Bug 1667434 - pki spawn fails for IPA replica install from RHEL6 IPA master
Summary: pki spawn fails for IPA replica install from RHEL6 IPA master
Status: CLOSED DUPLICATE of bug 1650155
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
Depends On:
Blocks: 1672180
Reported: 2019-01-18 13:31 UTC by Kaleem
Modified: 2019-03-11 23:36 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Installing an IdM replica on RHEL 7.6 fails if the IdM master runs on RHEL 6

With the update of the pki-core package provided by the RHBA-2019:XXXX advisory, certain ciphers are no longer enabled by default in the Identity Management (IdM) Certificate Authority (CA). As a consequence, setting up an IdM server with integrated CA on RHEL 7.6 as a replica of a master running on RHEL 6 fails with a "CRITICAL Failed to configure CA instance" error. To work around the problem, append the following entry to the end of the NSSCipherSuite parameter in the /etc/httpd/conf.d/nss.conf file:

+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha

As a result, the IdM installation on RHEL 7.6 no longer fails. Note that installing a CA-less IdM replica on RHEL 7.6 works as expected even without this workaround.
Clone Of:
: 1672180
Last Closed: 2019-03-11 23:36:23 UTC
Target Upstream Version:
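
One way to apply the Doc Text workaround idempotently, as an added example that is not part of this bug report or of pki-core or IdM. The function name `ensure_nss_ciphers`, the `.bak` backup suffix and the exit codes are assumptions; the file path, directive and cipher entries are the ones the Doc Text names.

```bash
#!/bin/bash
# Added example, not from the bug report: append the two cipher entries named
# in the Doc Text to every active NSSCipherSuite line, once, keeping a backup.
# ensure_nss_ciphers, the .bak suffix and the exit codes are assumptions.

REQUIRED="+ecdhe_rsa_aes_128_sha +ecdhe_rsa_aes_256_sha"

ensure_nss_ciphers() {
    conf="${1:-/etc/httpd/conf.d/nss.conf}"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Only an uncommented directive counts; "#NSSCipherSuite ..." is skipped.
    if ! grep -Eq '^[[:space:]]*NSSCipherSuite[[:space:]]+[^[:space:]]' "$conf"; then
        echo "no active NSSCipherSuite directive in $conf" >&2
        return 3
    fi

    tmp="$(mktemp)" || return 4
    awk -v required="$REQUIRED" '
        /^[ \t]*NSSCipherSuite[ \t]+[^ \t]/ {
            sub(/[ \t]+$/, "")                 # drop trailing whitespace
            list = $0                          # cipher list without the keyword
            sub(/^[ \t]*NSSCipherSuite[ \t]+/, "", list)
            gsub(/[ \t]/, "", list)
            n = split(required, want, " ")
            for (i = 1; i <= n; i++) {
                # compare whole comma-delimited entries, not substrings
                if (index("," list ",", "," want[i] ",") == 0) {
                    $0 = $0 "," want[i]
                    list = list "," want[i]
                }
            }
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 4; }

    rc=0
    if ! cmp -s "$conf" "$tmp"; then
        # Changed: keep the original, then rewrite in place so the file
        # keeps its owner, mode and SELinux context.
        cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf" || rc=4
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Called with no argument the function edits /etc/httpd/conf.d/nss.conf; httpd reads that file at startup, so restart the service afterwards.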

Attachments
pki spawn log file (153.85 KB, text/plain)
2019-01-18 13:31 UTC, Kaleem
ipa replica install log file (190.15 KB, text/plain)
2019-01-18 13:32 UTC, Kaleem

Description Kaleem 2019-01-18 13:31:43 UTC
Created attachment 1521546
pki spawn log file

Description of problem:
pki instance creation fails during replica install on RHEL-7.6 master from RHEL6.10 master.

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp8tf06l' returned non-zero exit status 1
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    CA configuration failed.
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install IPA master on RHEL-6.10
2. Copy copy-schema-to-ca.py from 7.6 replica on Master and execute it
3. Generate replica gpg file on RHEL-6.10 master
4. Install replica on 7.6 replica with --setup-ca option

Actual results:
Replica install fails

Expected results:
Replica install should be successful

Additional info:
1. Replica install without --setup-ca option is successful
2. log files of pki instance are attached.

Comment 3 Kaleem 2019-01-18 13:32:39 UTC
Created attachment 1521547
ipa replica install log file
