In Fedora rawhide, python 3.15 was built and many (all) packages shipping python code were rebuilt. Since then, ipa-server-install fails at the

  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
    [1/33]: configuring certificate server instance

step but only when freeipa-healthcheck is also installed.

Reproducible: Always

Steps to Reproduce:
1. Have a fresh VM created from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Cloud/x86_64/images/Fedora-Cloud-Base-Generic-Rawhide-20260607.n.0.x86_64.qcow2
2. dnf install -y --setopt=install_weak_deps=False freeipa-server freeipa-healthcheck
3. Check that you got at least versions freeipa-server-4.13.1-16.fc45.1.x86_64 and freeipa-healthcheck-0.19-7.fc45.noarch, those are packages that seem to have that python 3.15 rebuilds.
4. ipa-server-install -U -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123

Actual Results:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/33]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed.
See /var/log/ipaserver-install.log for more information

/var/log/ipaserver-install.log ends with

DEBUG: Command: pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf nss-cert-export --format PEM caSigningCert cert-pki-ca
DEBUG: stdout: b'-----BEGIN CERTIFICATE-----[...]-----END CERTIFICATE-----\r\n'
DEBUG: stderr: Error in import line from
/usr/lib/python3.15/site-packages/ipahealthcheck-0.19-py3.15-nspkg.pth:
import sys, types, os;p = os.path.join(sys._getframe(1).f_locals['sitedir'], *('ipahealthcheck',));importlib = __import__('importlib.util');__import__('importlib.machinery');m = sys.modules.setdefault('ipahealthcheck', importlib.util.module_from_spec(importlib.machinery.PathFinder.find_spec('ipahealthcheck', [os.path.dirname(p)])));m = m or sys.modules.setdefault('ipahealthcheck', types.ModuleType('ipahealthcheck'));mp = (m or []) and m.__dict__.setdefault('__path__',[]);(p not in mp) and mp.append(p)
Traceback (most recent call last):
  File "<frozen site>", line 533, in _exec_imports
  File "<string>", line 1, in <module>
KeyError: "local variable ''sitedir'' is not defined"
ERROR: Exception: Unable to get certificate caSigningCert cert-pki-ca: Error in import line from /usr/lib/python3.15/site-packages/ipahealthcheck-0.19-py3.15-nspkg.pth:
import sys, types, os;p = os.path.join(sys._getframe(1).f_locals['sitedir'], *('ipahealthcheck',));importlib = __import__('importlib.util');__import__('importlib.machinery');m = sys.modules.setdefault('ipahealthcheck', importlib.util.module_from_spec(importlib.machinery.PathFinder.find_spec('ipahealthcheck', [os.path.dirname(p)])));m = m or sys.modules.setdefault('ipahealthcheck', types.ModuleType('ipahealthcheck'));mp = (m or []) and m.__dict__.setdefault('__path__',[]);(p not in mp) and mp.append(p)
Traceback (most recent call last):
  File "<frozen site>", line 533, in _exec_imports
  File "<string>", line 1, in <module>
KeyError: "local variable ''sitedir'' is not defined"
  File "/usr/lib/python3.15/site-packages/pki/server/pkispawn.py", line 594, in main
    deployer.spawn()
    ~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.15/site-packages/pki/server/deployment/__init__.py", line 5909, in spawn
    scriptlet.spawn(self)
    ~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3.15/site-packages/pki/server/deployment/scriptlets/configuration.py", line 155, in spawn
    deployer.validate_system_certs(subsystem)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/pki/server/deployment/__init__.py", line 2542, in validate_system_certs
    subsystem.validate_system_cert('signing')
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/pki/server/subsystem.py", line 427, in validate_system_cert
    cert = self.get_subsystem_cert(tag)
  File "/usr/lib/python3.15/site-packages/pki/server/subsystem.py", line 385, in get_subsystem_cert
    cert_info = self.get_nssdb_cert_info(tag)
  File "/usr/lib/python3.15/site-packages/pki/server/subsystem.py", line 419, in get_nssdb_cert_info
    return nssdb.get_cert_info(nickname, token=token)
           ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/pki/nssdb.py", line 2114, in get_cert_info
    cert_pem = self.get_cert(nickname=nickname, token=token)
  File "/usr/lib/python3.15/site-packages/pki/nssdb.py", line 2091, in get_cert
    raise Exception('Unable to get certificate %s: %s' % (fullname, stderr.strip()))

2026-06-07T08:44:43Z CRITICAL Failed to configure CA instance
2026-06-07T08:44:43Z CRITICAL See the installation logs and the following files/directories for more information:
2026-06-07T08:44:43Z CRITICAL /var/log/pki/pki-tomcat
2026-06-07T08:44:43Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.15/site-packages/ipaserver/install/service.py", line 688, in start_creation
    run_step(full_msg, method)
    ~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/service.py", line 674, in run_step
    method()
    ~~~~~~^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/cainstance.py", line 700, in __spawn_instance
    DogtagInstance.spawn_instance(
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        self, f.name,
        ^^^^^^^^^^^^^
        nolog_list=nolog_list
        ^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/dogtaginstance.py", line 251, in spawn_instance
    self.handle_setup_error(e)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/dogtaginstance.py", line 668, in handle_setup_error
    raise RuntimeError(
        "%s configuration failed." % self.subsystem
    ) from None
RuntimeError: CA configuration failed.

2026-06-07T08:44:43Z DEBUG [error] RuntimeError: CA configuration failed.
2026-06-07T08:44:43Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2026-06-07T08:44:43Z DEBUG   File "/usr/lib/python3.15/site-packages/ipapython/admintool.py", line 219, in execute
    return_value = self.run()
  File "/usr/lib/python3.15/site-packages/ipapython/install/cli.py", line 343, in run
    return cfgr.run()
           ~~~~~~~~^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
           ~~~~~~~~~~~~^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
                ~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
    ~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
    ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
    ~~~~~~~~~~~^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/six.py", line 724, in reraise
    raise value
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
    ~~~~^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.15/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
    ~~~~~~~~~~~^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/six.py", line 724, in reraise
    raise value
  File "/usr/lib/python3.15/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 663, in _configure
    next(executor)
    ~~~~^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
    ~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
    ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 526, in _handle_exception
    self.__parent._handle_exception(exc_info)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
    ~~~~~~~~~~~^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/six.py", line 724, in reraise
    raise value
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 523, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
    ~~~~~~~~~~~^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/six.py", line 724, in reraise
    raise value
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
    ~~~~^^
  File "/usr/lib/python3.15/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
  File "/usr/lib/python3.15/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
    ~~~~~~~~~~~^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/six.py", line 724, in reraise
    raise value
  File "/usr/lib/python3.15/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.15/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
                  ~~~~~~~~~~~~~~~^^^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/server/__init__.py", line 669, in main
    master_install(self)
    ~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/server/install.py", line 278, in decorated
    func(installer)
    ~~~~^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/server/install.py", line 964, in install
    ca.install_step_0(False, None, options, custodia=custodia)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/ca.py", line 611, in install_step_0
    ca.configure_instance(
    ~~~~~~~~~~~~~~~~~~~~~^
        host_name, dm_password, dm_password,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ...<19 lines>...
        token_password=options.token_password,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
    self.start_creation(runtime=runtime)
    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/service.py", line 688, in start_creation
    run_step(full_msg, method)
    ~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/service.py", line 674, in run_step
    method()
    ~~~~~~^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/cainstance.py", line 700, in __spawn_instance
    DogtagInstance.spawn_instance(
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        self, f.name,
        ^^^^^^^^^^^^^
        nolog_list=nolog_list
        ^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/dogtaginstance.py", line 251, in spawn_instance
    self.handle_setup_error(e)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/lib/python3.15/site-packages/ipaserver/install/dogtaginstance.py", line 668, in handle_setup_error
    raise RuntimeError(
        "%s configuration failed." % self.subsystem
    ) from None

2026-06-07T08:44:43Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2026-06-07T08:44:43Z ERROR CA configuration failed.
2026-06-07T08:44:43Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected Results:

No error.

Additional Information:

Even upon the start of ipa-server-install I see

Error in import line from /usr/lib/python3.15/site-packages/ipahealthcheck-0.19-py3.15-nspkg.pth:
import sys, types, os;p = os.path.join(sys._getframe(1).f_locals['sitedir'], *('ipahealthcheck',));importlib = __import__('importlib.util');__import__('importlib.machinery');m = sys.modules.setdefault('ipahealthcheck', importlib.util.module_from_spec(importlib.machinery.PathFinder.find_spec('ipahealthcheck', [os.path.dirname(p)])));m = m or sys.modules.setdefault('ipahealthcheck', types.ModuleType('ipahealthcheck'));mp = (m or []) and m.__dict__.setdefault('__path__',[]);(p not in mp) and mp.append(p)
Traceback (most recent call last):
  File "<frozen site>", line 533, in _exec_imports
  File "<string>", line 1, in <module>
KeyError: "local variable ''sitedir'' is not defined"
/usr/lib/python3.15/site-packages/ipalib/constants.py:407: CryptographyDeprecationWarning: Single-key TripleDES (8-byte keys) is deprecated and support will be removed in a future release. Use 24-byte keys instead (e.g., key + key + key).
  if backend.cipher_supported(TripleDES(

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.13.1
[...]

but that does not prevent the ipa-server-install from initially running, it's only at that

  [1/33]: configuring certificate server instance

step that it fails.
Therefore, filing against freeipa for initial triage as it is possible some error handling should actually be treating the situation as a warning?
There is no such code in ipahealthcheck. It imports importlib and uses metadata from it, so it looks like there is something broken in importlib.metadata with regards to Python 3.15?
Moving to python3.15 as importlib is part of CPython. We need a clear answer for

Error in import line from /usr/lib/python3.15/site-packages/ipahealthcheck-0.19-py3.15-nspkg.pth:
import sys, types, os;p = os.path.join(sys._getframe(1).f_locals['sitedir'], *('ipahealthcheck',));importlib = __import__('importlib.util');__import__('importlib.machinery');m = sys.modules.setdefault('ipahealthcheck', importlib.util.module_from_spec(importlib.machinery.PathFinder.find_spec('ipahealthcheck', [os.path.dirname(p)])));m = m or sys.modules.setdefault('ipahealthcheck', types.ModuleType('ipahealthcheck'));mp = (m or []) and m.__dict__.setdefault('__path__',[]);(p not in mp) and mp.append(p)
Traceback (most recent call last):
  File "<frozen site>", line 533, in _exec_imports
  File "<string>", line 1, in <module>
KeyError: "local variable ''sitedir'' is not defined"

as this code does not exist in FreeIPA, FreeIPA's healthcheck, and in Dogtag PKI's Python library which uses healthcheck. It looks like it is something between importlib and pkg_resources but not something we can change on our side as nspkg.pth bits are autogenerated.
See https://github.com/python/cpython/issues/149671

tl;dr the following traceback is not a fatal error:

Error in import line from /usr/lib/python3.15/site-packages/ipahealthcheck-0.19-py3.15-nspkg.pth:
import sys, types, os;p = os.path.join(sys._getframe(1).f_locals['sitedir'], *('ipahealthcheck',));importlib = __import__('importlib.util');__import__('importlib.machinery');m = sys.modules.setdefault('ipahealthcheck', importlib.util.module_from_spec(importlib.machinery.PathFinder.find_spec('ipahealthcheck', [os.path.dirname(p)])));m = m or sys.modules.setdefault('ipahealthcheck', types.ModuleType('ipahealthcheck'));mp = (m or []) and m.__dict__.setdefault('__path__',[]);(p not in mp) and mp.append(p)
Traceback (most recent call last):
  File "<frozen site>", line 533, in _exec_imports
  File "<string>", line 1, in <module>
KeyError: "local variable ''sitedir'' is not defined"

It makes logs hard to analyze, and we are working with the upstream to eliminate it. My advice is to get rid of /usr/lib/python3.15/site-packages/ipahealthcheck-0.19-py3.15-nspkg.pth entirely as it is likely not needed. However, this should *not* cause other exceptions. Can you reproduce if you rm that nspkg.pth file?
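
Added example, not part of the comment above and not code from CPython, setuptools or FreeIPA: a small audit that lists the .pth lines the interpreter executes at startup and marks the ones that read 'sitedir' out of the caller's frame, as the nspkg.pth line quoted in this report does. The function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Pattern used by the *-nspkg.pth line quoted in this report: the line reads
# 'sitedir' out of the local variables of the frame that executes it.
FRAME_PEEK = re.compile(
    r"sys\._getframe\(\s*1\s*\)\.f_locals\[\s*['\"]sitedir['\"]\s*\]"
)


def audit_pth(site_dir):
    """Return (file name, line number, kind) for every executable .pth line.

    site.py executes a .pth line that starts with 'import' followed by a
    space or a tab; any other non-comment line is only a path entry.
    """
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            findings.append((pth.name, 0, "unreadable"))
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            if line.startswith(("import ", "import\t")):
                kind = "frame-peek" if FRAME_PEEK.search(line) else "exec"
                findings.append((pth.name, lineno, kind))
    return findings


def build_sample_site_dir(root):
    """Constructed sample data: three .pth files written into a temp directory."""
    root = Path(root)
    (root / "plain.pth").write_text("# comment\n/opt/example/lib\n")
    (root / "hook.pth").write_text(
        "import os; os.environ.setdefault('EXAMPLE', '1')\n"
    )
    (root / "demo-0.1-nspkg.pth").write_text(
        "import sys, types, os;"
        "p = os.path.join(sys._getframe(1).f_locals['sitedir'], *('demo',))\n"
    )
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, lineno, kind in audit_pth(build_sample_site_dir(tmp)):
            print(f"{name}:{lineno}: {kind}")
```

Pointing audit_pth() at a real site-packages directory shows which packages ship startup code of this kind before a Python upgrade changes how those lines are run.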
I tried to reproduce this in a container, but it seems I actually do need a VM. Help would be appreciated with step 1 of the reproducer. What commands do I run?
OK, used https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Cloud/x86_64/images/Fedora-Cloud-Base-Generic-Rawhide-20260608.n.0.x86_64.qcow2

virt-customize -a Fedora-Cloud-Base-Generic-Rawhide-20260608.n.0.x86_64.qcow2 --root-password password:changeme
qemu-system-x86_64 -hda Fedora-Cloud-Base-Generic-Rawhide-20260608.n.0.x86_64.qcow2 -m 2G -enable-kvm -cpu host -nographic

And I get:

Invalid hostname 'localhost', must be fully-qualified.
You can add --hostname ipa.example.test to that virt-customize, that should setup /etc/hostname and make ipa-server-install happy. Or just edit that /etc/hostname and reboot.
OK, it seems that `rm /usr/lib/python3.15/site-packages/ipahealthcheck-0.19-py3.15-nspkg.pth` makes it work. If you need this fixed ASAP, I recommend removing that file from the freeipa-healthcheck package. If you can wait, we are trying to get rid of that behavior in Python. If you want a proper fix, perhaps try figuring out why a harmless traceback on stderr breaks something in IPA. Perhaps something is parsing the stderr and trying to read from it? No idea.
FWIW yes, the failing function parses stdout and stderr to determine whether a command executed correctly. Because something, anything, is in stderr that causes Exception to be raised. In specific cases it handles things more gracefully but falls back on a hard fail.
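
The failure mode described in the two comments above, as an added sketch that is not pki's or FreeIPA's code: a wrapper that fails on any stderr output, beside one that decides on the exit status and keeps stderr as diagnostics. Both child commands and the function names are constructed stand-ins.

```python
import subprocess
import sys

# Constructed child process: prints its result on stdout, a harmless message
# on stderr (standing in for the nspkg.pth traceback), and exits with status 0.
NOISY_OK = [
    sys.executable, "-c",
    "import sys; print('CERT-DATA'); print('Error in import line', file=sys.stderr)",
]
# Constructed child process that really fails: nothing on stdout, exit status 3.
REAL_FAILURE = [
    sys.executable, "-c",
    "import sys; print('no such nickname', file=sys.stderr); sys.exit(3)",
]


def get_output_fragile(cmd):
    """Fragile pattern: any text on stderr is treated as a failure."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.stderr:
        raise RuntimeError("command failed: %s" % proc.stderr.strip())
    return proc.stdout.strip()


def get_output_robust(cmd):
    """Decide on the exit status; return stderr only as diagnostics."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(
            "command exited %d: %s" % (proc.returncode, proc.stderr.strip())
        )
    return proc.stdout.strip(), proc.stderr.strip()


if __name__ == "__main__":
    try:
        get_output_fragile(NOISY_OK)
    except RuntimeError as exc:
        print("fragile wrapper:", exc)
    print("robust wrapper:", get_output_robust(NOISY_OK))
```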
https://src.fedoraproject.org/rpms/python3.15/pull-request/80
Please test with python3.15-3.15.0~b2-5.fc45 -- should be fixed now.
Does the build live in some yum/dnf repo which could be easily enabled? I'd like to avoid manually listing all rpms needed by FreeIPA installation ...
> Does the build live in some yum/dnf repo which could be easily enabled?

Yes.

[koji45]
name=koji45
baseurl=https://kojipkgs.fedoraproject.org/repos/f45-build/latest/$basearch/
enabled=1
Or do:

dnf install -y --setopt=install_weak_deps=False freeipa-server freeipa-healthcheck https://kojipkgs.fedoraproject.org/packages/python3.15/3.15.0~b2/5.fc45/x86_64/python3{,-libs}-3.15.0~b2-5.fc45.x86_64.rpm
I believe adding --no-gpgchecks --repofrompath='koji45,https://kojipkgs.fedoraproject.org/repos/f45-build/latest/$basearch/' improved our FreeIPA containerization test run: https://github.com/adelton/freeipa-container/actions/runs/27837551993 However, FreeIPA currently fails in rawhide in different places due to OpenSSL rebase (https://bugzilla.redhat.com/show_bug.cgi?id=2490607) so we don't have fully green tests at the moment. Hence a tentative VERIFIED but I will retest once things settle down in rawhide in general.