DESCRIPTION
The issue occurs while installing IPA server, more specifically whilst configuring pki-tomcatd. The following error is produced.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
ISSUE APPEARS TO BE THE SAME AS THAT FOUND IN:
https://pagure.io/dogtagpki/issue/2973
https://pagure.io/freeipa/issue/7464
SYSTEM INFORMATION:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Bionic Beaver (development branch)
Release: 18.04
Codename: bionic
$ sudo dpkg -l | grep freeipa
ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64 FreeIPA centralized identity framework -- client
ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files
ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64 FreeIPA centralized identity framework -- server
ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration
$ sudo dpkg -l | grep dogtag
ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite
ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface
ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface
TO REPRODUCE:
1. install freeipa-server and freeipa-server-dns
2. the following installation options (note I have changed confidential details).
sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXXXXXX -p XXXXXXX --mkhomedir --hostname=example.domain.com --ca-signing-algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty Python, L=London, ST=Greater London,C=UK" --unattended --no-ntp
RESULTS
1. The above error is produced.
2. the pkispawn logs show it waiting for the server and timing out.
2018-04-20 05:30:19 pkispawn : INFO ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat'
2018-04-20 05:30:26 pkispawn : INFO ........... checking https://example.com:8443/ca
2018-04-20 05:30:27 pkispawn : INFO ........... waiting for server to start (1s)
2018-04-20 05:30:28 pkispawn : INFO ........... waiting for server to start (2s)
2018-04-20 05:30:29 pkispawn : INFO ........... waiting for server to start (3s)
2018-04-20 05:30:30 pkispawn : INFO ........... waiting for server to start (4s)
2018-04-20 05:30:31 pkispawn : INFO ........... waiting for server to start (5s)
...
2018-04-20 05:31:22 pkispawn : INFO ........... waiting for server to start (56s)
2018-04-20 05:31:23 pkispawn : INFO ........... waiting for server to start (57s)
2018-04-20 05:31:24 pkispawn : INFO ........... waiting for server to start (58s)
2018-04-20 05:31:25 pkispawn : INFO ........... waiting for server to start (59s)
2018-04-20 05:31:26 pkispawn : ERROR ........... server did not start after 60s
2018-04-20 05:31:26 pkispawn : ERROR ....... server failed to restart
2018-04-20 05:31:26 pkispawn : DEBUG ....... Error Type: Exception
2018-04-20 05:31:26 pkispawn : DEBUG ....... Error Message: server failed to restart
2018-04-20 05:31:26 pkispawn : DEBUG ....... File "/usr/lib/python2.7/dist-packages/pki/server/pkispawn.py", line 534, in main scriptlet.spawn(deployer)
File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 1022, in spawn
raise Exception("server failed to restart")
3. Tomcat services appear to be running
systemctl -l status pki-tomcatd
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
Active: active (running) since Fri 2018-04-20 06:42:42 UTC; 28min ago
Docs: man:systemd-sysv-generator(8)
Process: 23764 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=0/SUCCESS)
Tasks: 98 (limit: 4915)
CGroup: /system.slice/pki-tomcatd.service
└─23951 /usr/share/pki/java-home/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -DRESTEASY_LIB=/usr/share/java/ -Djava.
4. Trying to curl the CA endpoint results in a no-response error
curl -k -v https://example.com:8443/ca
* Trying 10.5.8.88...
* TCP_NODELAY set
* Connected to example.com (10.5.8.88) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
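Added example, not pkispawn's or FreeIPA's own code: the installer's FIPS probe is the `sysctl crypto.fips_enabled -bn` call quoted in the error above, and sysctl answers that query by reading /proc/sys/crypto/fips_enabled; on a kernel that does not expose the key the command fails with a non-zero status (255 in the log) instead of reporting "disabled". The helper below reads the key directly, treats a missing key as FIPS disabled and records why, which is the behaviour a defender wants from an installer probe; the `path` parameter is an assumption added only so the check can be exercised against constructed files.

```python
"""Tolerant FIPS-mode probe (constructed example, Python 3).

pkispawn shells out to 'sysctl crypto.fips_enabled -bn'. sysctl reads
/proc/sys/crypto/fips_enabled, and a kernel without that key makes the
command fail rather than say "not FIPS". Reading the key ourselves lets the
installer degrade to "FIPS disabled" and log the reason instead of aborting.
"""
import os

# Real procfs path behind the sysctl key the installer queries.
FIPS_SYSCTL_PATH = "/proc/sys/crypto/fips_enabled"


def fips_status(path=FIPS_SYSCTL_PATH):
    """Return (enabled, reason).

    enabled is True only when the kernel explicitly reports fips_enabled=1.
    reason is a short string an installer log can record for later review.
    """
    try:
        with open(path) as fh:
            raw = fh.read().strip()
    except FileNotFoundError:
        # Kernel built without the FIPS toggle (the situation in this report):
        # 'sysctl -bn' exits non-zero here; we report "disabled" with a reason.
        return False, "kernel does not expose crypto.fips_enabled; assuming FIPS disabled"
    except PermissionError:
        return False, "crypto.fips_enabled unreadable; assuming FIPS disabled"
    if raw == "1":
        return True, "crypto.fips_enabled=1"
    if raw == "0":
        return False, "crypto.fips_enabled=0"
    # Anything else is unexpected; fail closed on the "enabled" claim but do not abort.
    return False, "unexpected value %r for crypto.fips_enabled; assuming FIPS disabled" % raw


def fips_enabled(path=FIPS_SYSCTL_PATH):
    """Boolean wrapper that never raises, unlike a failing sysctl subprocess."""
    return fips_status(path)[0]


if __name__ == "__main__":
    enabled, reason = fips_status()
    print("FIPS enabled: %s (%s)" % (enabled, reason))
```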