Bug 1795215 - pkispawn interactive installation failed.
Summary: pkispawn interactive installation failed.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.2
Hardware: All
OS: All
urgent
urgent
Target Milestone: rc
: 8.0
Assignee: Alex Scheel
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-01-27 13:10 UTC by Gaurav Swami
Modified: 2023-04-29 09:43 UTC
CC: 7 users

Fixed In Version: pki-core-10.6-8020020200219144652.c7c3114f
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 15:45:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
  Red Hat Issue Tracker RHELPLAN-37538 (last updated 2023-04-29 09:43:21 UTC)
  Red Hat Product Errata RHSA-2020:1644 (last updated 2020-04-28 15:46:04 UTC)

Description Gaurav Swami 2020-01-27 13:10:00 UTC
Description of problem:

pkispawn interactive installation failed.

Version-Release number of selected component (if applicable):

Name        : pki-ca
Version     : 10.8.0
Release     : 0.5.module+el8.2.0+5469+26e16009
Architecture: noarch
Install Date: Mon 27 Jan 2020 03:25:55 AM EST
Group       : Unspecified
Size        : 2466757
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Thu 16 Jan 2020 07:32:15 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.8.0-0.5.module+el8.2.0+5469+26e16009.src.rpm
Build Date  : Thu 16 Jan 2020 05:44:55 PM EST
Build Host  : arm64-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/
Summary     : PKI CA Package



How reproducible:


Steps to Reproduce:
1. Install DS instance

2. Install CA instance with pkispawn interactive mode.

3.

Actual results:

-----------------
Directory Server:
  Hostname [hpe-dl380pgen8-02-vm-5.hpe2.lab.eng.bos.redhat.com]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? Yes
  Secure LDAPS Port [636]: 
  Directory Server CA certificate pem file: /root/sign.crt
  Bind DN [cn=Directory Manager]: 
  Password: 
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 69, in verify_ds_configuration
    deployer.ds_connect()
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 214, in ds_connect
    self.ds_connection = ldap.initialize(self.ds_url)
  File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 85, in initialize
    return LDAPObject(uri,trace_level,trace_file,trace_stack_limit,bytes_mode)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 104, in __init__
    self._l = ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
  File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 55, in _ldap_function_call
    result = func(*args,**kwargs)
TypeError: initialize() argument 1 must be str, not None

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 939, in <module>
    main(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 335, in main
    verify_ds_configuration()
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 73, in verify_ds_configuration
    deployer.ds_close()
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 227, in ds_close
    self.ds_connection.unbind_s()
AttributeError: 'NoneType' object has no attribute 'unbind_s'
-----------------


Expected results:

CA instance installation should succeed.

Additional info:

CA installation with configuration file works, but interactive installation fails.

Comment 1 Pritam Singh 2020-01-28 08:03:53 UTC
Also failing with KRA installation in interactive mode:


Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: 

Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [caadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 

Directory Server:
  Hostname [pki2.example.com]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? Y
  Secure LDAPS Port [636]: 
  Directory Server CA certificate pem file: ds.crt
  Bind DN [cn=Directory Manager]: 
  Password: 
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 69, in verify_ds_configuration
    deployer.ds_connect()
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 214, in ds_connect
    self.ds_connection = ldap.initialize(self.ds_url)
  File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 85, in initialize
    return LDAPObject(uri,trace_level,trace_file,trace_stack_limit,bytes_mode)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 104, in __init__
    self._l = ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
  File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 55, in _ldap_function_call
    result = func(*args,**kwargs)
TypeError: initialize() argument 1 must be str, not None

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 939, in <module>
    main(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 335, in main
    verify_ds_configuration()
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 73, in verify_ds_configuration
    deployer.ds_close()
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 227, in ds_close
    self.ds_connection.unbind_s()
AttributeError: 'NoneType' object has no attribute 'unbind_s'

Version:

[root@pki2 test_dir]# rpm -qi pki-kra
Name        : pki-kra
Version     : 10.8.0
Release     : 0.5.module+el8.2.0+5469+26e16009
Architecture: noarch
Install Date: Tue 21 Jan 2020 03:03:29 AM EST
Group       : Unspecified
Size        : 536414
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Thu 16 Jan 2020 07:32:15 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.8.0-0.5.module+el8.2.0+5469+26e16009.src.rpm
Build Date  : Thu 16 Jan 2020 05:44:55 PM EST
Build Host  : arm64-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/
Summary     : PKI KRA Package

Comment 3 Geetika Kapoor 2020-02-18 08:57:29 UTC
The code is not getting the server URL for ds_connect. This looks to be an urgent bug, so I am raising the priority so that it can be triaged.

Comment 4 Dinesh Prasanth 2020-02-18 18:32:17 UTC
This bug has been fixed via the following PRs, which have been merged to upstream master (10.8):

https://github.com/dogtagpki/pki/pull/321
https://github.com/dogtagpki/pki/pull/322

Commit Information:
===================

commit afb708ff5e5fc7402f41170748a0214009821065 (HEAD -> master, origin/master, origin/HEAD)
Author: Dinesh Prasanth M K <SilleBille.github.com>
Date:   Tue Feb 18 13:28:13 2020 -0500

    Fix interactive installation for subsystems other than CA (#322)
    
    When doing an interactive installation, the pkispawn script tries
    to connect to Security Domain via `sd_connect` and attaches user
    credentials. At this point, the user has not been prompted for any
    credentials. So, the authentication happens with empty strings. As
    a result the interactive installation fails.
    
    This was not observed in non-interactive installation because all the info
    is provided via cfg file and is available in the dictionary at the time
    of execution.
    
    This patch moves the authentication logic from `sd_connect()`
    to `sd_login()` (ie) authenticate before trying to log in
    
    The bug was introduced in commit: 08ea62892a894553d8ceae200618c6fa8d7f0585
    
    Resolves: BZ#1795215
    
    Signed-off-by: Dinesh Prasanth M K <dmoluguw>

commit 6e1779da72586af627a6c14403342e2bc7d64fda
Author: Alexander Scheel <ascheel>
Date:   Tue Feb 18 09:44:51 2020 -0500

    Fix interactive DS configuration
    
    In f218c64bec0ccfe754a42bdcd46c7c2cfc09bc77, PKIDeployer configuration
    was refactored. This included placing most of the DS specific init logic
    into a separate PKIDeployer.init() call. However, this wasn't issued
    until much later in the PKI Spawn process. During interactive
    installations, the user would be prompted for DS connection information,
    which would subsequently be verified. However, since PKIDeployer.init()
    hadn't yet been called, ds_url was None, resulting in a connection
    failure:
    
        Traceback (most recent call last):
          File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 69, in verify_ds_configuration
            deployer.ds_connect()
          File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 214, in ds_connect
            self.ds_connection = ldap.initialize(self.ds_url)
          File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 85, in initialize
            return LDAPObject(uri,trace_level,trace_file,trace_stack_limit,bytes_mode)
          File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 104, in __init__
            self._l = ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
          File "/usr/lib64/python3.6/site-packages/ldap/functions.py", line 55, in _ldap_function_call
            result = func(*args,**kwargs)
        TypeError: initialize() argument 1 must be str, not None
    
    Move DS configuration out of init() and into ds_init(); make
    ds_connect() call ds_init() when ds_url is None, and call ds_init() from
    init(). PKI Spawn has been updated to call ds_init() when necessary, and
    also to reset ds_url to None when validation fails, forcing ds_init() to
    be called again.

    Resolves: rh-bz#1795215
    
    Signed-off-by: Alexander Scheel <ascheel>


Test Procedure:
===============
Interactive installation of all subsystems as mentioned by OP
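The two commit messages above describe an ordering bug (ds_url is derived in init(), which the interactive flow reached only after the DS prompts had been verified) and explain why the report shows two chained tracebacks: ds_close() runs from a finally block, dereferences the connection that was never created, and its AttributeError masks the original TypeError. The following Python model is added here as an illustration and is not code from Dogtag PKI. It reproduces both behaviours and the shape of the fix: ds_init() called lazily from ds_connect(), a ds_close() that tolerates a missing connection, and resetting ds_url to None so corrected prompt answers are re-derived. ldap_initialize and FakeLDAPConnection are stand-ins for python-ldap, and the mdict keys hostname, port and secure are placeholders rather than pkispawn's real configuration keys.

```python
"""Constructed model of the pkispawn ordering bug in BZ#1795215 and of the
ds_init() fix; illustration only, not Dogtag PKI's own code."""
from typing import Dict, Optional


class FakeLDAPConnection:
    """Stand-in for python-ldap's LDAPObject (constructed for this example)."""

    def __init__(self, uri: str) -> None:
        self.uri = uri
        self.unbound = False

    def unbind_s(self) -> None:
        self.unbound = True


def ldap_initialize(uri: Optional[str]) -> FakeLDAPConnection:
    """Mimics ldap.initialize(): the URI must be a str, so None is a TypeError."""
    if not isinstance(uri, str):
        raise TypeError(
            "initialize() argument 1 must be str, not %s" % type(uri).__name__)
    return FakeLDAPConnection(uri)


def build_ds_url(mdict: Dict[str, str]) -> str:
    """Derive the DS URL from prompted values (placeholder key names)."""
    scheme = "ldaps" if mdict["secure"] == "True" else "ldap"
    return "%s://%s:%s" % (scheme, mdict["hostname"], mdict["port"])


class BrokenDeployer:
    """Pre-fix shape: ds_url is set only by init(), which the spawn flow
    called after the interactive DS prompts had already been verified."""

    def __init__(self, mdict: Dict[str, str]) -> None:
        self.mdict = mdict
        self.ds_url: Optional[str] = None
        self.ds_connection: Optional[FakeLDAPConnection] = None

    def init(self) -> None:
        self.ds_url = build_ds_url(self.mdict)

    def ds_connect(self) -> None:
        # TypeError when init() has not run yet (the first traceback).
        self.ds_connection = ldap_initialize(self.ds_url)

    def ds_close(self) -> None:
        # AttributeError on a None connection; raised from the finally block
        # it masks the TypeError above (the second, chained traceback).
        self.ds_connection.unbind_s()


class FixedDeployer(BrokenDeployer):
    """Post-fix shape: DS setup lives in ds_init(), ds_connect() calls it
    lazily when ds_url is None, and ds_close() tolerates no connection."""

    def ds_init(self) -> None:
        self.ds_url = build_ds_url(self.mdict)

    def init(self) -> None:
        self.ds_init()

    def ds_connect(self) -> None:
        if self.ds_url is None:
            self.ds_init()
        self.ds_connection = ldap_initialize(self.ds_url)

    def ds_close(self) -> None:
        if self.ds_connection is not None:
            self.ds_connection.unbind_s()
            self.ds_connection = None


def verify_ds_configuration(deployer: BrokenDeployer) -> Optional[str]:
    """Connect, then always close, like pkispawn's verify step.
    Returns None on success, otherwise the name of the exception that escaped."""
    try:
        try:
            deployer.ds_connect()
        finally:
            deployer.ds_close()
    except Exception as exc:
        return type(exc).__name__
    return None


def reprompt(deployer: BrokenDeployer, answers: Dict[str, str]) -> None:
    """Apply corrected prompt answers after a failed verification and drop the
    stale URL so the next ds_connect() re-derives it from the new values."""
    deployer.mdict.update(answers)
    deployer.ds_url = None


if __name__ == "__main__":
    prompts = {"hostname": "ds.example.test", "port": "636", "secure": "True"}
    print("before fix:", verify_ds_configuration(BrokenDeployer(dict(prompts))))
    fixed = FixedDeployer(dict(prompts))
    print("after fix: ", verify_ds_configuration(fixed), fixed.ds_url)
```

Running the module prints the escaped exception name for the pre-fix flow (AttributeError, not the TypeError that actually caused the failure) and a clean result with the derived ldaps URL for the fixed flow. The None guard in ds_close() is the part worth copying into any verify-then-cleanup routine: a cleanup step that can itself raise turns the root-cause error into the second half of a chained traceback, which is exactly what made this report harder to read.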

Comment 5 Alex Scheel 2020-02-19 17:24:26 UTC
Checked in to dist-git.

Comment 9 Gaurav Swami 2020-02-20 13:15:11 UTC
Tested Version:

-------------------------------
[root@pki1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.8.2
Release     : 2.module+el8.2.0+5796+110ac6eb
Architecture: noarch
Install Date: Thu 20 Feb 2020 08:02:48 AM EST
Group       : Unspecified
Size        : 2641321
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Wed 19 Feb 2020 12:25:46 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.8.2-2.module+el8.2.0+5796+110ac6eb.src.rpm
Build Date  : Wed 19 Feb 2020 11:18:08 AM EST
Build Host  : arm64-026.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/

------------------------------------


Case 1:
==========

------------------------
[root@pki1 ~]# pkispawn 

IMPORTANT:

    Interactive installation currently only exists for very basic deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate
    configuration file.

    Run 'man pkispawn' for details.

Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: 

Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [caadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 

Directory Server:
  Hostname [pki1.example.com]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 
  Base DN [o=pki-tomcat-CA]: 

Security Domain:
  Name [example.com Security Domain]: 

Begin installation (Yes/No/Quit)? Yes

Installation log: /var/log/pki/pki-ca-spawn.20200220080552.log
Installing CA into /var/lib/pki/pki-tomcat.
Notice: Trust flag u is set automatically if the private key is present.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd

      To restart the subsystem:
            systemctl restart pki-tomcatd

      The URL for the subsystem is:
            https://pki1.example.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

[root@pki1 ~]# 
------------------------



-------------------------
[root@pki1 ~]# pki-server status pki-tomcat
  Instance ID: pki-tomcat
  Active: True
  Unsecure Port: 8080
  Secure Port: 8443
  Tomcat Port: 8005

  CA Subsystem:
    Type:                Root CA (Security Domain)
    SD Registration URL: https://pki1.example.com:8443
    Enabled:             True
    Unsecure URL:        http://pki1.example.com:8080/ca/ee/ca
    Secure Agent URL:    https://pki1.example.com:8443/ca/agent/ca
    Secure EE URL:       https://pki1.example.com:8443/ca/ee/ca
    Secure Admin URL:    https://pki1.example.com:8443/ca/services
    PKI Console URL:     https://pki1.example.com:8443/ca
[root@pki1 ~]# 
------------------------

As observed in the POC, the fix is working as expected.
Hence, marking this Bugzilla as verified.

Comment 11 errata-xmlrpc 2020-04-28 15:45:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1644

