| 2018-04-20 07:18:32 |
Juan Tobon |
bug |
|
|
added bug |
| 2018-04-20 08:42:41 |
Timo Aaltonen |
freeipa (Ubuntu): status |
New |
Incomplete |
|
| 2018-04-23 14:56:20 |
Timo Aaltonen |
bug task added |
|
tomcat8 (Ubuntu) |
|
| 2018-04-27 13:20:44 |
Timo Aaltonen |
freeipa (Ubuntu): status |
Incomplete |
Invalid |
|
| 2018-05-03 17:33:22 |
Timo Aaltonen |
tomcat8 (Ubuntu): importance |
Undecided |
Critical |
|
| 2018-05-03 17:33:22 |
Timo Aaltonen |
tomcat8 (Ubuntu): status |
New |
In Progress |
|
| 2018-05-03 17:33:22 |
Timo Aaltonen |
tomcat8 (Ubuntu): assignee |
|
Timo Aaltonen (tjaalton) |
|
| 2018-05-03 17:33:38 |
Timo Aaltonen |
nominated for series |
|
Ubuntu Bionic |
|
| 2018-05-03 17:33:38 |
Timo Aaltonen |
bug task added |
|
freeipa (Ubuntu Bionic) |
|
| 2018-05-03 17:33:38 |
Timo Aaltonen |
bug task added |
|
tomcat8 (Ubuntu Bionic) |
|
| 2018-05-03 17:36:48 |
Launchpad Janitor |
freeipa (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2018-05-03 17:36:48 |
Launchpad Janitor |
tomcat8 (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2018-05-03 17:41:54 |
Timo Aaltonen |
freeipa (Ubuntu Bionic): status |
Confirmed |
Invalid |
|
| 2018-05-03 17:47:48 |
Timo Aaltonen |
description |
DESCRIPTION
The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN:
https://pagure.io/dogtagpki/issue/2973
https://pagure.io/freeipa/issue/7464
SYSTEM INFORMATION:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Bionic Beaver (development branch)
Release: 18.04
Codename: bionic
$ sudo dpkg -l | grep freeipa
ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64 FreeIPA centralized identity framework -- client
ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files
ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64 FreeIPA centralized identity framework -- server
ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration
$ sudo dpkg -l | grep dogtag
ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite
ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface
ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface
TO REPRODUCE:
1. install freeipa-server and freeipa-server-dns
2. the following installation options (note I have changed confidential details).
sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXXXXXX -p XXXXXXX --mkhomedir --hostname=example.domain.com --ca-signing-algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp
RESULTS
1. The above error is produced.
2. the pkispawn logs show it waiting for the server and timing out.
2018-04-20 05:30:19 pkispawn : INFO ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat'
2018-04-20 05:30:26 pkispawn : INFO ........... checking https://example.com:8443/ca
2018-04-20 05:30:27 pkispawn : INFO ........... waiting for server to start (1s)
2018-04-20 05:30:28 pkispawn : INFO ........... waiting for server to start (2s)
2018-04-20 05:30:29 pkispawn : INFO ........... waiting for server to start (3s)
2018-04-20 05:30:30 pkispawn : INFO ........... waiting for server to start (4s)
2018-04-20 05:30:31 pkispawn : INFO ........... waiting for server to start (5s)
...
2018-04-20 05:31:22 pkispawn : INFO ........... waiting for server to start (56s)
2018-04-20 05:31:23 pkispawn : INFO ........... waiting for server to start (57s)
2018-04-20 05:31:24 pkispawn : INFO ........... waiting for server to start (58s)
2018-04-20 05:31:25 pkispawn : INFO ........... waiting for server to start (59s)
2018-04-20 05:31:26 pkispawn : ERROR ........... server did not start after 60s
2018-04-20 05:31:26 pkispawn : ERROR ....... server failed to restart
2018-04-20 05:31:26 pkispawn : DEBUG ....... Error Type: Exception
2018-04-20 05:31:26 pkispawn : DEBUG ....... Error Message: server failed to restart
2018-04-20 05:31:26 pkispawn : DEBUG ....... File "/usr/lib/python2.7/dist-packages/pki/server/pkispawn.py", line 534, in main
scriptlet.spawn(deployer)
File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 1022, in spawn
raise Exception("server failed to restart")
3. Tomcat services appear to be running
systemctl -l status pki-tomcatd
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
Active: active (running) since Fri 2018-04-20 06:42:42 UTC; 28min ago
Docs: man:systemd-sysv-generator(8)
Process: 23764 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=0/SUCCESS)
Tasks: 98 (limit: 4915)
CGroup: /system.slice/pki-tomcatd.service
└─23951 /usr/share/pki/java-home/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -DRESTEASY_LIB=/usr/share/java/ -Djava.
