Bug 1795215
| Summary: | pkispawn interactive installation failed. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Gaurav Swami <gswami> |
| Component: | pki-core | Assignee: | Alex Scheel <ascheel> |
| Status: | CLOSED ERRATA | QA Contact: | PKI QE <bugzilla-pkiqe> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 8.2 | CC: | aakkiang, ascheel, dmoluguw, dpunia, gkapoor, mharmsen, prisingh |
| Target Milestone: | rc | Keywords: | TestCaseProvided |
| Target Release: | 8.0 | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.6-8020020200219144652.c7c3114f | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-28 15:45:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Gaurav Swami
2020-01-27 13:10:00 UTC
Also failing with KRA installation in interactive mode:

```
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:
Tomcat:
  Instance [pki-tomcat]:
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:
Administrator:
  Username [caadmin]:
  Password:
  Verify password:
  Import certificate (Yes/No) [N]?
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:
Directory Server:
  Hostname [pki2.example.com]:
  Use a secure LDAPS connection (Yes/No/Quit) [N]? Y
  Secure LDAPS Port [636]:
  Directory Server CA certificate pem file: ds.crt
  Bind DN [cn=Directory Manager]:
  Password:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 69, in verify_ds_configuration
    deployer.ds_connect()
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 214, in ds_connect
    self.ds_connection = ldap.initialize(self.ds_url)
  File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 85, in initialize
    return LDAPObject(uri,trace_level,trace_file,trace_stack_limit,bytes_mode)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 104, in __init__
    self._l = ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
  File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 55, in _ldap_function_call
    result = func(*args,**kwargs)
TypeError: initialize() argument 1 must be str, not None

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 939, in <module>
    main(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 335, in main
    verify_ds_configuration()
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 73, in verify_ds_configuration
    deployer.ds_close()
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 227, in ds_close
    self.ds_connection.unbind_s()
AttributeError: 'NoneType' object has no attribute 'unbind_s'
```

Version:

```
[root@pki2 test_dir]# rpm -qi pki-kra
Name        : pki-kra
Version     : 10.8.0
Release     : 0.5.module+el8.2.0+5469+26e16009
Architecture: noarch
Install Date: Tue 21 Jan 2020 03:03:29 AM EST
Group       : Unspecified
Size        : 536414
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Thu 16 Jan 2020 07:32:15 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.8.0-0.5.module+el8.2.0+5469+26e16009.src.rpm
Build Date  : Thu 16 Jan 2020 05:44:55 PM EST
Build Host  : arm64-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/
Summary     : PKI KRA Package
```

Code is not getting server url for ds_connect.

This looks to be an urgent bug. Thus raising priority so that it can be triaged.

This bug has been fixed via following PRs and have been merged to upstream master (10.8):

https://github.com/dogtagpki/pki/pull/321
https://github.com/dogtagpki/pki/pull/322

Commit Information:
===================

```
commit afb708ff5e5fc7402f41170748a0214009821065 (HEAD -> master, origin/master, origin/HEAD)
Author: Dinesh Prasanth M K <SilleBille.github.com>
Date:   Tue Feb 18 13:28:13 2020 -0500

    Fix interactive installation for subsystems other than CA (#322)

    When doing an interactive installation, the pkispawn script tries to
    connect to Security Domain via `sd_connect` and attaches user
    credentials. At this point, the user has not been prompted for any
    credentials. So, the authentication happens with empty strings. As a
    result the interactive installation fails.

    This was not observed in non-interactive installation because all the
    info is provided via cfg file and is available in the dictionary at
    the time of execution.

    This patch moves the authentication logic from `sd_connect()` to
    `sd_login()` (ie) authenticate before trying to log in

    The bug was introduced in commit: 08ea62892a894553d8ceae200618c6fa8d7f0585

    Resolves: BZ#1795215

    Signed-off-by: Dinesh Prasanth M K <dmoluguw>

commit 6e1779da72586af627a6c14403342e2bc7d64fda
Author: Alexander Scheel <ascheel>
Date:   Tue Feb 18 09:44:51 2020 -0500

    Fix interactive DS configuration

    In f218c64bec0ccfe754a42bdcd46c7c2cfc09bc77, PKIDeployer configuration
    was refactored. This included placing most of the DS specific init
    logic into a separate PKIDeployer.init() call. However, this wasn't
    issued until much later in the PKI Spawn process.

    During interactive installations, the user would be prompted for DS
    connection information, which would subsequently be verified. However,
    since PKIDeployer.init() hadn't yet been called, ds_url was None,
    resulting in a connection failure:

    Traceback (most recent call last):
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 69, in verify_ds_configuration
        deployer.ds_connect()
      File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 214, in ds_connect
        self.ds_connection = ldap.initialize(self.ds_url)
      File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 85, in initialize
        return LDAPObject(uri,trace_level,trace_file,trace_stack_limit,bytes_mode)
      File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 104, in __init__
        self._l = ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
      File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 55, in _ldap_function_call
        result = func(*args,**kwargs)
    TypeError: initialize() argument 1 must be str, not None

    Move DS configuration out of init() and into ds_init(); make
    ds_connect() call ds_init() when ds_url is None, and call ds_init()
    from init().

    PKI Spawn has been updated to call ds_init() when necessary, and also
    to reset ds_url to None when validation fails, forcing ds_init() to be
    called again.

    Resolves: rh-bz#1795215

    Signed-off-by: Alexander Scheel <ascheel>
```

Test Procedure:
===============

Interactive installation of all subsystems as mentioned by OP

Checked in to dist-git.

Tested Version:
-------------------------------

```
[root@pki1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.8.2
Release     : 2.module+el8.2.0+5796+110ac6eb
Architecture: noarch
Install Date: Thu 20 Feb 2020 08:02:48 AM EST
Group       : Unspecified
Size        : 2641321
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Wed 19 Feb 2020 12:25:46 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.8.2-2.module+el8.2.0+5796+110ac6eb.src.rpm
Build Date  : Wed 19 Feb 2020 11:18:08 AM EST
Build Host  : arm64-026.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/
```

Case 1:
==========

```
[root@pki1 ~]# pkispawn
IMPORTANT:

    Interactive installation currently only exists for very basic deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate
    configuration file.

    Run 'man pkispawn' for details.

Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:
Tomcat:
  Instance [pki-tomcat]:
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:
Administrator:
  Username [caadmin]:
  Password:
  Verify password:
  Import certificate (Yes/No) [N]?
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:
Directory Server:
  Hostname [pki1.example.com]:
  Use a secure LDAPS connection (Yes/No/Quit) [N]?
  LDAP Port [389]:
  Bind DN [cn=Directory Manager]:
  Password:
  Base DN [o=pki-tomcat-CA]:
Security Domain:
  Name [example.com Security Domain]:
Begin installation (Yes/No/Quit)? Yes
Installation log: /var/log/pki/pki-ca-spawn.20200220080552.log
Installing CA into /var/lib/pki/pki-tomcat.
Notice: Trust flag u is set automatically if the private key is present.
==========================================================================
                                INSTALLATION SUMMARY
==========================================================================
  Administrator's username:             caadmin
  Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12
  To check the status of the subsystem:
            systemctl status pki-tomcatd
  To restart the subsystem:
            systemctl restart pki-tomcatd
  The URL for the subsystem is:
            https://pki1.example.com:8443/ca
  PKI instances will be enabled upon system boot
==========================================================================
[root@pki1 ~]#
```

```
[root@pki1 ~]# pki-server status pki-tomcat
  Instance ID: pki-tomcat
  Active: True
  Unsecure Port: 8080
  Secure Port: 8443
  Tomcat Port: 8005

  CA Subsystem:
    Type:                  Root CA (Security Domain)
    SD Registration URL:   https://pki1.example.com:8443
    Enabled:               True
    Unsecure URL:          http://pki1.example.com:8080/ca/ee/ca
    Secure Agent URL:      https://pki1.example.com:8443/ca/agent/ca
    Secure EE URL:         https://pki1.example.com:8443/ca/ee/ca
    Secure Admin URL:      https://pki1.example.com:8443/ca/services
    PKI Console URL:       https://pki1.example.com:8443/ca
[root@pki1 ~]#
```

As observed in POC, it could be seen that fix is working as expected. Hence, marking this Bugzilla as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1644
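The two failures in the report (ds_url still None when the DS prompts are verified, and ds_close() then crashing on a None connection and hiding the real error) and the lazy ds_init() fix from the second commit, as a constructed Python model. This is added illustration, not Dogtag's code: the Deployer class, the fake LDAP layer and the pki_ds_* dictionary keys are assumptions.

```python
class FakeLDAPConnection:
    """Stand-in for python-ldap's LDAPObject (constructed for this example)."""
    def __init__(self, uri):
        self.uri, self.unbound = uri, False

    def simple_bind_s(self, who, cred):
        if not who:  # a real server checks credentials; here only an empty DN fails
            raise RuntimeError("bind DN is empty")

    def unbind_s(self):
        self.unbound = True

def fake_initialize(uri):  # mimics ldap.initialize(): rejects None as in the traceback
    if not isinstance(uri, str):
        raise TypeError("initialize() argument 1 must be str, not %s" % type(uri).__name__)
    return FakeLDAPConnection(uri)

class Deployer:
    """Minimal model of the deployer; the pki_ds_* keys are assumed prompt names."""
    def __init__(self, mdict):
        self.mdict = mdict
        self.ds_url = None  # before the fix this stayed None until init() ran, too late
        self.ds_connection = None

    def ds_init(self):
        scheme = "ldaps" if self.mdict.get("pki_ds_secure_connection") else "ldap"
        self.ds_url = "%s://%s:%s" % (scheme, self.mdict["pki_ds_hostname"], self.mdict["pki_ds_ldap_port"])

    def ds_connect(self):
        if self.ds_url is None:  # the fix: derive the URL lazily instead of passing None
            self.ds_init()
        self.ds_connection = fake_initialize(self.ds_url)
        self.ds_connection.simple_bind_s(self.mdict["pki_ds_bind_dn"], self.mdict["pki_ds_password"])

    def ds_close(self):
        if self.ds_connection is not None:  # guard against the AttributeError that
            self.ds_connection.unbind_s()   # masked the real error in the report
            self.ds_connection = None

def verify_ds_configuration(deployer):
    # True if the prompted settings work; on failure reset ds_url so the next attempt re-runs ds_init()
    try:
        deployer.ds_connect()
        return True
    except Exception:
        deployer.ds_url = None
        return False
    finally:
        deployer.ds_close()
```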