Bug 1112581
| Field | Value |
|---|---|
| Summary | IPA server installation fails on RHEL-6.6 with latest ipa build |
| Product | Red Hat Enterprise Linux 6 |
| Component | ipa |
| Version | 6.6 |
| Status | CLOSED WORKSFORME |
| Severity | high |
| Priority | unspecified |
| Reporter | Kaleem <ksiddiqu> |
| Assignee | Martin Kosek <mkosek> |
| QA Contact | Namita Soman <nsoman> |
| CC | alee, ksiddiqu, nhosoi, nkinder, rcritten |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Last Closed | 2014-06-26 15:04:29 UTC |
Kaleem (reporter):

Created attachment 911675: installation log files

Description of problem:

IPA server installation fails on RHEL-6.6 with latest ipa build. Following log shown in pki-ca/system log file.

```
[root@rhel66-master ~]# cat /var/log/pki-ca/system
3049.main - [24/Jun/2014:15:26:05 IST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
3049.main - [24/Jun/2014:15:26:05 IST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
[root@rhel66-master ~]#
```

Version-Release number of selected component (if applicable):

```
[root@rhel66-master ~]# rpm -q ipa-server pki-ca 389-ds-base
ipa-server-3.0.0-40.el6.x86_64
pki-ca-9.0.3-35.el6.noarch
389-ds-base-1.2.11.15-35.el6.x86_64
[root@rhel66-master ~]#
```

How reproducible: Always

Steps to Reproduce:

1. Install IPA server

```
[root@rhel66-master ~]# /usr/sbin/ipa-server-install --setup-dns --forwarder=10.65.201.89 --hostname=rhel66-master.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxxxxxxx -P xxxxxxxx -a xxxxxxxx -U
...
....
.....
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname rhel66-master.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-WHA3Zf -client_certdb_pwd XXXXXXXX -preop_pin sOMUaRmFszF64GPf1ieM -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host rhel66-master.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=rhel66-master.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone false' returned non-zero exit status 255
Configuration of CA failed
[root@rhel66-master ~]#
```

Actual results: IPA Server installation fails.

Expected results: IPA Server installation should be successful.

Additional info: (1) Please find the attached installation log files.

Martin Kosek:

Ade, can you please help us debug this issue? When I was testing IPA with pki-ca-9.0.3-32.el6.noarch (6.5 variant), it worked fine. I did test on my RHEL-6.6 development machine (where installation worked before); this is what I found:

1) When I updated just pki-ca to 9.0.3-35.el6, installation worked.

2) When I then updated just 389-ds-base to 1.2.11.15-36.el6, the installation crashed (with a different error):

```
...
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmppE9Ur2' returned non-zero exit status 1
  [3/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the installation log for details.
Done configuring directory server for the CA (pkids).
...
```

This was in the install log:

```
2014-06-25T11:21:50Z DEBUG calling setup-ds.pl
2014-06-25T11:21:51Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmppE9Ur2
2014-06-25T11:21:51Z DEBUG stdout=[14/06/25:07:21:51] - [Setup] Info Could not import LDIF file '/tmp/ldifHirEpq.ldif'. Error: 32512. Output: importing data ...
./ns-slapd: symbol lookup error: /usr/lib64/dirsrv/libslapd.so.0: undefined symbol: ldif_getline
Could not import LDIF file '/tmp/ldifHirEpq.ldif'. Error: 32512. Output: importing data ...
./ns-slapd: symbol lookup error: /usr/lib64/dirsrv/libslapd.so.0: undefined symbol: ldif_getline
[14/06/25:07:21:51] - [Setup] Fatal Error: Could not create directory server instance 'PKI-IPA'.
Error: Could not create directory server instance 'PKI-IPA'.
[14/06/25:07:21:51] - [Setup] Fatal Exiting . . .
Log file is '-'
```

It looks like 389-ds-base does not have the Requires on updated openldap packages, so I had to update it manually.

3) However, after I updated *all* packages to RHEL-6.6, installation *succeeded*.

So we still need the log analysis from the PKI team to see what went wrong.

Martin Kosek:

Given my findings in Comment 3, Kaleem, can you please re-run your test on a clean machine with all packages updated? Just to make sure this was not some interim issue.

Kaleem (reporter):

Yes, with the following bits, which are installed by default on the latest RHEL-6.6 beaker machine, ipa-server install is successful:

```
[root@ibm-x3650m4-02-vm-04 ~]# rpm -q ipa-server pki-ca 389-ds-base
ipa-server-3.0.0-41.el6.x86_64
pki-ca-9.0.3-35.el6.noarch
389-ds-base-1.2.11.15-36.el6.x86_64
[root@ibm-x3650m4-02-vm-04 ~]#
```

But the following error message is also shown:

```
  [19/21]: configure certificate renewals
ipa : ERROR certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
ipa : ERROR certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n ocspSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
ipa : ERROR certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n subsystemCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
  [20/21]: configure Server-Cert certificate renewal
ipa : ERROR certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n Server-Cert cert-pki-ca -c dogtag-ipa-renew-agent -P XXXXXXXX' returned non-zero exit status 1
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
```

Please find the attached log for more reference.

Martin Kosek:

Good to know! About the certmonger bug: this is a problem in SELinux policy. I already filed Bug 1109181, which is in progress, though unfortunately not fixed.

As the SELinux bug is filed and Kaleem verified that PKI now configures, the only remaining issue is the missing proper Requires on openldap, as identified in Comment 3. Noriko, do you want me to move this bug to 389-ds-base or are you tracking the issue elsewhere?

Nathan (nkinder):

(In reply to Martin Kosek from comment #6)
> As SELinux bug is filed and Kaleem verified that PKI now configures, the
> only remaining issue is the missing proper Requires on openldap, as
> identified in Comment 3. Noriko, do you want me to move this bug to
> 389-ds-base or are you tracking the issue elsewhere?

Is it necessary to add this explicit version dependency? The "broken" version of openldap is not a version that was ever shipped. We should work fine with any of the released versions of the openldap package from RHEL 6.5, 6.5.z, or 6.6. We can certainly add the explicit version dependency, but I think there is no chance of customers even seeing the problem mentioned in this bug, since no released version of openldap on RHEL 6.x should be missing libldif.so.

Martin Kosek:

Thanks Nathan, that makes sense. As noted in Comment 6, we can then close this Bugzilla, as the only pending issue is Bug 1109181, which is tracked there.

Removing NEEDINFO since this bug was closed...
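The thread above shows two distinct failure signatures that are easy to conflate when reading an installer log: a run-time loader error (`undefined symbol: ldif_getline` from a 389-ds-base updated without its matching openldap) and the installer's own "Command ... returned non-zero exit status" lines, which are only the downstream effect of it (or, for `getcert`, of the separate SELinux policy problem). The following Python triage helper is an added example, not part of this bug or of the IPA code; it pulls both signatures out of a log and ranks the loader error as the root cause. The sample log is constructed from the lines quoted above, and the `Finding` type and `HINTS` table are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed excerpt modelled on the installer lines quoted in this bug (not the attached log).
SAMPLE_LOG = """\
2014-06-25T11:21:51Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmppE9Ur2
2014-06-25T11:21:51Z DEBUG stdout=[14/06/25:07:21:51] - [Setup] Info Could not import LDIF file '/tmp/ldifHirEpq.ldif'. Error: 32512. Output: importing data ...
./ns-slapd: symbol lookup error: /usr/lib64/dirsrv/libslapd.so.0: undefined symbol: ldif_getline
[14/06/25:07:21:51] - [Setup] Fatal Error: Could not create directory server instance 'PKI-IPA'.
ipa : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmppE9Ur2' returned non-zero exit status 1
ipa : ERROR certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -P XXXXXXXX' returned non-zero exit status 1
"""
SYMBOL_RE = re.compile(r"symbol lookup error: (?P<lib>\S+): undefined symbol: (?P<sym>\w+)")
CMD_RE = re.compile(r"Command '(?P<cmd>[^']+)' returned non-zero exit status (?P<rc>\d+)")
# Follow-up checks keyed by the failing program, taken from the bug discussion (assumed table).
HINTS = {
    "setup-ds.pl": "verify 389-ds-base and openldap come from the same release (rpm -qa | grep -e 389-ds-base -e openldap)",
    "getcert": "check certmonger and SELinux denials (ausearch -m avc); see Bug 1109181",
}
@dataclass
class Finding:
    kind: str     # "abi-mismatch" or "command-failed"
    subject: str  # library or program involved
    detail: str   # missing symbol, or exit status
    hint: str     # what to check next

def triage(log_text: str) -> List[Finding]:
    """Scan installer output for the two failure signatures seen in this bug."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = SYMBOL_RE.search(line)
        if m:  # the dynamic loader failed at run time: library/package versions disagree
            lib = m.group("lib").rsplit("/", 1)[-1]
            findings.append(Finding("abi-mismatch", lib, m.group("sym"),
                f"{lib} needs {m.group('sym')} but no loaded library exports it; "
                "a package was updated without the one that provides the symbol"))
            continue
        m = CMD_RE.search(line)
        if m:  # an installer step's child command failed
            prog = m.group("cmd").split()[0].rsplit("/", 1)[-1]
            findings.append(Finding("command-failed", prog, "exit status " + m.group("rc"),
                                    HINTS.get(prog, "inspect the command's own log")))
    return findings

def root_cause(findings: List[Finding]) -> Optional[Finding]:
    """Prefer a loader-level ABI mismatch over the command failures it triggers."""
    for f in findings:
        if f.kind == "abi-mismatch":
            return f
    return findings[0] if findings else None
```

Running `triage(SAMPLE_LOG)` yields one `abi-mismatch` for `libslapd.so.0`/`ldif_getline` followed by two `command-failed` findings, and `root_cause` returns the first, which matches the conclusion reached in Comment 3.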