1409786 – Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running

Bug 1409786 - Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running

Summary: Second phase of --external-ca ipa-server-install setup fails when dirsrv is n...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	fbarreto
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1405325
TreeView+	depends on / blocked

Reported:	2017-01-03 11:25 UTC by Jan Pazdziora
Modified:	2018-04-10 16:41 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ipa-4.5.4-9.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 16:40:25 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0918	0	None	None	None	2018-04-10 16:41:35 UTC

Description Jan Pazdziora 2017-01-03 11:25:12 UTC

Description of problem:

When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fails with

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Version-Release number of selected component (if applicable):

ipa-server-4.4.0-14.el7_3.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U

Actual results:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

/var/log/ipaserver-install.log ends with

2017-01-03T11:17:54Z DEBUG Starting external process
2017-01-03T11:17:54Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_
2017-01-03T11:17:54Z DEBUG Process finished, return code=1
2017-01-03T11:17:54Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170103061754.log
Loading deployment configuration from /tmp/tmp9WqbH_.
ERROR:  Unable to access directory server: Can't contact LDAP server

2017-01-03T11:17:54Z DEBUG stderr=
2017-01-03T11:17:54Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
2017-01-03T11:17:54Z CRITICAL See the installation logs and the following files/directories for more information:
2017-01-03T11:17:54Z CRITICAL   /var/log/pki/pki-tomcat
2017-01-03T11:17:54Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-01-03T11:17:54Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1357, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 267, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 773, in install
    ca.install_step_0(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 173, in install_step_0
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 437, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2017-01-03T11:17:54Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z ERROR CA configuration failed.
2017-01-03T11:17:54Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

No error, the installer makes sure that anything that it needs to be running got started.

Additional info:

This causes problems especially in unattended container installations when completely new container is run for the second phase and the dirsrv is thus not up.

Comment 2 Petr Vobornik 2017-01-13 17:30:27 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6611

Comment 3 fbarreto 2017-07-27 11:45:34 UTC

PR: https://github.com/freeipa/freeipa/pull/933

Comment 4 Tomas Krizek 2017-09-21 08:24:57 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/bf0b74bec4dc8b75a71d9e8d1374755a81d8b1df

Comment 6 Mohammad Rizwan 2018-01-10 06:23:50 UTC

version:
ipa-server-4.5.4-7.el7.x86_64
389-ds-base-1.3.7.5-11.el7.x86_64

Steps:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U

Actual result:
ipa install succeed. see attached console logs.

Thus marking bug as verified.

Comment 8 Florence Blanc-Renaud 2018-01-12 15:33:23 UTC

Moving to assigned as the backport was missing from ipa-4-5

Comment 9 Florence Blanc-Renaud 2018-01-15 09:25:18 UTC

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/d20cac725fcf47ed581841a0b234bd6ce918b51d

Comment 13 Nikhil Dehadrai 2018-01-25 10:52:15 UTC

IPA_SERVER-VERSION: ipa-server-4.5.4-9.el7.x86_64
DIRECTORY Server version: 389-ds-base-1.3.7.5-13.el7.x86_64

Verified the bug on the basis of following steps and observations:

Steps:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U

Observation:
1. ipa  server installation is successful.
2. No error messages are observed:

[root@auto-hv-01-guest05 testdb]# cat /var/log/ipaserver-install.log | grep "Failed to configure CA instance"
[root@auto-hv-01-guest05 testdb]# cat /var/log/ipaserver-install.log | grep "CA configuration failed"
[root@auto-hv-01-guest05 testdb]# 

Thus on the basis of above observations, marking the status of bug to 'VERIFIED'.

Comment 17 errata-xmlrpc 2018-04-10 16:40:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918

Note You need to log in before you can comment on or make changes to this bug.