Bug 1285071 - ipa-kra-install fails on replica looking for admin cert file
Summary: ipa-kra-install fails on replica looking for admin cert file
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-11-24 19:50 UTC by Scott Poore
Modified: 2016-11-04 05:41 UTC (History)
Last Closed: 2016-11-04 05:41:33 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Scott Poore 2015-11-24 19:50:51 UTC
Description of problem:

ipa-kra-install is failing when run on replica before running on master.

[root@rhel7-2 ~]# ipa-kra-install -p Secret123 -U

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmppAs9nw'' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki-ca-install.log
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.

Looking at ipa-kra-install.log directs me to the pkispawn log which shows this:

2015-11-24 13:18:23 pkispawn    : INFO     ....... constructing PKI configuration data.
2015-11-24 13:18:23 pkispawn    : DEBUG    ....... Error Type: IOError
2015-11-24 13:18:23 pkispawn    : DEBUG    ....... Error Message: [Errno 2] No such file or directory: '/root/.dogtag/pki-tomcat/ca_admin.cert'
2015-11-24 13:18:23 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 112, in spawn
    data = deployer.config_client.construct_pki_configuration_data()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4026, in construct_pki_configuration_data
    self.set_admin_parameters(data)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4405, in set_admin_parameters
    with open(self.mdict['pki_admin_cert_file'], "r") as f:

Then I check and cannot see this file on the replica:

[root@rhel7-2 ~]# file /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert: cannot open (No such file or directory)


However, I can see it on the master:

[root@rhel7-1 ~]# file /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert: ASCII text, with CRLF line terminators

Version-Release number of selected component (if applicable):

ipa-server-4.2.0-15.el7_2.2.x86_64

How reproducible:

unknown

Steps to Reproduce:
1.  Install IPA Master
2.  Install IPA Replica
3.  ipa-ca-install on replica
4.  ipa-kra-install on replica

Actual results:
fails as shown above.

Expected results:
installs first KRA on replica.

Additional info:

Comment 1 Petr Vobornik 2015-11-25 14:46:17 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5460

Comment 2 Petr Vobornik 2016-01-25 23:02:02 UTC
Upstream ticket was fixed:

master:
    efeb7d54ba7e3145a7a0b50c4b275d208cb656e6 ipa-kra-install: allow to install first KRA on replica
    bbbe411f357b7fbad533b5211a90bb0558b1abbe Modify error message to install first instance of KRA

ipa-4-2:
    991e57b09210af00e7fb40cc49745d42c46568f8 ipa-kra-install: allow to install first KRA on replica
    cacca7bade36d5b01dd8c3568e41abb2b183aa50 Modify error message to install first instance of KRA

Comment 3 Mike McCune 2016-03-28 22:43:24 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 5 Scott Poore 2016-07-07 21:52:52 UTC
Verified.

Version ::

ipa-server-4.4.0-1.el7.x86_64

Results ::

First master installed, then replica was installed with --setup-ca instead of running ipa-ca-install separately.

[root@replica ~]# ipa-ca-install
CA is already installed on this host.

[root@replica ~]# ipa-kra-install
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful

To confirm only KRA installation:

[root@master ~]# ldapsearch -LLL -Q -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket -b "cn=KRAList,ou=Security Domain,o=ipaca" "(objectClass=top)" dn SubsystemName
dn: cn=KRAList,ou=Security Domain,o=ipaca

dn: cn=replica.testrelm.test:443,cn=KRAList,ou=Security Domain,o=ipaca
SubsystemName: KRA replica.testrelm.test 8443

[root@master ~]#
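The verification step above reads the KRAList entries out of the CA security domain by eye. The following added example (not part of the bug report or of FreeIPA) parses that LDIF output and returns which hosts have a KRA registered, so the same check can be scripted; the sample LDIF is constructed from the output shown in Comment 5, and the `ldapsearch` invocation itself is assumed to be run separately and piped in.

```python
"""Parse the LDIF printed by the KRAList ldapsearch and list KRA hosts.

Example usage (assumption: run on an IPA CA host with the same search as above):
    ldapsearch -LLL -Q -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket \
        -b "cn=KRAList,ou=Security Domain,o=ipaca" "(objectClass=top)" dn SubsystemName \
        | python3 this_script.py
"""
import re
import sys

# Constructed sample modelled on the ldapsearch output in Comment 5.
SAMPLE_LDIF = """\
dn: cn=KRAList,ou=Security Domain,o=ipaca

dn: cn=replica.testrelm.test:443,cn=KRAList,ou=Security Domain,o=ipaca
SubsystemName: KRA replica.testrelm.test 8443
"""

KRALIST_DN = "cn=KRAList,ou=Security Domain,o=ipaca"


def parse_ldif_entries(text):
    """Split LDIF into entries (attribute -> list of values).

    Handles blank-line entry separators and LDIF line folding (a line that
    starts with one space continues the previous attribute value)."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def kra_hosts(ldif_text):
    """Return [(hostname, port)] for each KRA subsystem entry under cn=KRAList."""
    hosts = []
    for entry in parse_ldif_entries(ldif_text):
        dn = entry.get("dn", [""])[0]
        # The container entry itself carries no SubsystemName; only children do.
        if not dn.endswith("," + KRALIST_DN):
            continue
        for value in entry.get("SubsystemName", []):
            m = re.match(r"KRA\s+(\S+)\s+(\d+)$", value)
            if m:
                hosts.append((m.group(1), int(m.group(2))))
    return hosts


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for host, port in kra_hosts(data):
        print("KRA registered on %s (port %d)" % (host, port))
```

An empty result after a run of `ipa-kra-install` that reported success is the condition worth alerting on; the list is the authoritative record of which hosts the CA security domain believes carry a KRA.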

Comment 7 errata-xmlrpc 2016-11-04 05:41:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

