Bug 1812169
Summary: | Running ipa-replica-install fails with Certificate issuance failed (CA_UNREACHABLE: Server at https://ipa-master.example.test/ipa/xml failed request, will retry: 4016 (RPC failed at server. Failed to authenticate to CA REST API).) | |||
---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jan Pazdziora <jpazdziora> | |
Component: | freeipa | Assignee: | IPA Maintainers <ipa-maint> | |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | rawhide | CC: | abokovoy, fdc, frenaud, ipa-maint, jcholast, jhrozek, jpazdziora, lslebodn, pvoborni, rcritten, ssorce, twoerner | |
Target Milestone: | --- | Keywords: | Regression | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | freeipa-4.8.6-1.fc32 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1817918 (view as bug list) | Environment: | ||
Last Closed: | 2020-04-05 00:15:22 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1817918 |
Description
Jan Pazdziora
2020-03-10 17:01:06 UTC
I see the same failure on Fedora 32. What tomcat version do you have? In rawhide it is a known issue with tomcat 9.0.31 which enforces use of a secret-protected setup for AJP proxy. I'm currently working on a fix for upstream. It's tomcat-9.0.31-1.fc33.noarch. Upstream PR: https://github.com/freeipa/freeipa/pull/4337 Fixed upstream master: https://pagure.io/freeipa/c/593fac1ca9381a51ee59fac994d818ed9619bd8e https://pagure.io/freeipa/c/ec73de969f55b7a005b6401029f87fe6a225a417 Fixed upstream ipa-4-8: https://pagure.io/freeipa/c/1deb1010b245df6c363c5655f9a548bdf4dbc040 https://pagure.io/freeipa/c/d4d8b98c3588b212db6a26610e690cccb3af84ca ipa-4-7: https://pagure.io/freeipa/c/d4ad2c24df2477a5b4ced14a592d99547a0c029e https://pagure.io/freeipa/c/fc82b966c054b8a6a98441f08d9ccf2f5737e623 ipa-4-6: https://pagure.io/freeipa/c/af2dca13d0cc24e0cf32bc23e4edb86fbbf60d03 https://pagure.io/freeipa/c/901d0eca7d462c74c1664aae9b3415ede7ba3dfc (In reply to Florence Blanc-Renaud from comment #6) > Fixed upstream > ipa-4-8: > https://pagure.io/freeipa/c/1deb1010b245df6c363c5655f9a548bdf4dbc040 > https://pagure.io/freeipa/c/d4d8b98c3588b212db6a26610e690cccb3af84ca > Backporting these patches does not seems to be enough for rawhide. The installation on master will fails Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: configuring certificate server instance Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpchj5vgwk'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: CalledProcessError: Command \'[\'sudo\', \'-u\', \'pkiuser\', \'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java\', \'-classpath\', \'/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*\', \'-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory\', \'-Dcatalina.base=/var/lib/pki/pki-tomcat\', \'-Dcatalina.home=/usr/share/tomcat\', \'-Djava.endorsed.dirs=\', \'-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp\', \'-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties\', \'-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager\', \'org.dogtagpki.server.cli.PKIServerCLI\', \'ca-db-remove\', \'--force\']\' died with <Signals.SIGABRT: 6>.\n File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 562, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn\n subsystem.remove_database(force=True)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 932, in remove_database\n self.run(cmd, as_current_user=as_current_user)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 980, in run\n subprocess.run(cmd, check=True)\n File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n raise CalledProcessError(retcode, process.args,\n\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. CA configuration failed. For some reason jdk crashed 2020-03-16T12:18:37Z DEBUG Starting external process 2020-03-16T12:18:37Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpchj5vgwk'] 2020-03-16T12:18:43Z DEBUG Process finished, return code=1 2020-03-16T12:18:43Z DEBUG stdout=# # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x00007fba2b65afbe, pid=24003, tid=0x00007fba2904a700 # # JRE version: OpenJDK Runtime Environment (8.0_242-b08) (build 1.8.0_242-b08) # Java VM: OpenJDK 64-Bit Server VM (25.242-b08 mixed mode linux-amd64 compressed oops) # Problematic frame: # V [libjvm.so+0x701fbe] JNIHandleBlock::oops_do(OopClosure*)+0xae # # Core dump written. Default location: /tmp/hsperfdata_pkiuser/core or core.24003 # # An error report file with more information is saved as: # /tmp/hsperfdata_pkiuser/hs_err_pid24003.log # # If you would like to submit a bug report, please visit: # http://bugreport.java.com/bugreport/crash.jsp # Installation log: /var/log/pki/pki-ca-spawn.20200316131837.log Loading deployment configuration from /tmp/tmpchj5vgwk. WARNING: The 'pki_ssl_server_token' in [CA] has been deprecated. Use 'pki_sslserver_token' instead. Installing CA into /var/lib/pki/pki-tomcat. Installation failed: Command failed: sudo -u pkiuser /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/ share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.b ase=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/etc/pki/pki-tomcat/logg ing.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.dogtagpki.server.cli.PKIServerCLI ca-db-remove --force Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20200316131837.log 2020-03-16T12:18:43Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present. ERROR: CalledProcessError: Command '['sudo', '-u', 'pkiuser', '/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-classpath', '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*', '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory', '-Dcatalina.base=/var/lib/pki/pki-tomcat', '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=', '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp', '-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties', '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager', 'org.dogtagpki.server.cli.PKIServerCLI', 'ca-db-remove', '--force']' died with <Signals.SIGABRT: 6>. File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 562, in main scriptlet.spawn(deployer) File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn subsystem.remove_database(force=True) File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 932, in remove_database