Bug 1202759 - ipa-server-install fails with tomcat6-6.0.24-84.el6
Summary: ipa-server-install fails with tomcat6-6.0.24-84.el6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: tomcat6
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: David Knox
QA Contact: tomcat-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-03-17 12:09 UTC by Patrik Kis
Modified: 2015-11-02 00:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
After upgrading from tomcat6-6.0.24-83 to tomcat6-6.0.24-84, it was not possible to install the IPA server with tomcat6-6.0.24-84, and the "Failed to restart the certificate server" message was displayed. A fix has been applied, and the IPA server can now be installed successfully in this situation.
Clone Of:
Environment:
Last Closed: 2015-07-22 07:27:58 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1461 0 normal SHIPPED_LIVE tomcat6 bug fix and enhancement update 2015-07-21 14:14:55 UTC

Description Patrik Kis 2015-03-17 12:09:08 UTC

Comment 1 Patrik Kis 2015-03-17 12:17:39 UTC
Description of problem:

With tomcat6-6.0.24-84 ipa-server-install fails in:
 restarting certificate server
ipa         : CRITICAL Failed to restart the certificate server. See the installation log for details.

I was not able to dig more into the details of what exactly is causing the problem, but it definitely appears when tomcat6 is upgraded from tomcat6-6.0.24-83 to tomcat6-6.0.24-84.

Version-Release number of selected component (if applicable):
tomcat6-6.0.24-84

ipa-server-3.0.0-42.el6
pki-ca-9.0.3-37.el6

How reproducible:
always

Steps to Reproduce:

# ipa-server-install --setup-dns --ip-address $IP_ADDR --no-forwarders --hostname=`hostname` -r testrealm -p Secret123 -P Secret123 -a Secret123 --unattended 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host hp-dl360g5-01.rhts.eng.bos.redhat.com
The domain name has been determined based on the host name.

Using reverse zone 64.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      hp-dl360g5-01.rhts.eng.bos.redhat.com
IP address:    10.16.64.208
Domain name:   rhts.eng.bos.redhat.com
Realm name:    TESTREALM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  64.16.10.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
ipa         : CRITICAL Failed to restart the certificate server. See the installation log for details.
  [16/21]: requesting RA certificate from CA
[Errno 111] Connection refused
#
#
# tail -100 /var/log/ipaserver-install.log 
2015-03-17T11:42:17Z DEBUG   [15/21]: restarting certificate server
2015-03-17T11:42:20Z DEBUG args=/sbin/service pki-cad restart pki-ca
2015-03-17T11:42:20Z DEBUG stdout=Stopping pki-ca: [  OK  ]
Starting pki-ca: [  OK  ]

2015-03-17T11:42:20Z DEBUG stderr=
2015-03-17T11:42:20Z DEBUG args=/sbin/service pki-cad status pki-ca
2015-03-17T11:42:20Z DEBUG stdout=pki-ca (pid 22504) is running...[  OK  ]
    Unsecure Port       = http://hp-dl360g5-01.rhts.eng.bos.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca/services
    EE Client Auth Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://hp-dl360g5-01.rhts.eng.bos.redhat.com:443
    ==========================================================================

2015-03-17T11:42:20Z DEBUG stderr=
2015-03-17T11:42:20Z DEBUG wait_for_open_ports: localhost [9180, 9443, 9444] timeout 300
2015-03-17T11:47:20Z CRITICAL Failed to restart the certificate server. See the installation log for details.
2015-03-17T11:47:20Z DEBUG   duration: 303 seconds
2015-03-17T11:47:20Z DEBUG   [16/21]: requesting RA certificate from CA
2015-03-17T11:47:21Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=TESTREALM -z /tmp/tmpLeVAZX -a
2015-03-17T11:47:21Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: IPA RA
Email: (not specified)
Organization: TESTREALM
State: (not specified)
Country: (not specified)


2015-03-17T11:47:21Z DEBUG stderr=

Generating key.  This may take a few moments...


2015-03-17T11:47:21Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 942, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1200, in __request_ra_certificate
    conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)

  File "/usr/lib64/python2.6/httplib.py", line 914, in request
    self._send_request(method, url, body, headers)

  File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
    self.endheaders()

  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()

  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)

  File "/usr/lib64/python2.6/httplib.py", line 739, in send
    self.connect()

  File "/usr/lib64/python2.6/httplib.py", line 720, in connect
    self.timeout)

  File "/usr/lib64/python2.6/socket.py", line 567, in create_connection
    raise error, msg

2015-03-17T11:47:21Z INFO The ipa-server-install command failed, exception: error: [Errno 111] Connection refused
#
# service pki-cad status pki-ca
pki-ca (pid 22504) is running...[  OK  ]
    Unsecure Port       = http://hp-dl360g5-01.rhts.eng.bos.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca/services
    EE Client Auth Port = https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://hp-dl360g5-01.rhts.eng.bos.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://hp-dl360g5-01.rhts.eng.bos.redhat.com:443
    ==========================================================================
# netstat -putna |grep -e 9180 -e 9443 -e 9444
#


The same reproducer on system with tomcat6-6.0.24-83:


# service pki-cad status pki-ca
pki-ca (pid 18468) is running...[  OK  ]
    Unsecure Port       = http://sheep-12.lab.eng.brq.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://sheep-12.lab.eng.brq.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://sheep-12.lab.eng.brq.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://sheep-12.lab.eng.brq.redhat.com:9445/ca/services
    EE Client Auth Port = https://sheep-12.lab.eng.brq.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://sheep-12.lab.eng.brq.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://sheep-12.lab.eng.brq.redhat.com:443
    ==========================================================================
# netstat -putna |grep -e 9180 -e 9443 -e 9444
tcp        0      0 :::9180                     :::*                        LISTEN      18468/java          
tcp        0      0 :::9443                     :::*                        LISTEN      18468/java          
tcp        0      0 :::9444                     :::*                        LISTEN      18468/java
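
The log excerpt in Comment 1 shows the installer blocking in wait_for_open_ports for the full 300 seconds even though "service pki-cad status" reported a running PID. The following is an added example, not part of the bug report or of IPA's code: it scans an ipaserver-install.log for that pattern. The function name, the finding fields and the sample log (placeholder hostname) are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample modelled on the excerpt in Comment 1 (hostname is a placeholder).
SAMPLE_LOG = """\
2015-03-17T11:42:17Z DEBUG   [15/21]: restarting certificate server
2015-03-17T11:42:20Z DEBUG args=/sbin/service pki-cad status pki-ca
2015-03-17T11:42:20Z DEBUG stdout=pki-ca (pid 22504) is running...[  OK  ]
    Unsecure Port       = http://ca.example.test:9180/ca/ee/ca
2015-03-17T11:42:20Z DEBUG stderr=
2015-03-17T11:42:20Z DEBUG wait_for_open_ports: localhost [9180, 9443, 9444] timeout 300
2015-03-17T11:47:20Z CRITICAL Failed to restart the certificate server. See the installation log for details.
2015-03-17T11:47:20Z DEBUG   duration: 303 seconds
"""

STAMPED = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\w+)\s+(.*)$")
WAIT = re.compile(r"wait_for_open_ports: (\S+) \[([\d, ]+)\] timeout (\d+)")
RUNNING = re.compile(r"stdout=(\S+) \(pid (\d+)\) is running")

def find_port_wait_timeouts(log_text):
    """Return a finding for every wait_for_open_ports call that used up its timeout."""
    findings, pending, running = [], None, None
    for raw in log_text.splitlines():
        line = STAMPED.match(raw)
        if not line:
            continue  # continuation of multi-line stdout/stderr, no timestamp
        when = datetime.strptime(line.group(1), "%Y-%m-%dT%H:%M:%SZ")
        level, msg = line.group(2), line.group(3)
        if pending:
            # The first stamped line after the wait shows how long it blocked.
            waited = int((when - pending["started"]).total_seconds())
            if waited >= pending["timeout"]:
                findings.append({"host": pending["host"], "ports": pending["ports"],
                                 "waited": waited, "next_level": level,
                                 "status_said_running": pending["running"]})
            pending = None
        status = RUNNING.search(msg)
        if status:
            running = (status.group(1), int(status.group(2)))
        wait = WAIT.search(msg)
        if wait:
            pending = {"started": when, "host": wait.group(1),
                       "ports": [int(p) for p in wait.group(2).split(",")],
                       "timeout": int(wait.group(3)), "running": running}
    return findings

if __name__ == "__main__":
    for finding in find_port_wait_timeouts(SAMPLE_LOG):
        print(finding)
```

A finding with status_said_running set matches the situation in this report: the init script sees a live PID, so the listeners have to be checked separately, as the netstat commands above do.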

Comment 10 Radim Hatlapatka 2015-06-08 13:55:33 UTC
The reproduction steps were tried with tomcat6-6.0.24-83.el6, tomcat6-6.0.24-84.el6 and tomcat6-6.0.24-90.el6.

We were able to reproduce the failure of the CA server on tomcat6-6.0.24-84.el6 and verified that the installation works with the other two tomcat versions. Thanks to Milan (mkubik) for his help verifying this BZ.

Comment 12 errata-xmlrpc 2015-07-22 07:27:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1461.html

