Bug 2004084

Summary: Reinstall of the same ipa-replica fails with 'RuntimeError: CA configuration failed.'
Product: Red Hat Enterprise Linux 8
Reporter: Florence Blanc-Renaud <frenaud>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: unspecified
Docs Contact: lmcgarry
Priority: urgent
Version: 8.5
CC: aakkiang, abroy, amore, asharov, edewata, gfialova, msauton, pcech, prisingh, rcritten, skhandel, sumenon
Target Milestone: rc
Keywords: Regression, Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.6-8060020211115121442.7e0b02f6
Doc Type: Bug Fix
Clone Of:
: 2023868 (view as bug list) Environment:
Last Closed: 2022-05-10 13:51:03 UTC
Type: Bug
Bug Blocks: 2023868

Description Florence Blanc-Renaud 2021-09-14 13:37:19 UTC
This bug was initially created as a copy of Bug #2001814

I am copying this bug because: 

The issue is also present on RHEL 8.5 with the following pkgs:
pki-server-10.11.0-2.module+el8.5.0+12220+9cc212a8.noarch
ipa-server-4.9.6-4.module+el8.5.0+11912+1b4496cf.x86_64

Description of problem: Reinstall of the same replica fails with 'RuntimeError: CA configuration failed.'

Version-Release number of selected component (if applicable):
ipa-server-4.9.6-6.el9.x86_64
pki-server-11.0.0-0.4.alpha1.el9.noarch
pki-ca-11.0.0-0.4.alpha1.el9.noarch
pki-kra-11.0.0-0.4.alpha1.el9.noarch
389-ds-base-2.0.8-4.el9.x86_64
selinux-policy-34.1.14-1.el9.noarch

How reproducible: Always

Steps to Reproduce:
1. Install IPA server and replica.
2. Uninstall IPA Replica and reinstall replica again.

Actual results:
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: creating certificate server db
  [2/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
 
  [3/29]: creating ACIs for admin
  [4/29]: creating installation admin user
  [5/29]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

com.netscape.certsrv.base.ConflictingOperationException: Entry already exists.
	at com.netscape.certsrv.ldap.LDAPExceptionConverter.toPKIException(LDAPExceptionConverter.java:45)
	at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:720)
	at org.dogtagpki.server.cli.SubsystemUserAddCLI.execute(SubsystemUserAddCLI.java:180)
	at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
	at org.dogtagpki.cli.CLI.execute(CLI.java:357)
	at org.dogtagpki.cli.CLI.execute(CLI.java:357)
	at org.dogtagpki.cli.CLI.execute(CLI.java:357)
	at org.dogtagpki.server.cli.PKIServerCLI.execute(PKIServerCLI.java:93)
	at org.dogtagpki.server.cli.PKIServerCLI.main(PKIServerCLI.java:123)
Caused by: netscape.ldap.LDAPException: error result (68); Already exists
	at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
	at netscape.ldap.LDAPConnection.add(Unknown Source)
	at netscape.ldap.LDAPConnection.add(Unknown Source)
	at netscape.ldap.LDAPConnection.add(Unknown Source)
	at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:717)
	... 7 more
CalledProcessError: Command '['/usr/sbin/runuser', '-u', 'pkiuser', '--', '/usr/lib/jvm/jre-11-openjdk/bin/java', '-classpath', '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*', '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory', '-Dcatalina.base=/var/lib/pki/pki-tomcat', '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=', '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp', '-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties', '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager', '-Dcom.redhat.fips=false', 'org.dogtagpki.server.cli.PKIServerCLI', 'ca-user-add', '--full-name', 'CA-replica.testrealm.test-8443', '--type', 'agentType', '--state', '1', '--debug', 'CA-replica.testrealm.test-8443']' returned non-zero exit status 255.
  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 740, in spawn
    deployer.setup_subsystem_user(instance, subsystem, system_certs['subsystem'])
  File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 1036, in setup_subsystem_user
    subsystem.add_user(
  File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 1515, in add_user
    self.run(
  File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 1646, in run
    return subprocess.run(
  File "/usr/lib64/python3.9/subprocess.py", line 528, in run
    raise CalledProcessError(retcode, process.args,

---ipareplica-install.log---
2021-09-07T07:40:22Z CRITICAL Failed to configure CA instance
2021-09-07T07:40:22Z CRITICAL See the installation logs and the following files/directories for more information:
2021-09-07T07:40:22Z CRITICAL   /var/log/pki/pki-tomcat
2021-09-07T07:40:22Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 213, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 565, in handle_setup_error
    raise RuntimeError(
RuntimeError: CA configuration failed.

Expected results: replica-install should pass without the above error.

Additional info: https://github.com/dogtagpki/pki/issues/3544

Comment 3 Endi Sukma Dewata 2021-11-02 21:58:45 UTC
Fixed in v10.12 branch (PKI 10.12):
https://github.com/dogtagpki/pki/commit/76c24f6a6866e1a0d9fdb143b8fd6390ce3b8f7e

Comment 23 errata-xmlrpc 2022-05-10 13:51:03 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1851