Bug 1011587 - Configuration is DOGTAG-PKI using PKISPAWN is failing
Configuration is DOGTAG-PKI using PKISPAWN is failing
Status: CLOSED NOTABUG
Product: Dogtag Certificate System
Classification: Community
Component: Installer (pkispawn/pkidestroy) (Show other bugs)
10.0
i686 All
unspecified Severity urgent
: ---
: ---
Assigned To: Matthew Harmsen
Chandrasekar Kannan
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-24 11:07 EDT by Vinamra
Modified: 2015-01-04 18:53 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-27 14:42:51 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vinamra 2013-09-24 11:07:54 EDT
Description of problem:

Upon running the command PKISPAWN for configuring PKI on Fedora Linux 19 in interactive mode, it is always giving problem and getting failed. 


pkispawn    : INFO     ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
pkispawn    : DEBUG    ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: 404 Client Error: Not Found
pkispawn    : DEBUG    ........... No connection - server may still be down

pkispawn    : DEBUG    ........... No connection - exception thrown: 404 Client Error: Not Found
pkispawn    : ERROR    ....... server failed to restart
pkispawn    : DEBUG    ....... Error Type: SystemExit
pkispawn    : DEBUG    ....... Error Message: 1
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 374, in main
    rv = instance.spawn()
  File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 102, in spawn
    sys.exit(1)

Installation failed.



Any Support Idea?
Comment 1 Ade Lee 2013-09-24 11:22:53 EDT
We need a little more info.

First, what is the version of the dogtag software and for tomcat:

rpm -q pki-server
rpm -q tomcat

It looks like the server does not come up.  Are there any logs in /var/log/pki/pki-tomcat ?  Is there anything in /var/log/messages?  Also, there is a pkispawn log in /var/log/pki.

Is selinux enabled?  (getenforce).  If selinux is putin permissive mode, (setenforce 0) , does the server start up?
Comment 2 Vinamra 2013-09-24 11:45:01 EDT
Additional Information As Requested - 

# rpm -q pki-server
pki-server-10.0.5-1.fc19.noarch


# rpm -q tomcat
tomcat-7.0.42-1.fc19.noarch

#LOG 1  - /var/log/pki - pkispawn logs#
2013-09-24 19:34:43 pkispawn    : INFO     ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
2013-09-24 19:34:43 pkispawn    : INFO     ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
2013-09-24 19:34:43 pkispawn    : DEBUG    ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
2013-09-24 19:34:43 pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2013-09-24 19:34:51 pkispawn    : DEBUG    ........... No connection - server may still be down
2013-09-24 19:34:51 pkispawn    : DEBUG    ........... No connection - exception thrown: 404 Client Error: Not Found

2013-09-24 19:35:49 pkispawn    : DEBUG    ........... No connection - exception thrown: 404 Client Error: Not Found
2013-09-24 19:35:50 pkispawn    : ERROR    ....... server failed to restart
2013-09-24 19:35:50 pkispawn    : DEBUG    ....... Error Type: SystemExit
2013-09-24 19:35:50 pkispawn    : DEBUG    ....... Error Message: 1
2013-09-24 19:35:51 pkispawn    : DEBUG    .......   File "/sbin/pkispawn", line 374, in main
    rv = instance.spawn()
  File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 102, in spawn
    sys.exit(1)


#LOG 2  - /var/log/message logs#
Sep 24 19:28:11 gateway goa[1093]: goa-daemon version 3.8.3 starting [main.c:113, main()]
Sep 24 19:34:43 gateway systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Sep 24 19:34:50 gateway pkidaemon[1159]: 'pki-tomcat' must still be CONFIGURED!
Sep 24 19:34:50 gateway pkidaemon[1159]: (see /var/log/pki-tomcat-install.log)

#LOG 3  - /var/log/pki/pki-tomcat logs#

SSLAuthenticatorWithFallback: Initializing authenticators
SSLAuthenticatorWithFallback: Starting authenticators
19:34:58,286 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
19:34:58,298 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Sep 24, 2013 7:34:59 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Sep 24, 2013 7:34:59 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7755 ms




SELINUX is disabled.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Comment 3 Matthew Harmsen 2013-09-24 16:41:46 EDT
Presuming that you used the default setup, please provide the output of the following:

    # pkidaemon status tomcat pki-tomcat

My guess is that it will return something similar to the following:

    Status for pki-tomcat: pki-tomcat is running ..
    'pki-tomcat' must still be CONFIGURED!
    (see /var/log/pki-tomcat-install.log)
Comment 4 Ade Lee 2013-09-24 16:43:22 EDT
So, based on your logs, it looks like we try to start up the server:

2013-09-24 19:34:43 pkispawn    : DEBUG    ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service

and the server does in fact come up:

Sep 24, 2013 7:34:59 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7755 ms

But it does not correctly respond to requests for status -- returning 404's, and so times out.

Can you attach any logs in /var/log/pki/pki-tomcat as well as /var/log/pki/pki-tomcat/ca ?  The error may have appeared earlier in the log.

Also, what is your version of python-requests?

Also, you might want to try with selinux in permissive mode.  Its likely not the problem - but we always run in at least permissive mode.  You'll need to change the config and reboot.
Comment 5 Vinamra 2013-09-27 04:27:33 EDT
Dear All, 

After looking in logs, it was clear the pki was trying to start and on secure port it started. It was non-secure port which was not starting. Thus had thought to look on any running port #lsof -i :8080 and httpd daemon was holding the port. 

Then i removed the complete pki using #pkidestroy and manual commands to remove the complete installation. 


#pkidestroy -s CA -i pki-tomcat
#rm -rf /var/log/pki/pki-tomcat
#rm -rf /etc/sysconfig/pki-tomcat
#rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
#rm -rf /var/lib/pki/pki-tomcat
#rm -rf /etc/pki/pki-tomcat

stopped the httpd daemon. 
#service httpd stop
#chkconfig httpd off
#reboot

Then again reconfigured the pki-tomcat. It went smooth and started without any issue. 


Thanks for the help extended to look into /var/log . 

Only thing pending with me is to run SCEP over DOGTAG 10. I have been checking the documentation over google for Dogtag 10 to be used as SCEP for couple of routers and VPN Concentrators. But i was only able to find DogTag 9.0 Documentation for SCEP support. 

It was will be real great help if somebody can post any link on which i can study & deploy SCEP over Dogtag 10. 

Rgds, 

Abhay
Comment 6 Ade Lee 2013-09-27 14:42:51 EDT
Dogtag 9 should be the same as dogtag 10 as far as SCEP.  You should also look at the Red Har Certificate Server 8.x documentation (docs.redhat.com)  For SCEP, that should all be valid too.

Note You need to log in before you can comment on or make changes to this bug.