Description of problem:

When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fails with

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Version-Release number of selected component (if applicable):

ipa-server-4.4.0-14.el7_3.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:

1. yum install -y ipa-server
2. ipa-server-install --external-ca -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv@EXAMPLE-TEST.service
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U

Actual results:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

/var/log/ipaserver-install.log ends with

2017-01-03T11:17:54Z DEBUG Starting external process
2017-01-03T11:17:54Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_
2017-01-03T11:17:54Z DEBUG Process finished, return code=1
2017-01-03T11:17:54Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170103061754.log
Loading deployment configuration from /tmp/tmp9WqbH_.
ERROR: Unable to access directory server: Can't contact LDAP server
2017-01-03T11:17:54Z DEBUG stderr=
2017-01-03T11:17:54Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
2017-01-03T11:17:54Z CRITICAL See the installation logs and the following files/directories for more information:
2017-01-03T11:17:54Z CRITICAL /var/log/pki/pki-tomcat
2017-01-03T11:17:54Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z DEBUG [error] RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1357, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 267, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 773, in install
    ca.install_step_0(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 173, in install_step_0
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 437, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2017-01-03T11:17:54Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z ERROR CA configuration failed.
2017-01-03T11:17:54Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

No error, the installer makes sure that anything that it needs to be running got started.

Additional info:

This causes problems especially in unattended container installations when completely new container is run for the second phase and the dirsrv is thus not up.
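A pre-flight check for the scenario described above, for builds that do not carry the fix. This is an added example, not part of the bug report and not FreeIPA code. The function names `dirsrv_unit` and `ensure_dirsrv` and the `SYSTEMCTL` override are assumptions made for illustration; the realm-to-unit mapping follows the unit names shown in the reproduction steps.

```shell
#!/bin/sh
# Added example (not FreeIPA code): make sure the directory server instance
# is up before the second phase of an --external-ca install is started.

# SYSTEMCTL is a hypothetical override so the logic can run without systemd.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Map a realm to its dirsrv unit, following the naming visible in the report:
#   EXAMPLE.TEST -> dirsrv@EXAMPLE-TEST.service
dirsrv_unit() {
    printf 'dirsrv@%s.service\n' "$(printf '%s' "$1" | tr '.' '-')"
}

# Start the unit if it is not active, then poll until it reports active.
#   $1 = realm, $2 = maximum number of one-second polls (default 10)
# Returns 0 once the unit is active, 1 if it could not be started in time.
ensure_dirsrv() {
    unit=$(dirsrv_unit "$1")
    tries=${2:-10}
    "$SYSTEMCTL" is-active --quiet "$unit" && return 0
    "$SYSTEMCTL" start "$unit" || return 1
    while [ "$tries" -gt 0 ]; do
        "$SYSTEMCTL" is-active --quiet "$unit" && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Typical use in an unattended second phase (installer arguments as in the
# reproduction steps):
#   ensure_dirsrv EXAMPLE.TEST && ipa-server-install --external-cert-file=...
```

In a freshly created container for the second phase, the unit only exists if the instance configuration written during the first phase is present in the new container's filesystem.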
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6611
PR: https://github.com/freeipa/freeipa/pull/933
Fixed upstream master: https://pagure.io/freeipa/c/bf0b74bec4dc8b75a71d9e8d1374755a81d8b1df
version:
ipa-server-4.5.4-7.el7.x86_64
389-ds-base-1.3.7.5-11.el7.x86_64

Steps:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv@TESTRELM-TEST.service
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U

Actual result:
ipa install succeed. see attached console logs.

Thus marking bug as verified.
Moving to assigned as the backport was missing from ipa-4-5
Fixed upstream ipa-4-5: https://pagure.io/freeipa/c/d20cac725fcf47ed581841a0b234bd6ce918b51d
IPA_SERVER-VERSION: ipa-server-4.5.4-9.el7.x86_64
DIRECTORY Server version: 389-ds-base-1.3.7.5-13.el7.x86_64

Verified the bug on the basis of following steps and observations:

Steps:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv@TESTRELM-TEST.service
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U

Observation:
1. ipa server installation is successful.
2. No error messages are observed:

[root@auto-hv-01-guest05 testdb]# cat /var/log/ipaserver-install.log | grep "Failed to configure CA instance"
[root@auto-hv-01-guest05 testdb]# cat /var/log/ipaserver-install.log | grep "CA configuration failed"
[root@auto-hv-01-guest05 testdb]#

Thus on the basis of above observations, marking the status of bug to 'VERIFIED'.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0918