Bug 1440232

Summary: ipa-kra-install on replica failed: Error: Incorrect client security database password.
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.4
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Reporter: Martin Bašti <mbasti>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: ipa-qe <ipa-qe>
CC: pvoborni, rcritten, tscherf
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-04-13 15:56:02 UTC
Type: Bug

Description Martin Bašti 2017-04-07 15:45:15 UTC
Description of problem:
ipa-kra-install command failed

ipa KRA install log:
2017-04-07T15:12:41Z DEBUG Starting external process
2017-04-07T15:12:41Z DEBUG args=/usr/sbin/pkispawn -s KRA -f /tmp/tmp9SX5Dv
2017-04-07T15:12:43Z DEBUG Process finished, return code=1
2017-04-07T15:12:43Z DEBUG stdout=Log file: /var/log/pki/pki-kra-spawn.20170407171242.log
Loading deployment configuration from /tmp/tmp9SX5Dv.
Installing KRA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg.
Importing certificates from /tmp/tmpKtiUUq:

Installation failed: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-cert-find', '--pkcs12-file', '/tmp/tmpKtiUUq', '--pkcs12-password-file', '/tmp/tmpc3DiEM/password.txt']' returned non-zero exit status 255


2017-04-07T15:12:43Z DEBUG stderr=Error: Incorrect client security database password.

2017-04-07T15:12:43Z CRITICAL Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmp9SX5Dv' returned non-zero exit status 1
2017-04-07T15:12:43Z CRITICAL See the installation logs and the following files/directories for more information:
2017-04-07T15:12:43Z CRITICAL   /var/log/pki/pki-tomcat
2017-04-07T15:12:43Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 423, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 413, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 282, in __spawn_instance
    nolog_list=(self.dm_password, self.admin_password, pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 395, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: KRA configuration failed.


pki-kra-spawn.log
2017-04-07 17:12:43 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
2017-04-07 17:12:43 pkispawn    : DEBUG    ....... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-cert-find', '--pkcs12-file', '/tmp/tmpKtiUUq', '--pkcs12-password-file', '/tmp/tmpc3DiEM/password.txt']' returned non-zero exit status 255
2017-04-07 17:12:43 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 500, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 146, in spawn
    pkcs12.show_certs()
  File "/usr/lib/python2.7/site-packages/pki/pkcs12.py", line 73, in show_certs
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)

Because I see upstream KRA tests green, I assume this is broken only in RHEL.

SELinux is in permissive mode

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-4.el7.x86_64
pki-kra-10.4.1-1.el7.noarch


How reproducible:
Always

Steps to Reproduce:
1. ipa-server-install --setup-kra
2. ipa-replica-install
3. ipa-kra-install (on replica)

Actual results:
KRA installation failed

Expected results:
KRA to be installed

Additional info:

Comment 2 Petr Vobornik 2017-04-07 17:39:09 UTC
Might be bug 1438679

Comment 3 Petr Vobornik 2017-04-13 15:56:02 UTC

*** This bug has been marked as a duplicate of bug 1438679 ***