Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1285071

Summary: ipa-kra-install fails on replica looking for admin cert file
Product: Red Hat Enterprise Linux 7 Reporter: Scott Poore <spoore>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: cheimes, ksiddiqu, pvoborni, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.4.0-0.el7.1.alpha1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 05:41:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scott Poore 2015-11-24 19:50:51 UTC 
Description of problem:

ipa-kra-install is failing when run on replica before running on master.

[root@rhel7-2 ~]# ipa-kra-install -p Secret123 -U

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmppAs9nw'' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki-ca-install.log
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.

Looking at ipa-kra-install.log directs me to the pkispawn log which shows this:

2015-11-24 13:18:23 pkispawn    : INFO     ....... constructing PKI configuration data.
2015-11-24 13:18:23 pkispawn    : DEBUG    ....... Error Type: IOError
2015-11-24 13:18:23 pkispawn    : DEBUG    ....... Error Message: [Errno 2] No such file or directory: '/root/.dogtag/pki-tomcat/ca_admin.cert'
2015-11-24 13:18:23 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 112, in spawn
    data = deployer.config_client.construct_pki_configuration_data()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4026, in construct_pki_configuration_data
    self.set_admin_parameters(data)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4405, in set_admin_parameters
    with open(self.mdict['pki_admin_cert_file'], "r") as f:

Then I check and cannot see this file on the replica:

[root@rhel7-2 ~]# file /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert: cannot open (No such file or directory)


However, I can see it on the master:

[root@rhel7-1 ~]# file /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert: ASCII text, with CRLF line terminators

Version-Release number of selected component (if applicable):

ipa-server-4.2.0-15.el7_2.2.x86_64

How reproducible:

unknown

Steps to Reproduce:
1.  Install IPA Master
2.  Install IPA Replica
3.  ipa-ca-install on replica
4.  ipa-kra-install on replica

Actual results:
fails as shown above.

Expected results:
installs first KRA on replica.

Additional info:
Comment 1 Petr Vobornik 2015-11-25 14:46:17 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5460
Comment 2 Petr Vobornik 2016-01-25 23:02:02 UTC 
Upstream ticket was fixed:

master:
    efeb7d54ba7e3145a7a0b50c4b275d208cb656e6 ipa-kra-install: allow to install first KRA on replica
    bbbe411f357b7fbad533b5211a90bb0558b1abbe Modify error message to install first instance of KRA 

ipa-4-2:
    991e57b09210af00e7fb40cc49745d42c46568f8 ipa-kra-install: allow to install first KRA on replica
    cacca7bade36d5b01dd8c3568e41abb2b183aa50 Modify error message to install first instance of KRA
Comment 3 Mike McCune 2016-03-28 22:43:24 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 5 Scott Poore 2016-07-07 21:52:52 UTC 
Verified.

Version ::

ipa-server-4.4.0-1.el7.x86_64

Results ::

First master installed, then replica was installed with --setup-ca instead of running ipa-ca-install separately.

[root@replica ~]# ipa-ca-install
CA is already installed on this host.

[root@replica ~]# ipa-kra-install
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful

To confirm only KRA installation:

[root@master ~]# ldapsearch -LLL -Q -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket -b "cn=KRAList,ou=Security Domain,o=ipaca" "(objectClass=top)" dn SubsystemName
dn: cn=KRAList,ou=Security Domain,o=ipaca

dn: cn=replica.testrelm.test:443,cn=KRAList,ou=Security Domain,o=ipaca
SubsystemName: KRA replica.testrelm.test 8443

[root@master ~]#
Comment 7 errata-xmlrpc 2016-11-04 05:41:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html