Bug 1975406

Summary: IPA installation fails during pki-tomcatd setup
Product: Red Hat Enterprise Linux 9
Component: pki-core
Version: 9.0
Status: CLOSED CURRENTRELEASE
Severity: urgent
Priority: urgent
Reporter: Viktor Ashirov <vashirov>
Assignee: Jack Magne <jmagne>
QA Contact: PKI QE <bugzilla-pkiqe>
CC: aakkiang, abokovoy, cheimes, edewata, ksiddiqu, mharmsen, skhandel, wdh
Target Milestone: beta
Target Release: ---
Keywords: Regression, TestBlocker, Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-11.0.0-0.3.alpha1.el9
Last Closed: 2021-12-07 21:33:05 UTC
Type: Bug

Description Viktor Ashirov 2021-06-23 15:40:03 UTC
Description of problem:
On RHEL9 IPA installation fails during pki-tomcatd setup.

[root@rhel9 ~]# ipa-server-install --domain=ipa.test --realm=IPA.TEST --ds-password=password --admin-password=password --hostname=$(hostname -f) -U
 
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.5

...snip...

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: stopping certificate server instance to update CS.cfg
  [3/28]: backing up CS.cfg
  [4/28]: Add ipa-pki-wait-running
  [5/28]: secure AJP connector
  [6/28]: reindex attributes
  [7/28]: exporting Dogtag certificate store pin
  [8/28]: disabling nonces
  [9/28]: set up CRL publishing
  [10/28]: enable PKIX certificate path discovery and validation
  [11/28]: authorizing RA to modify profiles
  [12/28]: authorizing RA to manage lightweight CAs
  [13/28]: Ensure lightweight CAs container exists
  [14/28]: starting certificate server instance
  [15/28]: configure certmonger for renewals
  [16/28]: requesting RA certificate from CA
  [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmp5ipnkvy5', '-passin', 'file:/tmp/tmpyxn7hvgq'] returned non-zero exit status 1: 'Error outputting keys and certificates\n40279251477F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:330:Global default library context, Algorithm (RC2-40-CBC : 0), Properties (<null>)\n40279251477F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:330:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()\n')
CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmp5ipnkvy5', '-passin', 'file:/tmp/tmpyxn7hvgq'] returned non-zero exit status 1: 'Error outputting keys and certificates\n40279251477F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:330:Global default library context, Algorithm (RC2-40-CBC : 0), Properties (<null>)\n40279251477F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:330:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information



Version-Release number of selected component (if applicable):
openssl-3.0.0-0.alpha16.4.el9.x86_64 
# rpm -qa | grep ^pki
pki-base-10.11.0-0.1.alpha1.el9.noarch
pki-jackson-core-2.11.4-4.el9.noarch
pki-servlet-4.0-api-9.0.30-3.el9.noarch
pki-jackson-annotations-2.11.4-5.el9.noarch
pki-jackson-databind-2.11.4-4.el9.noarch
pki-jackson-jaxrs-providers-2.11.4-5.el9.noarch
pki-jackson-module-jaxb-annotations-2.11.4-6.el9.noarch
pki-jackson-jaxrs-json-provider-2.11.4-5.el9.noarch
pki-resteasy-jackson2-provider-3.0.26-13.el9.noarch
pki-symkey-10.11.0-0.1.alpha1.el9.x86_64
pki-servlet-engine-9.0.30-3.el9.noarch
pki-resteasy-core-3.0.26-13.el9.noarch
pki-resteasy-client-3.0.26-13.el9.noarch
pki-resteasy-jaxb-provider-3.0.26-13.el9.noarch
pki-base-java-10.11.0-0.1.alpha1.el9.noarch
pki-tools-10.11.0-0.1.alpha1.el9.x86_64
pki-server-10.11.0-0.1.alpha1.el9.noarch
pki-acme-10.11.0-0.1.alpha1.el9.noarch
pki-ca-10.11.0-0.1.alpha1.el9.noarch
pki-kra-10.11.0-0.1.alpha1.el9.noarch

And scratch builds for 389-ds-base https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=331291
and ipa-server https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=332207


How reproducible:
always

Steps to Reproduce:
1. Install scratch builds of 389-ds-base and ipa (to work around DS plugin upgrade issue during setup)
2. # ipa-server-install --domain=ipa.test --realm=IPA.TEST --ds-password=password --admin-password=password --hostname=$(hostname -f) -U


Actual results:
IPA installation fails

[root@rhel9 ~]# /usr/bin/openssl pkcs12 -nokeys -clcerts -in /root/ca-agent.p12 -out /var/lib/ipa/tmp5ipnkvy5 -passin file:/tmp/tmpyxn7hvgq
Error outputting keys and certificates
40E7D944987F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:330:Global default library context, Algorithm (RC2-40-CBC : 0), Properties (<null>)
40E7D944987F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:330:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Expected results:
IPA installation is successful.

Additional info:
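
Added example, not part of the bug report or of the IPA/PKI code: a small triage helper that parses OpenSSL 3 error-queue lines such as the ones quoted above and reports which algorithm failed to fetch and whether it belongs to a family served only by OpenSSL 3.0's legacy provider. The function names and the `LEGACY_PREFIXES` list are assumptions of this example; the sample input is built from the two error lines in the report.

```python
import re

# OpenSSL 3 error-queue line layout:
#   <thread>:error:<code>:<library>:<function>:<reason>:<file>:<line>:<data>
ERR_LINE = re.compile(
    r"(?P<tid>[0-9A-F]+):error:(?P<code>[0-9A-F]{8}):(?P<lib>[^:]+):"
    r"(?P<func>[^:]+):(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):"
    r"(?P<data>[^\n\\]*)"  # stop at a newline or at the "\n" of a Python repr
)
ALGORITHM = re.compile(r"Algorithm \((?P<name>[^ :)]+)")

# Assumption of this example: cipher/digest families that OpenSSL 3.0 serves
# from its "legacy" provider, which is not loaded by default.
LEGACY_PREFIXES = ("RC2", "RC4", "BF", "CAST5", "IDEA", "SEED",
                   "MD4", "MDC2", "WHIRLPOOL")


def is_legacy(name):
    """True if the algorithm name belongs to a legacy-provider family."""
    name = name.upper()
    if name.startswith("DES-") and not name.startswith("DES-EDE"):
        return True  # single DES is legacy; DES-EDE (3DES) is not
    return name.startswith(LEGACY_PREFIXES)


def unsupported_algorithms(log_text):
    """Map each algorithm named in an 'unsupported' fetch error to its count."""
    found = {}
    for m in ERR_LINE.finditer(log_text):
        if m["reason"] != "unsupported":
            continue
        alg = ALGORITHM.search(m["data"])
        if alg:
            found[alg["name"]] = found.get(alg["name"], 0) + 1
    return found


# Sample built from the two error lines quoted in the report above.
_ERR = ("40E7D944987F0000:error:0308010C:digital envelope routines:"
        "inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:330:"
        "Global default library context, Algorithm (RC2-40-CBC : 0), "
        "Properties (%s)\n")
SAMPLE = "Error outputting keys and certificates\n" + _ERR % "<null>" + _ERR % ""

if __name__ == "__main__":
    for name, count in unsupported_algorithms(SAMPLE).items():
        kind = "legacy provider" if is_legacy(name) else "other"
        print(f"{name}: {count} failure(s), {kind}")
```

The parser also accepts the escaped form that appears inside the `CalledProcessError` text, where line breaks are a literal backslash followed by `n`.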

Comment 31 Kaleem 2021-07-05 12:09:34 UTC
IPA install is successful with the following IPA and PKI-core builds

2021-07-02T13:34:09+0000 [ci-vm-10-0-97-143.ho]   ipa-server-4.9.6-1.el9.x86_64                                                 
2021-07-02T13:34:09+0000 [ci-vm-10-0-97-143.ho]   pki-ca-11.0.0-0.3.alpha1.el9.noarch                                           

IPA install log with rpm is attached.