Created attachment 1241636: CA instance spawn log

Description of problem:

When installing FreeIPA w/ CA on rawhide, the installation fails with a familiar error:

{{{
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpANra4a' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
}}}

Inspecting installation logs hints at some issue with unicode vs. bytes handling during CA instance creation using pkispawn:

{{{
2017-01-17T07:01:18Z DEBUG Starting external process
2017-01-17T07:01:18Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpANra4a
2017-01-17T07:01:19Z DEBUG Process finished, return code=1
2017-01-17T07:01:19Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170117070118.log
Loading deployment configuration from /tmp/tmpANra4a.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed: stat() argument 1 must be encoded string without null bytes, not str
}}}

and this is indeed confirmed when examining the pki-ca-spawn logs (attached):

{{{
2017-01-17 07:01:19 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-oI6sY0 -f /root/.dogtag/pki-tomcat/ca/password.conf'
2017-01-17 07:01:19 pkispawn : DEBUG ....... Error Type: TypeError
2017-01-17 07:01:19 pkispawn : DEBUG ....... Error Message: stat() argument 1 must be encoded string without null bytes, not str
2017-01-17 07:01:19 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 528, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 301, in spawn
    if len(deployer.instance.tomcat_instance_subsystems()) < 2:
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 1028, in tomcat_instance_subsystems
    if os.path.exists(path) and os.path.isdir(path):
  File "/usr/lib64/python2.7/genericpath.py", line 26, in exists
    os.stat(path)
}}}

This issue currently blocks FreeIPA installation on rawhide. Please resolve ASAP.

Version-Release number of selected component (if applicable):

{{{
# rpm -q pki-ca
pki-ca-10.3.5-10.fc26.noarch
# rpm -q freeipa-server
}}}

How reproducible:
Always

Steps to Reproduce:
1. Try to install FreeIPA server with self-signed CA provided by Dogtag

Actual results:
Installation fails during CA subsystem spawn.

Expected results:
Installation produces a working FreeIPA server

Additional info:
The installation works in freeipa/freeipa-server:fedora-rawhide Docker image built on 2017-01-11T13:53:49.455Z and also on freshly built Docker image launched on Fedora Atomic Host 25.
Adding some debug prints into "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py" reveals that on one occasion, PKI_INSTANCE_PATH constant from "/usr/lib/python2.7/site-packages/pki/server/deployment/config.py" holds a value containing a non-printable character:

{{{
PKI instance path: /var/lib/pki/pki-tomcat
Path: /var/lib/pki/pki-tomcat/ocsp [type <type 'str'>]
PKI instance path: /var/lib/pki/pki-tomcat
Path: /var/lib/pki/pki-tomcat/tks [type <type 'str'>]
PKI instance path: /var/lib/pki/pki-tomcat
Path: /var/lib/pki/pki-tomcat/tps [type <type 'str'>]
PKI instance path: /var/lib/pki^@pki-tomcat <----
Path: /var/lib/pki^@pki-tomcat/ca [type <type 'str'>]
}}}
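An added example, not part of the bug report or of the Dogtag code: a guard that rejects a path containing a NUL or other control character before it reaches `os.path.isdir()` and reports the offending offset, instead of surfacing the opaque `stat()` TypeError shown above. `instance_subsystems` is a hypothetical stand-in for the scan in the traceback; the subsystem names are taken from the debug output and the corrupted path is constructed from it.

```python
import os
import tempfile

# Subsystem directory names as they appear in the debug output above.
SUBSYSTEMS = ("ca", "ocsp", "tks", "tps")


class BadPathError(ValueError):
    """Raised when a path contains a NUL or other control character."""


def check_path(path):
    """Return path unchanged, or raise BadPathError naming the bad offset."""
    for offset, ch in enumerate(path):
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            raise BadPathError(
                "control character 0x%02x at offset %d in %r"
                % (ord(ch), offset, path))
    return path


def instance_subsystems(instance_path):
    """Hypothetical stand-in for the scan in the traceback: list the
    subsystem directories that exist under instance_path."""
    found = []
    for name in SUBSYSTEMS:
        # Validate at the point of use: the debug output shows the value
        # was intact for three lookups and corrupted on the fourth.
        path = check_path(os.path.join(instance_path, name))
        if os.path.isdir(path):
            found.append(name)
    return found


def demo():
    """Run the scan on a clean directory and on a constructed bad path."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "ca"))
        good = instance_subsystems(root)
    # Constructed sample: separator replaced by NUL, as in the debug output.
    corrupted = "/var/lib/pki\x00pki-tomcat"
    try:
        instance_subsystems(corrupted)
        error = None
    except BadPathError as exc:
        error = str(exc)
    return good, error


if __name__ == "__main__":
    print(demo())
```

On Python 3.8 and later `os.path.isdir()` returns False for a path with an embedded NUL rather than raising, so without the explicit check this kind of corruption would pass silently as "directory not present".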
Upstream ticket: https://fedorahosted.org/pki/ticket/2591
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
Please re-try this with the following packages installed on rawhide:

* https://koji.fedoraproject.org/koji/buildinfo?buildID=874334 jss-4.4.1-1.fc27
* https://koji.fedoraproject.org/koji/buildinfo?buildID=874340 tomcatjss-7.2.2-1.fc27
* https://koji.fedoraproject.org/koji/buildinfo?buildID=874564 pki-core-10.4.1-2.fc27
(In reply to Matthew Harmsen from comment #3)
> Please re-try this with the following packages installed on rawhide:
>
> * https://koji.fedoraproject.org/koji/buildinfo?buildID=874334
> jss-4.4.1-1.fc27
> * https://koji.fedoraproject.org/koji/buildinfo?buildID=874340
> tomcatjss-7.2.2-1.fc27
> * https://koji.fedoraproject.org/koji/buildinfo?buildID=874564
> pki-core-10.4.1-2.fc27

[20170407] - Received word back from amarecek that this issue is now resolved on Fedora 27 "rawhide".
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.