Bug 1707009
Summary: | pki-spawn fails installing IdM in FIPS mode | |
---|---|---|---
Product: | Red Hat Enterprise Linux 8 | Reporter: | Rob Crittenden <rcritten>
Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint>
Status: | CLOSED DUPLICATE | QA Contact: | Asha Akkiangady <aakkiang>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | --- | CC: | ascheel, mharmsen
Target Milestone: | rc | |
Target Release: | 8.0 | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-05-13 18:25:01 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |

This will be fixed in 8.1.0; marking as duplicate of 1673296.

*** This bug has been marked as a duplicate of bug 1673296 ***

Created attachment 1564575: ca spawn log

Description of problem:

Installing IdM with a dogtag CA fails.

Version-Release number of selected component (if applicable):

ipa-server-4.7.1-11.module+el8+2842+7481110c.x86_64
pki-ca-10.6.9-2.module+el8+2728+a4ad6bba.noarch

How reproducible:

Every time

Steps to Reproduce:

1. ipa-server-install -a password -p password -r EXAMPLE.TEST -U

Actual results:

```
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpmyy4ewti'] returned non-zero exit status 1: 'pkispawn : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:877)\nconfiguration : ERROR Server failed to restart\npkispawn : ERROR Exception: server failed to restart\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn\n raise Exception("server failed to restart")\n\n')
```

The CA cert database is in FIPS mode:

```
# modutil -list -dbdir /var/lib/pki/pki-tomcat/alias

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
       uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.41
     slots: 1 slot attached
    status: loaded

      slot: NSS FIPS 140-2 User Private Key Services
     token: NSS FIPS 140-2 Certificate DB
       uri: pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
    library name: p11-kit-proxy.so
       uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
     slots: 1 slot attached
    status: loaded

      slot: SoftHSM slot ID 0x0
     token:
       uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2
-----------------------------------------------------------
```