4. Trying to curl to ca endpoint results in no response error
curl -k -v https://example.com:8443/ca
* Trying 10.5.8.88...
* TCP_NODELAY set
* Connected to example.com (10.5.8.88) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443 |
[Impact]
The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons.
[Test Case]
Install freeipa-server, run ipa-server-install.
[Regression Potential]
The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK.
[Other info]
Patch will be sent upstream too. |
|
| 2018-05-03 17:57:20 |
Timo Aaltonen |
tomcat8 (Ubuntu Bionic): importance |
Undecided |
Critical |
|
| 2018-05-03 17:58:28 |
Timo Aaltonen |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895866 |
|
| 2018-05-03 17:58:28 |
Timo Aaltonen |
bug task added |
|
tomcat8 (Debian) |
|
| 2018-05-03 22:04:40 |
Bug Watch Updater |
tomcat8 (Debian): status |
Unknown |
New |
|
| 2018-05-04 06:34:28 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server |
| 2018-05-04 11:40:29 |
Sebastian |
bug |
|
|
added subscriber Sebastian |
| 2018-05-05 04:29:29 |
Jared Szechy |
bug |
|
|
added subscriber Jared Szechy |
| 2018-05-07 13:28:33 |
Launchpad Janitor |
tomcat8 (Ubuntu): status |
In Progress |
Fix Released |
|
| 2018-05-08 16:47:21 |
Timo Aaltonen |
summary |
freeipa server install fails - RuntimeError: CA configuration failed. |
tomcat more or less broken -- java compat issues |
|
| 2018-05-08 16:47:28 |
Timo Aaltonen |
bug task deleted |
freeipa (Ubuntu Bionic) |
|
|
| 2018-05-08 16:47:36 |
Timo Aaltonen |
bug task deleted |
freeipa (Ubuntu) |
|
|
| 2018-05-10 08:09:37 |
Hans Joachim Desserud |
tags |
|
bionic cosmic |
|
| 2018-05-23 18:02:34 |
Samson Chung |
bug |
|
|
added subscriber Samson Chung |
| 2018-05-25 11:51:14 |
Teluka |
bug |
|
|
added subscriber Mateusz Pawlowski |
| 2018-05-28 18:27:24 |
Łukasz Zemczak |
tomcat8 (Ubuntu Bionic): status |
Confirmed |
Fix Committed |
|
| 2018-05-28 18:27:27 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2018-05-28 18:27:29 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
| 2018-05-28 18:27:34 |
Łukasz Zemczak |
tags |
bionic cosmic |
bionic cosmic verification-needed verification-needed-bionic |
|
| 2018-05-29 15:02:53 |
Jared Szechy |
tags |
bionic cosmic verification-needed verification-needed-bionic |
bionic cosmic verification-done-bionic verification-needed |
|
| 2018-06-05 07:58:36 |
Rüdiger Kuhlmann |
bug |
|
|
added subscriber Rüdiger Kuhlmann |
| 2018-06-05 07:59:03 |
Rüdiger Kuhlmann |
tomcat8 (Ubuntu Bionic): status |
Fix Committed |
Confirmed |
|
| 2018-06-05 08:00:22 |
Rüdiger Kuhlmann |
tomcat8 (Ubuntu Bionic): status |
Confirmed |
Fix Committed |
|
| 2018-06-13 10:37:44 |
Timo Aaltonen |
tags |
bionic cosmic verification-done-bionic verification-needed |
bionic cosmic verification-done verification-done-bionic |
|
| 2018-06-15 12:35:44 |
Bug Watch Updater |
tomcat8 (Debian): status |
New |
Fix Released |
|
| 2018-07-05 22:55:13 |
Stefano Rivera |
tomcat8 (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2019-04-10 17:04:05 |
Łukasz Zemczak |
tomcat8 (Ubuntu Bionic): status |
Fix Released |
Fix Committed |
|
| 2019-04-10 17:04:15 |
Łukasz Zemczak |
tags |
bionic cosmic verification-done verification-done-bionic |
bionic cosmic verification-needed verification-needed-bionic |
|
| 2019-04-16 16:31:03 |
Launchpad Janitor |
tomcat8 (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2019-04-16 16:31:03 |
Launchpad Janitor |
cve linked |
|
2018-8014 |
|
