Ubuntu
tomcat8 package

  1. Bug #1765616
  2. Comment #0

Comment 0 for bug 1765616

Revision history for this message
Juan Tobon (juantobon78) wrote : freeipa server install fails - RuntimeError: CA configuration failed.

DESCRIPTION

The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced.

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
      [1/28]: configuring certificate server instance
    ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
    ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
    ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
      [error] RuntimeError: CA configuration failed.
    ipapython.admintool: ERROR CA configuration failed.
    ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN:

    https://pagure.io/dogtagpki/issue/2973
    https://pagure.io/freeipa/issue/7464

SYSTEM INFORMATION:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Bionic Beaver (development branch)
Release: 18.04
Codename: bionic

$ sudo dpkg -l | grep freeipa
    ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64 FreeIPA centralized identity framework -- client
    ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files
    ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64 FreeIPA centralized identity framework -- server
    ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration

$ sudo dpkg -l | grep dogtag
    ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite
    ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface
    ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface

TO REPRODUCE:

1. install freeipa-server and freeipa-server-dns
2. the following installation options (note I have changed confidential details).

sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXXXXXX -p XXXXXXX --mkhomedir --hostname=example.domain.com --ca-signing-algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp

RESULTS

1. The above error is produced.
2. the pkispawn logs show it waiting for the server and timing out.

   2018-04-20 05:30:19 pkispawn : INFO ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat'
    2018-04-20 05:30:26 pkispawn : INFO ........... checking https://example.com:8443/ca
    2018-04-20 05:30:27 pkispawn : INFO ........... waiting for server to start (1s)
    2018-04-20 05:30:28 pkispawn : INFO ........... waiting for server to start (2s)
    2018-04-20 05:30:29 pkispawn : INFO ........... waiting for server to start (3s)
    2018-04-20 05:30:30 pkispawn : INFO ........... waiting for server to start (4s)
    2018-04-20 05:30:31 pkispawn : INFO ........... waiting for server to start (5s)

...

    2018-04-20 05:31:22 pkispawn : INFO ........... waiting for server to start (56s)
    2018-04-20 05:31:23 pkispawn : INFO ........... waiting for server to start (57s)
    2018-04-20 05:31:24 pkispawn : INFO ........... waiting for server to start (58s)
    2018-04-20 05:31:25 pkispawn : INFO ........... waiting for server to start (59s)
    2018-04-20 05:31:26 pkispawn : ERROR ........... server did not start after 60s
    2018-04-20 05:31:26 pkispawn : ERROR ....... server failed to restart
    2018-04-20 05:31:26 pkispawn : DEBUG ....... Error Type: Exception
    2018-04-20 05:31:26 pkispawn : DEBUG ....... Error Message: server failed to restart
    2018-04-20 05:31:26 pkispawn : DEBUG ....... File "/usr/lib/python2.7/dist-packages/pki/server/pkispawn.py", line 534, in main
        scriptlet.spawn(deployer)
      File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 1022, in spawn
        raise Exception("server failed to restart")

3. Tomcat services appear to be running

systemctl -l status pki-tomcatd
● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
   Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
   Active: active (running) since Fri 2018-04-20 06:42:42 UTC; 28min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 23764 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=0/SUCCESS)
    Tasks: 98 (limit: 4915)
   CGroup: /system.slice/pki-tomcatd.service
           └─23951 /usr/share/pki/java-home/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -DRESTEASY_LIB=/usr/share/java/ -Djava.

4. Trying to curl to ca endpoint results in no response error

curl -k -v https://example.com:8443/ca
* Trying 10.5.8.88...
* TCP_NODELAY set
* Connected to example.com (10.5.8.88) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443