Description of problem:
pkispawn fails on clean installation:

[root@ca pki]# pkispawn -s CA
IMPORTANT:

    Interactive installation currently only exists for very basic deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate
    configuration file.

    Run 'man pkispawn' for details.

Tomcat:
  Instance [pki-tomcat]:
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:

Administrator:
  Username [caadmin]:
  Password:
  Verify password:
  Import certificate (Yes/No) [N]?
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:

Directory Server:
  Hostname [ca.local]:
  Use a secure LDAPS connection (Yes/No/Quit) [N]? Yes
  Secure LDAPS Port [636]:
  Directory Server CA certificate pem file: /etc/dirsrv/slapd-ca/ca.crt
  Bind DN [cn=Directory Manager]:
  Password:
  Base DN [o=pki-tomcat-CA]:
  Base DN already exists. Overwrite (Yes/No/Quit)? Yes

Security Domain:
  Name [local Security Domain]:

Begin installation (Yes/No/Quit)? yes

Installation log: /var/log/pki/pki-ca-spawn.20211221113549.log
Installing CA into /var/lib/pki/pki-tomcat.
Notice: Trust flag u is set automatically if the private key is present.
Job for pki-tomcatd failed because the control process exited with error code.
See "systemctl status pki-tomcatd" and "journalctl -xe" for details.
ERROR: CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd']' returned non-zero exit status 1.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 956, in spawn
    instance.start()
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 263, in start
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)

Installation failed: Command failed: systemctl start pki-tomcatd

Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20211221113549.log

[root@ca pki]# cat /var/log/pki/pki-ca-spawn.20211221113549.log
2021-12-21 11:36:49 ERROR: CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd']' returned non-zero exit status 1.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 956, in spawn
    instance.start()
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 263, in start
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)

Version-Release number of selected component (if applicable):

[root@ca ~]# cat /usr/share/pki/CS_SERVER_VERSION
Red Hat Certificate System 10.2
[root@ca ~]# dnf install pki-ca | grep pki-ca
Package pki-ca-10.10.5-3.module+el8pki+11223+7a85b62e.noarch is already installed.
[root@ca ~]# cat /etc/pki/pki.version
Configuration-Version: 10.10.5
root@ca pki]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 (Ootpa)
[root@ca pki]# fips-mode-setup --check
FIPS mode is enabled.

How reproducible:
100%

Steps to Reproduce:
1. install DS, create instance, check ldaps connectivity
2. install redhat-pki module as described in 10.2 release notes, otherwise you get conflicts
3. Run pkispawn -s CA

Actual results:
Service fails:

-- Unit pki-tomcatd has begun starting up.
Dec 21 11:36:49 ca.local pki-server[42247]: ProviderException: Initialization failed
Dec 21 11:36:49 ca.local systemd[1]: pki-tomcatd: Control process exited, code=exited status=255
Dec 21 11:36:49 ca.local systemd[1]: pki-tomcatd: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd

Expected results:
service starts as expected, pkispawn is successful

Additional info:
sosreport will be attached

Chris demonstrated in a RHEL 8.5 VM with RHCS 10.3 that this is working. So, closing this bug.