Description Aleksandr Sharov
2021-12-21 10:48:22 UTC
Description of problem:
pkispawn fails on clean installation:
[root@ca pki]# pkispawn -s CA
IMPORTANT:
Interactive installation currently only exists for very basic deployments!
For example, deployments intent upon using advanced features such as:
* Cloning,
* Elliptic Curve Cryptography (ECC),
* External CA,
* Hardware Security Module (HSM),
* Subordinate CA,
* etc.,
must provide the necessary override parameters in a separate
configuration file.
Run 'man pkispawn' for details.
Tomcat:
Instance [pki-tomcat]:
HTTP port [8080]:
Secure HTTP port [8443]:
AJP port [8009]:
Management port [8005]:
Administrator:
Username [caadmin]:
Password:
Verify password:
Import certificate (Yes/No) [N]?
Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:
Directory Server:
Hostname [ca.local]:
Use a secure LDAPS connection (Yes/No/Quit) [N]? Yes
Secure LDAPS Port [636]:
Directory Server CA certificate pem file: /etc/dirsrv/slapd-ca/ca.crt
Bind DN [cn=Directory Manager]:
Password:
Base DN [o=pki-tomcat-CA]:
Base DN already exists. Overwrite (Yes/No/Quit)? Yes
Security Domain:
Name [local Security Domain]:
Begin installation (Yes/No/Quit)? yes
Installation log: /var/log/pki/pki-ca-spawn.20211221113549.log
Installing CA into /var/lib/pki/pki-tomcat.
Notice: Trust flag u is set automatically if the private key is present.
Job for pki-tomcatd failed because the control process exited with error code.
See "systemctl status pki-tomcatd" and "journalctl -xe" for details.
ERROR: CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd']' returned non-zero exit status 1.
File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
scriptlet.spawn(deployer)
File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 956, in spawn
instance.start()
File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 263, in start
subprocess.check_call(cmd)
File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
raise CalledProcessError(retcode, cmd)
Installation failed: Command failed: systemctl start pki-tomcatd
Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20211221113549.log
[root@ca pki]# cat /var/log/pki/pki-ca-spawn.20211221113549.log
2021-12-21 11:36:49 ERROR: CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd']' returned non-zero exit status 1.
File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
scriptlet.spawn(deployer)
File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 956, in spawn
instance.start()
File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 263, in start
subprocess.check_call(cmd)
File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
raise CalledProcessError(retcode, cmd)
Version-Release number of selected component (if applicable):
[root@ca ~]# cat /usr/share/pki/CS_SERVER_VERSION
Red Hat Certificate System 10.2
[root@ca ~]# dnf install pki-ca | grep pki-ca
Package pki-ca-10.10.5-3.module+el8pki+11223+7a85b62e.noarch is already installed.
[root@ca ~]# cat /etc/pki/pki.version
Configuration-Version: 10.10.5
[root@ca pki]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 (Ootpa)
[root@ca pki]# fips-mode-setup --check
FIPS mode is enabled.
How reproducible:
100%
Steps to Reproduce:
1. Install DS, create instance, check LDAPS connectivity
2. Install redhat-pki module as described in 10.2 release notes, otherwise you get conflicts
3. Run pkispawn -s CA
Actual results:
Service fails:
-- Unit pki-tomcatd has begun starting up.
Dec 21 11:36:49 ca.local pki-server[42247]: ProviderException: Initialization failed
Dec 21 11:36:49 ca.local systemd[1]: pki-tomcatd: Control process exited, code=exited status=255
Dec 21 11:36:49 ca.local systemd[1]: pki-tomcatd: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
Expected results:
Service starts as expected, pkispawn is successful
Additional info:
sosreport will be attached