Bug 1285071 - ipa-kra-install fails on replica looking for admin cert file
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-11-24 14:50 EST by Scott Poore
Modified: 2016-11-04 01:41 EDT
Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: Bug Fix
Last Closed: 2016-11-04 01:41:33 EDT
Type: Bug

Description Scott Poore 2015-11-24 14:50:51 EST
Description of problem:

ipa-kra-install is failing when run on replica before running on master.

[root@rhel7-2 ~]# ipa-kra-install -p Secret123 -U

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmppAs9nw'' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki-ca-install.log
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.

Looking at ipa-kra-install.log directs me to the pkispawn log which shows this:

2015-11-24 13:18:23 pkispawn    : INFO     ....... constructing PKI configuration data.
2015-11-24 13:18:23 pkispawn    : DEBUG    ....... Error Type: IOError
2015-11-24 13:18:23 pkispawn    : DEBUG    ....... Error Message: [Errno 2] No such file or directory: '/root/.dogtag/pki-tomcat/ca_admin.cert'
2015-11-24 13:18:23 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 112, in spawn
    data = deployer.config_client.construct_pki_configuration_data()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4026, in construct_pki_configuration_data
    self.set_admin_parameters(data)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4405, in set_admin_parameters
    with open(self.mdict['pki_admin_cert_file'], "r") as f:

Then I check and cannot see this file on the replica:

[root@rhel7-2 ~]# file /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert: cannot open (No such file or directory)


However, I can see it on the master:

[root@rhel7-1 ~]# file /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert: ASCII text, with CRLF line terminators

Version-Release number of selected component (if applicable):

ipa-server-4.2.0-15.el7_2.2.x86_64

How reproducible:

unknown

Steps to Reproduce:
1.  Install IPA Master
2.  Install IPA Replica
3.  ipa-ca-install on replica
4.  ipa-kra-install on replica

Actual results:
fails as shown above.

Expected results:
installs first KRA on replica.

Additional info:
Comment 1 Petr Vobornik 2015-11-25 09:46:17 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5460
Comment 2 Petr Vobornik 2016-01-25 18:02:02 EST
Upstream ticket was fixed:

master:
    efeb7d54ba7e3145a7a0b50c4b275d208cb656e6 ipa-kra-install: allow to install first KRA on replica
    bbbe411f357b7fbad533b5211a90bb0558b1abbe Modify error message to install first instance of KRA 

ipa-4-2:
    991e57b09210af00e7fb40cc49745d42c46568f8 ipa-kra-install: allow to install first KRA on replica
    cacca7bade36d5b01dd8c3568e41abb2b183aa50 Modify error message to install first instance of KRA
Comment 3 Mike McCune 2016-03-28 18:43:24 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 5 Scott Poore 2016-07-07 17:52:52 EDT
Verified.

Version ::

ipa-server-4.4.0-1.el7.x86_64

Results ::

First master installed, then replica was installed with --setup-ca instead of running ipa-ca-install separately.

[root@replica ~]# ipa-ca-install
CA is already installed on this host.

[root@replica ~]# ipa-kra-install
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful

To confirm only KRA installation:

[root@master ~]# ldapsearch -LLL -Q -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket -b "cn=KRAList,ou=Security Domain,o=ipaca" "(objectClass=top)" dn SubsystemName
dn: cn=KRAList,ou=Security Domain,o=ipaca

dn: cn=replica.testrelm.test:443,cn=KRAList,ou=Security Domain,o=ipaca
SubsystemName: KRA replica.testrelm.test 8443

[root@master ~]#
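As an added illustration, not FreeIPA's own code, of the decision the fix in Comment 2 introduces (allowing the first KRA to be created on a replica instead of always treating the replica as a clone that needs the master's ca_admin.cert), the block below parses the cn=KRAList search from Comment 5 and decides how a KRA install on a given host should proceed. The LDIF samples are constructed from that output, and using KRAList for this decision is an assumption about how the check could be made.

```python
import re

# Constructed sample: the ldapsearch output shown in Comment 5 once one KRA exists.
LDIF_WITH_KRA = """\
dn: cn=KRAList,ou=Security Domain,o=ipaca

dn: cn=replica.testrelm.test:443,cn=KRAList,ou=Security Domain,o=ipaca
SubsystemName: KRA replica.testrelm.test 8443
"""
# Constructed sample: the same search before any KRA has been installed.
LDIF_NO_KRA = "dn: cn=KRAList,ou=Security Domain,o=ipaca\n"


def parse_ldif(text):
    """Split 'ldapsearch -LLL' output into entries (attribute -> list of values).
    Blank lines separate entries; a leading space marks a continuation line."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            last_attr = None
        elif raw.startswith(" ") and last_attr:  # continuation of previous value
            current[last_attr][-1] += raw[1:]
        else:
            attr, _, value = raw.partition(":")
            current.setdefault(attr, []).append(value.strip())
            last_attr = attr
    if current:
        entries.append(current)
    return entries


def kra_instances(text):
    """Return [(host, port)] for every KRA registered under cn=KRAList."""
    found = []
    for entry in parse_ldif(text):
        for value in entry.get("SubsystemName", []):
            m = re.match(r"KRA\s+(\S+)\s+(\d+)$", value)
            if m:
                found.append((m.group(1), int(m.group(2))))
    return found


def plan_kra_install(text, this_host):
    """Assumed decision logic: no KRA in the domain -> 'first-instance' (no master
    admin cert to copy, the case that failed in the description); KRA elsewhere -> 'clone'."""
    existing = kra_instances(text)
    if any(host == this_host for host, _ in existing):
        return "already-installed"
    return "clone" if existing else "first-instance"
```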
Comment 7 errata-xmlrpc 2016-11-04 01:41:33 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html