Bug 2034571 - pkispawn fails in interactive mode
Summary: pkispawn fails in interactive mode
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Certificate System
Classification: Red Hat
Component: pki-core
Version: 10.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: certsys-10.4
Assignee: Chris Kelley
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-12-21 10:48 UTC by Aleksandr Sharov
Modified: 2022-05-31 13:44 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-31 13:44:26 UTC
Target Upstream Version:
Embargoed:


Links
System                | ID        | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHCS-2999 | 0       | None     | None   | None    | 2022-05-24 16:31:41 UTC

Description Aleksandr Sharov 2021-12-21 10:48:22 UTC
Description of problem:

pkispawn fails on clean installation:

[root@ca pki]# pkispawn -s CA

IMPORTANT:

    Interactive installation currently only exists for very basic deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate
    configuration file.

    Run 'man pkispawn' for details.

Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [caadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 

Directory Server:
  Hostname [ca.local]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? Yes
  Secure LDAPS Port [636]: 
  Directory Server CA certificate pem file: /etc/dirsrv/slapd-ca/ca.crt
  Bind DN [cn=Directory Manager]: 
  Password: 
  Base DN [o=pki-tomcat-CA]: 
  Base DN already exists. Overwrite (Yes/No/Quit)? Yes

Security Domain:
  Name [local Security Domain]: 

Begin installation (Yes/No/Quit)? yes

Installation log: /var/log/pki/pki-ca-spawn.20211221113549.log
Installing CA into /var/lib/pki/pki-tomcat.
Notice: Trust flag u is set automatically if the private key is present.
Job for pki-tomcatd failed because the control process exited with error code.
See "systemctl status pki-tomcatd" and "journalctl -xe" for details.
ERROR: CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd']' returned non-zero exit status 1.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 956, in spawn
    instance.start()
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 263, in start
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)


Installation failed: Command failed: systemctl start pki-tomcatd

Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20211221113549.log

[root@ca pki]# cat /var/log/pki/pki-ca-spawn.20211221113549.log
2021-12-21 11:36:49 ERROR: CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd']' returned non-zero exit status 1.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 956, in spawn
    instance.start()
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 263, in start
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)



Version-Release number of selected component (if applicable):
[root@ca ~]# cat /usr/share/pki/CS_SERVER_VERSION
Red Hat Certificate System 10.2
[root@ca ~]# dnf install pki-ca | grep pki-ca
Package pki-ca-10.10.5-3.module+el8pki+11223+7a85b62e.noarch is already installed.
[root@ca ~]# cat  /etc/pki/pki.version 
Configuration-Version: 10.10.5
[root@ca pki]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.5 (Ootpa)
[root@ca pki]# fips-mode-setup --check
FIPS mode is enabled.

How reproducible:
100%

Steps to Reproduce:
1. install DS, create instance, check ldaps connectivity
2. install redhat-pki module as described in 10.2 release notes, otherwise you get conflicts
3. Run pkispawn -s CA

Actual results:
Service fails:
-- Unit pki-tomcatd has begun starting up.
Dec 21 11:36:49 ca.local pki-server[42247]: ProviderException: Initialization failed
Dec 21 11:36:49 ca.local systemd[1]: pki-tomcatd: Control process exited, code=exited status=255
Dec 21 11:36:49 ca.local systemd[1]: pki-tomcatd: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd


Expected results:
service starts as expected, pkispawn is successful

Additional info:
sosreport will be attached
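
The interactive answers from the description, written as a pkispawn deployment configuration file so the same installation can be repeated non-interactively with `pkispawn -s CA -f ca.cfg`. This is an added example and not part of the original report: the file name `ca.cfg` and the password placeholders are assumptions, and the parameter names are the ones documented in the pkispawn and pki_default.cfg man pages.

```ini
# ca.cfg - added example, not taken from the bug report.
# Values mirror the interactive session in the description;
# every password below is a placeholder to be replaced.

[DEFAULT]
# Tomcat instance and ports (the defaults accepted at the prompts)
pki_instance_name=pki-tomcat
pki_http_port=8080
pki_https_port=8443
pki_ajp_port=8009
pki_tomcat_server_port=8005

# Administrator credentials
pki_admin_password=<ADMIN_PASSWORD_PLACEHOLDER>
pki_client_pkcs12_password=<PKCS12_PASSWORD_PLACEHOLDER>

# Directory Server over LDAPS, trusting the DS CA certificate
pki_ds_hostname=ca.local
pki_ds_secure_connection=True
pki_ds_ldaps_port=636
pki_ds_secure_connection_ca_pem_file=/etc/dirsrv/slapd-ca/ca.crt
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=<DS_PASSWORD_PLACEHOLDER>

# "Base DN already exists. Overwrite? Yes"
pki_ds_remove_data=True

# Security domain
pki_security_domain_name=local Security Domain

[CA]
pki_admin_uid=caadmin
pki_ds_base_dn=o=pki-tomcat-CA
```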

Comment 14 Petr Čech 2022-05-31 13:44:26 UTC
Chris demonstrated in a RHEL 8.5 VM with RHCS 10.3 that this is working.
So, closing this bug.