self.run(cmd, as_current_user=as_current_user) File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 980, in run subprocess.run(cmd, check=True) File "/usr/lib64/python3.8/subprocess.py", line 512, in run raise CalledProcessError(retcode, process.args, 2020-03-16T12:18:43Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpchj5vgwk'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: CalledProcessError: Command \'[\'sudo\', \'-u\', \'pkiuser\', \'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java\', \'-classpath\', \'/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*\', \'-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory\', \'-Dcatalina.base=/var/lib/pki/pki-tomcat\', \'-Dcatalina.home=/usr/share/tomcat\', \'-Djava.endorsed.dirs=\', \'-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp\', \'-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties\', \'-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager\', \'org.dogtagpki.server.cli.PKIServerCLI\', \'ca-db-remove\', \'--force\']\' died with <Signals.SIGABRT: 6>.\n File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 562, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn\n subsystem.remove_database(force=True)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 932, in remove_database\n self.run(cmd, as_current_user=as_current_user)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 980, in run\n subprocess.run(cmd, check=True)\n File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n raise CalledProcessError(retcode, process.args,\n\n') 2020-03-16T12:18:43Z CRITICAL See the installation logs and the following files/directories for more information: 2020-03-16T12:18:43Z CRITICAL /var/log/pki/pki-tomcat 2020-03-16T12:18:43Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 193, in spawn_instance ipautil.run(args, nolog=nolog_list) File "/usr/lib/python3.8/site-packages/ipapython/ipautil.py", line 597, in run raise CalledProcessError( ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpchj5vgwk'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: CalledProcessError: Command \'[\'sudo\', \'-u\', \'pkiuser\', \'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java\', \'-classpath\', \'/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*\', \'-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory\', \'-Dcatalina.base=/var/lib/pki/pki-tomcat\', \'-Dcatalina.home=/usr/share/tomcat\', \'-Djava.endorsed.dirs=\', \'-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp\', \'-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties\', \'-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager\', \'org.dogtagpki.server.cli.PKIServerCLI\', \'ca-db-remove\', \'--force\']\' died with <Signals.SIGABRT: 6>.\n File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 562, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn\n subsystem.remove_database(force=True)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 932, in remove_database\n self.run(cmd, as_current_user=as_current_user)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 980, in run\n subprocess.run(cmd, check=True)\n File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n raise CalledProcessError(retcode, process.args,\n\n') During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 603, in start_creation run_step(full_msg, method) File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 589, in run_step method() File "/usr/lib/python3.8/site-packages/ipaserver/install/cainstance.py", line 596, in __spawn_instance DogtagInstance.spawn_instance( File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 195, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 503, in handle_setup_error raise RuntimeError("%s configuration failed." % self.subsystem) RuntimeError: CA configuration failed. Hi Lukas, the issue you mention is a different one, already reported in https://pagure.io/dogtagpki/issue/3130 ipa-server-install fails in pkispawn step with a java coredump. The above ticket mentions https://bugzilla.redhat.com/show_bug.cgi?id=1813550 java segmentation faults during package builds in rawhide which is a java-1.8.0-openjdk problem. Is it OK for you to move back this BZ to POST? Last time when I tried, I was able to install at least master without patch (just replica failed) But I failed to install even maser with patch. I did not dive into details but it seems suspicious for me. If you are sure it is unrelated then feel free to move to POST otherwise I would prefer at lest something functional in rawhide. Is it expected that the Java segfault issue seems non-deterministic? (In reply to Lukas Slebodnik from comment #10) > Last time when I tried, I was able to install at least master without patch > (just replica failed) > But I failed to install even maser with patch. I did not dive into details > but > it seems suspicious for me. > > If you are sure it is unrelated then feel free to move to POST > otherwise I would prefer at lest something functional in rawhide. I cannot reproduce issue with new jdk and new freeipa. The bug can be closed. Thanks Lukas for checking. Moving back to POST. (In reply to Florence Blanc-Renaud from comment #13) > Thanks Lukas for checking. Moving back to POST. Is there any reason why the state cannot be to closed -> rawhide? It is fixed also in F32, so we can attach it to F32 update: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e3a79248dc FEDORA-2020-e3a79248dc has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e3a79248dc I confirm that I no longer see the problem with freeipa-server-4.8.5-2.fc32.x86_64 and freeipa-server-4.8.5-2.fc33.x86_64. So the fix was likely somewhere else than freeipa-4.8.6-1.fc32, so attaching to https://bodhi.fedoraproject.org/updates/FEDORA-2020-e3a79248dc does not seem corect. You don't see the issue because JDK crash is fixed. FreeIPA 4.8.5 fixed the AJP issue, 4.8.6 contains a fix that was needed for an edge case of restarting httpd as part of dogtag configuration before it was configured. So both are applicable here. FEDORA-2020-e3a79248dc has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e3a79248dc` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e3a79248dc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-e3a79248dc has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. |