Bug 2016164

| Field | Value |
|---|---|
| Summary | IdM Install fails on RHEL 8.5 Beta when DISA STIG is applied |
| Product | Red Hat Enterprise Linux 8 |
| Component | pki-core |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | urgent |
| Version | 8.5 |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Reporter | Mike Ralph <mralph> |
| Assignee | Marco Fargetta <mfargett> |
| QA Contact | idm-cs-qe-bugs |
| Docs Contact | Florian Delehaye <fdelehay> |
| CC | afarley, cfu, ckelley, czinda, fdelehay, jmagne, mfargett, mharmsen, msauton, myusuf, pcech, rcritten, richard.wiggins.ctr, skhandel, ssidhaye, sumenon, tscherf |
| Keywords | Triaged |
| Flags | pm-rhel: mirror+ |
| Fixed In Version | pki-core-10.6-8080020230203154518.c5b4fe3c |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2023-05-16 08:36:02 UTC |
Can you also attach /var/log/pki/pki-tomcat/ca/debug?

And the output of journalctl -u pki-tomcatd@pki-tomcat

(In reply to Rob Crittenden from comment #1)
> Can you also attach /var/log/pki/pki-tomcat/ca/debug?
>
> And the output of journalctl -u pki-tomcatd@pki-tomcat

```
# journalctl -u pki-tomcatd@pki-tomcat
-- Logs begin at Thu 2021-10-21 08:37:46 EDT, end at Thu 2021-10-21 08:46:34 EDT. --
Oct 21 08:43:43 idms.beta.example.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 21 08:43:45 idms.beta.example.com java[2471]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Oct 21 08:43:47 idms.beta.example.com pki-server[2465]: ProviderException: Initialization failed
Oct 21 08:43:47 idms.beta.example.com systemd[1]: pki-tomcatd: Control process exited, code=exited status=255
Oct 21 08:43:47 idms.beta.example.com systemd[1]: pki-tomcatd: Failed with result 'exit-code'.
Oct 21 08:43:47 idms.beta.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
```

The only things that are in /var/log/pki/pki-tomcat/ca/ are the archive and signedAudit directories.

I have tried this with just FIPS enabled, no STIG, and it still fails.

```
# journalctl -u pki-tomcatd@pki-tomcat
-- Logs begin at Thu 2021-10-21 09:39:05 EDT, end at Thu 2021-10-21 09:49:14 EDT. --
Oct 21 09:47:06 idm.beta.example.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 21 09:47:08 idm.beta.example.com java[2371]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Oct 21 09:47:09 idm.beta.example.com pki-server[2367]: ProviderException: Initialization failed
Oct 21 09:47:09 idm.beta.example.com systemd[1]: pki-tomcatd: Control process exited, code=exited status=255
Oct 21 09:47:09 idm.beta.example.com systemd[1]: pki-tomcatd: Failed with result 'exit-code'.
Oct 21 09:47:09 idm.beta.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
```
There is still no debug file in /var/log/pki/pki-tomcat/ca/ and only the same two directories as above.

Re-assigning product since it is the CA that is failing to start.

Here is where it fails when I have the -d option with ipa-server-install:
```
INFO: Creating /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
INFO: Starting PKI server
DEBUG: Command: systemctl start pki-tomcatd
Job for pki-tomcatd failed because the control process exited with error code.
See "systemctl status pki-tomcatd" and "journalctl -xe" for details.
CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd']' returned non-zero exit status 1.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 702, in spawn
    timeout=deployer.request_timeout)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 335, in start
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 629, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 213, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 567, in handle_setup_error
    ) from None
RuntimeError: CA configuration failed.
  [error] RuntimeError: CA configuration failed.
  [error] RuntimeError: CA configuration failed.
Removing /root/.dogtag/pki-tomcat/ca
  File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 575, in main
    master_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 275, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 909, in install
    ca.install_step_0(False, None, options, custodia=custodia)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
    pki_config_override=options.pki_config_override,
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 503, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 629, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 213, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 567, in handle_setup_error
    ) from None
The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
CA configuration failed.
```
Hello,

11/24/2021 -

We are having the same issue with running either ipa-server-install or ipa-replica-install on RHEL 8.5 ipa-server 4.9.6 when selecting the DISA STIG security profile.

11/25/2021 -

Today I ran a lab running either ipa-server-install or ipa-replica-install on multiple VMs with different configurations.

The ipa-server-install or ipa-replica-install fails at -

```
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
```

- when FIPS mode is not enabled, but DISA STIG is selected under Security Profile.
- when FIPS mode is enabled and DISA STIG is selected under Security Profile.

-----------------------------------------------------------------------------------------------------

The installation succeeds if:

- FIPS mode is not enabled and DISA STIG is not selected under Security Profile.
- FIPS mode is enabled and DISA STIG is not selected under Security Profile.

A review of /var/log/pki/pki-tomcat/ca/debug.2021-11-24.log has repeated instances of

```
java.security.AccessControlException: access denied: ("java.io.FilePermission" "/var/run/pki/tomcat/pki-tomcat.pid" "read")
```

Hope this helps some. We are in an "air-gapped" network so I cannot export the logs; the ipaserver-install.log and ipareplica-install.log do not contain failures, so I reviewed the debug log to find it full of the errors listed above.

Thank you,
Rick
To get this installed I had to downgrade the three openjdk packages. They are currently at:

```
java-1.8.0-openjdk.x86_64          1:1.8.0.302.b08-0.el8_4
java-1.8.0-openjdk-devel.x86_64    1:1.8.0.302.b08-0.el8_4
java-1.8.0-openjdk-headless.x86_64 1:1.8.0.302.b08-0.el8_4
```

The same three packages were originally at 1:1.8.0.312.b07-1.el8_4 when IdM failed to install.

I had attempted this previously, rolling it back several versions; this did not work in any of the instances I tested it in with the above conditions, either applying the DISA STIG profile at install OR applying it after installation with openscap --remediate.

(In reply to Zachary Thompson from comment #12)
> I had attempted this previously rolling it back several versions, this did
> not work in any of the instances I tested it in with the above conditions,
> either applying DISA STIG profile at install OR applying it after
> installation with openscap --remediate.

My testing was done with DISA STIG applied at install and downgrading openjdk once from the current release.

*** Bug 2168264 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (pki-core:10.6 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2826

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.
Created attachment 1835336: ipaserver-install log

Description of problem:

- IdM fails to install on RHEL 8.5 BETA when DISA STIG is applied.

```
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
```

Version-Release number of selected component (if applicable):

- RHEL 8.5 BETA

How reproducible:

- Always

Steps to Reproduce:

1. Install RHEL 8.5 BETA
2. Run "ipa-server-install --mkhomedir --setup-dns --no-forwarders --reverse-zone=110.168.192.in-addr.arpa --no-dnssec-validation --allow-zone-overlap --setup-adtrust --netbios-name=BETA --setup-kra"

Actual results:

- Install fails during "Configuring certificate server (pki-tomcatd)" phase.

Expected results:

- Install succeeds.

Additional info:

- attached ipaserver-install.log
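As an added triage aid that is not part of this bug report, of IdM, or of pki-core: the thread quotes two distinct failure signatures, the generic `ProviderException: Initialization failed` in the pki-tomcatd journal and the Java security-manager denial `java.security.AccessControlException ... java.io.FilePermission ... pki-tomcat.pid ... read` in the CA debug log. The POSIX shell helper below scans a saved journal excerpt or debug log for those signatures and reports which one it finds, checking the more specific pid-file denial first, and reports the opencryptoki lock warning separately because the thread shows it next to the failure but never establishes it as the cause. The function names and the embedded sample log lines are constructed for this example (hostnames are placeholders) and are not copied from the attachments.

```shell
#!/bin/sh
# Added triage helper for the failure mode in bug 2016164. Not part of the bug
# report, IdM, or pki-core; it only classifies log text by the signatures the
# thread quotes. Sample lines below are constructed, not real captured logs.

# Print one token naming the first known signature found in log file $1.
# Order matters: the AccessControlException on the pid file is the more
# specific symptom, so it is checked before the generic provider / unit lines.
classify_pki_start_failure() {
    log="$1"
    if grep -q 'AccessControlException: access denied.*java.io.FilePermission.*pki-tomcat.pid.*read' "$log"; then
        echo "security-manager-denied-pidfile-read"
    elif grep -q 'ProviderException: Initialization failed' "$log"; then
        echo "provider-init-failed"
    elif grep -q 'Failed to start PKI Tomcat Server' "$log"; then
        echo "pki-tomcat-start-failed-no-known-cause"
    else
        echo "no-known-signature"
    fi
}

# Exit 0 if the opencryptoki lock warning appears in $1. Reported on its own:
# the thread shows it beside the failure but does not establish it as the cause.
has_opencryptoki_lock_warning() {
    grep -q 'Could not open /run/lock/opencryptoki/LCK..APIlock' "$1"
}

# Constructed sample in the shape of the journalctl excerpt from the report.
SAMPLE_JOURNAL=$(mktemp)
cat > "$SAMPLE_JOURNAL" <<'EOF'
Oct 21 08:43:43 idm.example.test systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 21 08:43:45 idm.example.test java[2471]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Oct 21 08:43:47 idm.example.test pki-server[2465]: ProviderException: Initialization failed
Oct 21 08:43:47 idm.example.test systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
EOF

# Constructed sample in the shape of the CA debug log line from the later comment.
SAMPLE_DEBUG=$(mktemp)
cat > "$SAMPLE_DEBUG" <<'EOF'
java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/run/pki/tomcat/pki-tomcat.pid" "read")
EOF

trap 'rm -f "$SAMPLE_JOURNAL" "$SAMPLE_DEBUG"' EXIT

echo "journal: $(classify_pki_start_failure "$SAMPLE_JOURNAL")"
echo "debug:   $(classify_pki_start_failure "$SAMPLE_DEBUG")"
if has_opencryptoki_lock_warning "$SAMPLE_JOURNAL"; then
    echo "note: opencryptoki lock warning present (not shown to be the cause)"
fi
```

On a real host, point `classify_pki_start_failure` at the output of `journalctl -u pki-tomcatd@pki-tomcat` saved to a file, or at `/var/log/pki/pki-tomcat/ca/debug.<date>.log` when one exists; the thread notes that the debug file is not always written, which is why the journal check is kept as a fallback.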