1409786 – Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1409786 - Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running

Summary: Second phase of --external-ca ipa-server-install setup fails when dirsrv is n...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	fbarreto
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1405325
TreeView+	depends on / blocked

Reported:	2017-01-03 11:25 UTC by Jan Pazdziora (Red Hat)
Modified:	2018-04-10 16:41 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ipa-4.5.4-9.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 16:40:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0918	0	None	None	None	2018-04-10 16:41:35 UTC

Description Jan Pazdziora (Red Hat) 2017-01-03 11:25:12 UTC

Description of problem:

When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fails with

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Version-Release number of selected component (if applicable):

ipa-server-4.4.0-14.el7_3.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U

Actual results:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

/var/log/ipaserver-install.log ends with

2017-01-03T11:17:54Z DEBUG Starting external process
2017-01-03T11:17:54Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_
2017-01-03T11:17:54Z DEBUG Process finished, return code=1
2017-01-03T11:17:54Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170103061754.log
Loading deployment configuration from /tmp/tmp9WqbH_.
ERROR:  Unable to access directory server: Can't contact LDAP server

2017-01-03T11:17:54Z DEBUG stderr=
2017-01-03T11:17:54Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
2017-01-03T11:17:54Z CRITICAL See the installation logs and the following files/directories for more information:
2017-01-03T11:17:54Z CRITICAL   /var/log/pki/pki-tomcat
2017-01-03T11:17:54Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-01-03T11:17:54Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1357, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 267, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 773, in install
    ca.install_step_0(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 173, in install_step_0
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 437, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2017-01-03T11:17:54Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z ERROR CA configuration failed.
2017-01-03T11:17:54Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

No error, the installer makes sure that anything that it needs to be running got started.

Additional info:

This causes problems especially in unattended container installations when completely new container is run for the second phase and the dirsrv is thus not up.

Comment 2 Petr Vobornik 2017-01-13 17:30:27 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6611

Comment 3 fbarreto 2017-07-27 11:45:34 UTC

PR: https://github.com/freeipa/freeipa/pull/933

Comment 4 Tomas Krizek 2017-09-21 08:24:57 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/bf0b74bec4dc8b75a71d9e8d1374755a81d8b1df

Comment 6 Mohammad Rizwan 2018-01-10 06:23:50 UTC

version:
ipa-server-4.5.4-7.el7.x86_64
389-ds-base-1.3.7.5-11.el7.x86_64

Steps:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U

Actual result:
ipa install succeed. see attached console logs.

Thus marking bug as verified.

Comment 8 Florence Blanc-Renaud 2018-01-12 15:33:23 UTC

Moving to assigned as the backport was missing from ipa-4-5

Comment 9 Florence Blanc-Renaud 2018-01-15 09:25:18 UTC

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/d20cac725fcf47ed581841a0b234bd6ce918b51d

Comment 13 Nikhil Dehadrai 2018-01-25 10:52:15 UTC

IPA_SERVER-VERSION: ipa-server-4.5.4-9.el7.x86_64
DIRECTORY Server version: 389-ds-base-1.3.7.5-13.el7.x86_64

Verified the bug on the basis of following steps and observations:

Steps:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U

Observation:
1. ipa  server installation is successful.
2. No error messages are observed:

[root@auto-hv-01-guest05 testdb]# cat /var/log/ipaserver-install.log | grep "Failed to configure CA instance"
[root@auto-hv-01-guest05 testdb]# cat /var/log/ipaserver-install.log | grep "CA configuration failed"
[root@auto-hv-01-guest05 testdb]# 

Thus on the basis of above observations, marking the status of bug to 'VERIFIED'.

Comment 17 errata-xmlrpc 2018-04-10 16:40:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918

Note You need to log in before you can comment on or make changes to this bug.