1285071 – ipa-kra-install fails on replica looking for admin cert file

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1285071 - ipa-kra-install fails on replica looking for admin cert file

Summary: ipa-kra-install fails on replica looking for admin cert file

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-11-24 19:50 UTC by Scott Poore
Modified:	2016-11-04 05:41 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ipa-4.4.0-0.el7.1.alpha1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 05:41:33 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2404	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 13:56:18 UTC

Description Scott Poore 2015-11-24 19:50:51 UTC

Description of problem:

ipa-kra-install is failing when run on replica before running on master.

[root@rhel7-2 ~]# ipa-kra-install -p Secret123 -U

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmppAs9nw'' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki-ca-install.log
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.

Looking at ipa-kra-install.log directs me to the pkispawn log which shows this:

2015-11-24 13:18:23 pkispawn    : INFO     ....... constructing PKI configuration data.
2015-11-24 13:18:23 pkispawn    : DEBUG    ....... Error Type: IOError
2015-11-24 13:18:23 pkispawn    : DEBUG    ....... Error Message: [Errno 2] No such file or directory: '/root/.dogtag/pki-tomcat/ca_admin.cert'
2015-11-24 13:18:23 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 112, in spawn
    data = deployer.config_client.construct_pki_configuration_data()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4026, in construct_pki_configuration_data
    self.set_admin_parameters(data)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4405, in set_admin_parameters
    with open(self.mdict['pki_admin_cert_file'], "r") as f:

Then I check and cannot see this file on the replica:

[root@rhel7-2 ~]# file /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert: cannot open (No such file or directory)


However, I can see it on the master:

[root@rhel7-1 ~]# file /root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert: ASCII text, with CRLF line terminators

Version-Release number of selected component (if applicable):

ipa-server-4.2.0-15.el7_2.2.x86_64

How reproducible:

unknown

Steps to Reproduce:
1.  Install IPA Master
2.  Install IPA Replica
3.  ipa-ca-install on replica
4.  ipa-kra-install on replica

Actual results:
fails as shown above.

Expected results:
installs first KRA on replica.

Additional info:

Comment 1 Petr Vobornik 2015-11-25 14:46:17 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5460

Comment 2 Petr Vobornik 2016-01-25 23:02:02 UTC

Upstream ticket was fixed:

master:
    efeb7d54ba7e3145a7a0b50c4b275d208cb656e6 ipa-kra-install: allow to install first KRA on replica
    bbbe411f357b7fbad533b5211a90bb0558b1abbe Modify error message to install first instance of KRA 

ipa-4-2:
    991e57b09210af00e7fb40cc49745d42c46568f8 ipa-kra-install: allow to install first KRA on replica
    cacca7bade36d5b01dd8c3568e41abb2b183aa50 Modify error message to install first instance of KRA

Comment 3 Mike McCune 2016-03-28 22:43:24 UTC

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 5 Scott Poore 2016-07-07 21:52:52 UTC

Verified.

Version ::

ipa-server-4.4.0-1.el7.x86_64

Results ::

First master installed, then replica was installed with --setup-ca instead of running ipa-ca-install separately.

[root@replica ~]# ipa-ca-install
CA is already installed on this host.

[root@replica ~]# ipa-kra-install
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful

To confirm only KRA installation:

[root@master ~]# ldapsearch -LLL -Q -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket -b "cn=KRAList,ou=Security Domain,o=ipaca" "(objectClass=top)" dn SubsystemName
dn: cn=KRAList,ou=Security Domain,o=ipaca

dn: cn=replica.testrelm.test:443,cn=KRAList,ou=Security Domain,o=ipaca
SubsystemName: KRA replica.testrelm.test 8443

[root@master ~]#

Comment 7 errata-xmlrpc 2016-11-04 05:41:33 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.