-xmlrpc 2018-04-10 16:40:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918