Description of problem: Running ipa-server-install in container fails at the step [27/28]: adding 'ipa' CA entry [28/28]: configuring certmonger renewal for lightweight CAs Done configuring certificate server (pki-tomcatd). Configuring directory server (dirsrv) [1/3]: configuring TLS for DS instance [error] RuntimeError: request timed out Version-Release number of selected component (if applicable): freeipa-server-4.7.0-1.fc29.x86_64 certmonger-0.79.6-2.fc29.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. Build container image from https://github.com/freeipa/freeipa-container with -f Dockerfile.freeipa-rawhide. 2. Run the container with docker run -h ipa.example.test \ --sysctl net.ipv6.conf.all.disable_ipv6=0 \ --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ -v $(pwd)/data:/data:Z \ -e PASSWORD=Secret123 "$IMAGE" \ exit-on-finished -U -r EXAMPLE.TEST --setup-dns --no-forwarders --no-ntp Actual results: [22/28]: updating IPA configuration [23/28]: enabling CA instance [24/28]: migrating certificate profiles to LDAP [25/28]: importing IPA certificate profiles [26/28]: adding default CA ACL [27/28]: adding 'ipa' CA entry [28/28]: configuring certmonger renewal for lightweight CAs Done configuring certificate server (pki-tomcatd). Configuring directory server (dirsrv) [1/3]: configuring TLS for DS instance [error] RuntimeError: request timed out FreeIPA server configuration failed. Expected results: ipa-server-install does not fail. Additional info: Notable from journal is Sep 02 08:43:45 ipa.example.test ipa-submit[1569]: GSSAPI client step 1 Sep 02 08:43:45 ipa.example.test ipa-submit[1569]: GSSAPI client step 1 Sep 02 08:43:54 ipa.example.test systemd[1]: Started Certificate monitoring and PKI enrollment. Sep 02 08:44:18 ipa.example.test certmonger[1690]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved. Sep 02 08:45:06 ipa.example.test certmonger[2451]: OSSLEVPSymmetricAlgorithm.cpp(543): EVP_DecryptFinal failed (0x00000000): error:06 065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt Sep 02 08:45:06 ipa.example.test certmonger[2452]: OSSLEVPSymmetricAlgorithm.cpp(543): EVP_DecryptFinal failed (0x00000000): error:06 065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt Sep 02 08:45:06 ipa.example.test certmonger[2453]: OSSLEVPSymmetricAlgorithm.cpp(543): EVP_DecryptFinal failed (0x00000000): error:06 065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt The ipaserver-install.log ends with 2018-09-02T08:45:04Z DEBUG stdout= 2018-09-02T08:45:04Z DEBUG stderr= 2018-09-02T08:45:04Z DEBUG Starting external process 2018-09-02T08:45:04Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-EXAMPLE-TEST/', '-A', '-n', 'EXAMPLE.TEST IPA CA', '-t', 'CT,C,C', '-a', '-f', '/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'] 2018-09-02T08:45:04Z DEBUG Process finished, return code=0 2018-09-02T08:45:04Z DEBUG stdout= 2018-09-02T08:45:04Z DEBUG stderr= 2018-09-02T08:45:06Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_READING_KEYINFO', variant_level=1) 2018-09-02T08:45:11Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:45:16Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:45:21Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:45:26Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:45:31Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:45:37Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:45:42Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) [...] 2018-09-02T08:49:43Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:49:48Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:49:53Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:49:58Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:50:03Z DEBUG certmonger request is in state dbus.String('NEWLY_ADDED_NEED_KEYINFO_READ_PIN', variant_level=1) 2018-09-02T08:50:10Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 605, in start_creation run_step(full_msg, method) File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 591, in run_step method() File "/usr/lib/python3.7/site-packages/ipaserver/install/dsinstance.py", line 856, in __enable_ssl resubmit_timeout=api.env.replication_wait_timeout File "/usr/lib/python3.7/site-packages/ipalib/install/certmonger.py", line 329, in request_and_wait_for_cert state = wait_for_request(req_id, api.env.replication_wait_timeout) File "/usr/lib/python3.7/site-packages/ipalib/install/certmonger.py", line 706, in wait_for_request raise RuntimeError("request timed out") RuntimeError: request timed out 2018-09-02T08:50:10Z DEBUG [error] RuntimeError: request timed out 2018-09-02T08:50:10Z DEBUG File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute return_value = self.run() File "/usr/lib/python3.7/site-packages/ipapython/install/cli.py", line 347, in run return cfgr.run() File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 360, in run return self.execute() File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 386, in execute for rval in self._executor(): File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 655, in _configure next(executor) File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner exc_handler(exc_info) File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner step() File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise raise value File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python3.7/site-packages/ipapython/install/common.py", line 65, in _install for unused in self._installer(self.parent): File "/usr/lib/python3.7/site-packages/ipaserver/install/server/__init__.py", line 602, in main master_install(self) File "/usr/lib/python3.7/site-packages/ipaserver/install/server/install.py", line 253, in decorated func(installer) File "/usr/lib/python3.7/site-packages/ipaserver/install/server/install.py", line 860, in install ds.enable_ssl() File "/usr/lib/python3.7/site-packages/ipaserver/install/dsinstance.py", line 358, in enable_ssl self.start_creation() File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 605, in start_creation run_step(full_msg, method) File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 591, in run_step method() File "/usr/lib/python3.7/site-packages/ipaserver/install/dsinstance.py", line 856, in __enable_ssl resubmit_timeout=api.env.replication_wait_timeout File "/usr/lib/python3.7/site-packages/ipalib/install/certmonger.py", line 329, in request_and_wait_for_cert state = wait_for_request(req_id, api.env.replication_wait_timeout) File "/usr/lib/python3.7/site-packages/ipalib/install/certmonger.py", line 706, in wait_for_request raise RuntimeError("request timed out") 2018-09-02T08:50:10Z DEBUG The ipa-server-install command failed, exception: RuntimeError: request timed out 2018-09-02T08:50:10Z ERROR request timed out 2018-09-02T08:50:10Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
NSS crypto policy was updated to add p11-kit-proxy which makes visible additional tokens which certmonger does not currently handle properly. I'm working on it. *** This bug has been marked as a duplicate of bug 1619573 ***