Bug 1871064
| Summary: | replica install failing during pki-ca component configuration | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Kaleem <ksiddiqu> |
| Component: | pki-core | Assignee: | Alex Scheel <ascheel> |
| Status: | CLOSED ERRATA | QA Contact: | PKI QE <bugzilla-pkiqe> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 8.3 | CC: | aakkiang, ascheel, cpinjani, rcritten, skhandel, tscherf, twoerner |
| Target Milestone: | rc | Keywords: | Regression, TestBlocker |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 03:15:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Checked in upstream:

commit 1753780b47c6935816d5419dafcea667fb01fed4
Author: Alexander Scheel <ascheel>
Date:   Fri Aug 21 10:15:53 2020 -0400

    Fix permissions when installing clone

    When pkispawn runs, it executes as root. However, rarely is PKI
    installed as root. The resulting permissions on ca.crt are 600,
    preventing later pki-server migrate command from running, as it
    runs as pkiuser, who doesn't have access to ca.crt. Fix the
    permissions when we initially create ca.crt to be owned by pkiuser.

    Signed-off-by: Alexander Scheel <ascheel>

Checked in dist-git:

commit a1d94e8c34e6ec86d2ef4aad12f791b9750e58f2
Author: Alexander Scheel <ascheel>
Date:   Fri Aug 21 11:20:21 2020 -0400

    Fix replica install failing during pki-ca component configuration

    Resolves: rhbz#1871064

    Signed-off-by: Alexander Scheel <ascheel>
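
The ownership problem described in the upstream commit message above (a mode-600 file created by root that a service account later has to read), as an added example that is not code from the PKI project. The uid/gid 17, the temporary path and the helper names `can_read`, `audit` and `create_private_file` are assumptions made for illustration.

```python
import os
import stat
import tempfile
from collections import namedtuple

FileMeta = namedtuple("FileMeta", "st_uid st_gid st_mode")  # stand-in for os.stat_result

def can_read(meta, uid, gids):
    """POSIX mode-bit read check: exactly one class (owner, group, other) applies."""
    if uid == 0:
        return True  # root bypasses mode bits, so the installing process sees no error
    if uid == meta.st_uid:
        return bool(meta.st_mode & stat.S_IRUSR)
    if meta.st_gid in gids:
        return bool(meta.st_mode & stat.S_IRGRP)
    return bool(meta.st_mode & stat.S_IROTH)

def audit(meta, uid, gids):
    """Return a finding string, or None when the account can read the file."""
    if can_read(meta, uid, gids):
        return None
    return "uid %d cannot read file owned by %d:%d mode %04o" % (
        uid, meta.st_uid, meta.st_gid, stat.S_IMODE(meta.st_mode))

def create_private_file(path, data, uid, gid):
    """Create a 0600 file and hand it to the service account in the same step."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
        os.fchown(fd, uid, gid)  # needs root unless uid/gid are the caller's own
    finally:
        os.close(fd)
    return os.stat(path)

# Constructed values: 17 is a placeholder uid/gid for the service account.
SERVICE_UID, SERVICE_GIDS = 17, {17}
BEFORE = FileMeta(0, 0, stat.S_IFREG | 0o600)   # created by root, never chowned
AFTER = FileMeta(17, 17, stat.S_IFREG | 0o600)  # same mode, owned by the service account

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        st = create_private_file(os.path.join(tmp, "ca.crt"), b"constructed",
                                 os.geteuid(), os.getegid())
        return (audit(BEFORE, SERVICE_UID, SERVICE_GIDS),
                audit(AFTER, SERVICE_UID, SERVICE_GIDS),
                audit(st, os.geteuid(), {os.getegid()}))

if __name__ == "__main__":
    print(demo())
```

On a real host, `audit` can be given the result of `os.stat()` on the file together with the service account's ids from `pwd.getpwnam()`.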

Cloning is validated in automated regression run. Following are the run links:

FIPS : https://gitlab.cee.redhat.com/idm/pki-pytest-ansible/-/jobs/2017915
Non FIPS : https://gitlab.cee.redhat.com/idm/pki-pytest-ansible/-/jobs/2017818

Validate on following versions:

pki-ca noarch 10.9.2-2.module+el8.3.0+7729+bfb86605 RHEL8.3-Appstream 575 k
pki-kra noarch 10.9.2-2.module+el8.3.0+7729+bfb86605 RHEL8.3-Appstream 200 k
pki-ocsp noarch 10.9.2-1.module+el8pki+7692+b23293e3 RHEL8.3-CERTSYS 73 k
pki-tks noarch 10.9.2-1.module+el8pki+7692+b23293e3 RHEL8.3-CERTSYS 113 k
pki-tps x86_64 10.9.2-1.module+el8pki+7692+b23293e3 RHEL8.3-CERTSYS 680 k

Marking this BZ verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4847

Description of problem:

[5/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpjj_x8so0'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nWARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nJob for pki-tomcatd failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd" and "journalctl -xe" for details.\nERROR: CalledProcessError: Command \'[\'systemctl\', \'start\', \'pki-tomcatd\']\' returned non-zero exit status 1.\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 870, in spawn\n instance.start()\n File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 261, in start\n subprocess.check_call(cmd)\n File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call\n raise CalledProcessError(retcode, cmd)\n\n')
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

pki-ca-spawn log

[root@replica pki]# cat pki-ca-spawn.20200821050217.log
2020-08-21 05:03:18 ERROR: CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd']' returned non-zero exit status 1.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 870, in spawn
    instance.start()
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 261, in start
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)

Version-Release number of selected component (if applicable):

[root@replica ~]# rpm -q pki-ca ipa-server
pki-ca-10.9.2-1.module+el8.3.0+7691+db8f134f.noarch
ipa-server-4.8.7-10.module+el8.3.0+7702+ced5f219.x86_64
[root@replica ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install IPA replica
2.
3.

Actual results:
Replica install failure

Expected results:
no replica install failure

Additional info: