Package: freeipa-server Version: 4.6.3-1 Severity: important
-- System Information: Debian Release: 9.4 APT prefers stable APT policy: (700, 'stable'), (650, 'unstable'), (500, 'stable-updates') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages freeipa-server depends on: ii 389-ds-base 1.3.7.10-1+b1 ii acl 2.2.52-3+b1 ii apache2 2.4.25-3+deb9u4 ii certmonger 0.79.5-2 ii custodia 0.5.0-3 ii fonts-font-awesome 4.7.0~dfsg-3 ii fonts-open-sans 1.11-1 ii freeipa-admintools 4.6.3-1 ii freeipa-client 4.6.3-1 ii freeipa-common 4.6.3-1 ii gssproxy 0.8.0-1 ii krb5-admin-server 1.16-2 ii krb5-kdc 1.16-2 ii krb5-kdc-ldap 1.16-2 ii krb5-otp 1.16-2 ii krb5-pkinit 1.16-2 ii ldap-utils 2.4.46+dfsg-5 ii libapache2-mod-auth-gssapi 1.6.0-1 ii libapache2-mod-lookup-identity 1.0.0-1 ii libapache2-mod-nss 1.0.14-1+b1 ii libapache2-mod-wsgi 4.5.17-1+b1 ii libc6 2.27-3 ii libcomerr2 1.44.1-2 ii libjs-dojo-core 1.11.0+dfsg-1 ii libjs-jquery 3.2.1-1 ii libk5crypto3 1.16-2 ii libkrad0 1.16-2 ii libkrb5-3 1.16-2 ii libldap-2.4-2 2.4.46+dfsg-5 ii libnspr4 2:4.19-1 ii libnss3 2:3.36.1-1 ii libnss3-tools 2:3.36.1-1 ii libsasl2-modules-gssapi-mit 2.1.27~101-g0780600+dfsg-3.1 ii libssl1.1 1.1.0f-3+deb9u2 ii libsss-nss-idmap0 1.16.1-1+b1 ii libtalloc2 2.1.10-2 ii libtevent0 0.9.34-1 ii libunistring2 0.9.8-1 ii libuuid1 2.29.2-1+deb9u1 ii libverto1 0.2.4-2.1 ii ntp 1:4.2.8p11+dfsg-1 ii oddjob 0.34.3-4 ii p11-kit 0.23.10-2 ii pki-ca 10.5.5-1 ii pki-kra 10.5.5-1 ii python 2.7.13-2 ii python-dateutil 2.6.1-1 ii python-gssapi 1.4.1-1 ii python-ipaserver 4.6.3-1 ii python-ldap 3.0.0-1 ii python-systemd 234-2 ii samba-libs 2:4.7.4+dfsg-2 ii slapi-nis 0.56.1-1 ii softhsm2 2.4.0-0.1 ii systemd-sysv 238-4 Versions of packages freeipa-server recommends: ii freeipa-server-dns 4.6.3-1 freeipa-server suggests no packages. -- Configuration Files: /etc/default/ipa-dnskeysyncd changed: SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf -- no debconf information The server installation process will fail when a certificate is requested from the CA with error CA_UNREACHABLE. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance [2/28]: exporting Dogtag certificate store pin [3/28]: stopping certificate server instance to update CS.cfg [4/28]: backing up CS.cfg [5/28]: disabling nonces [6/28]: set up CRL publishing [7/28]: enable PKIX certificate path discovery and validation [8/28]: starting certificate server instance [9/28]: configure certmonger for renewals [10/28]: requesting RA certificate from CA [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE) ipapython.admintool: ERROR Certificate issuance failed (CA_UNREACHABLE) ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information This was for the 2nd stage of an external CA setup, but also occurs with the standard self-signed CA option. Things I've checked: * DNS: The correct zone exists, and resolves correctly when using `dig` on both the server, and my workstation. (Both the root domain name and "ipa-ca" sub-domain records.) * /etc/hosts file: The server's FQDN is listed. * pki-tomcatd service: Definitely running. * Firewall: Port 8080 and 8443 for tomcat are not blocked. (Disabled CSF+LFD completely and tried again to be sure with empty IPTABLES.) * The dogtag web UI is accessible on both ports 8080 and 8443. The installation log for PKI is as follows. 2018-05-13T09:56:23Z DEBUG Starting external process 2018-05-13T09:56:23Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpNZQfmj 2018-05-13T09:57:12Z DEBUG Process finished, return code=0 2018-05-13T09:57:12Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20180513115623.log Loading deployment configuration from /tmp/tmpNZQfmj. WARNING: The 'pki_external_ca_cert_path' in [CA] has been deprecated. Use 'pki_ca_signing_cert_path' instead. WARNING: The 'pki_external_ca_cert_chain_path' in [CA] has been deprecated. Use 'pki_cert_chain_path' instead. WARNING: The 'pki_ssl_server_nickname' in [CA] has been deprecated. Use 'pki_sslserver_nickname' instead. WARNING: The 'pki_ssl_server_subject_dn' in [CA] has been deprecated. Use 'pki_sslserver_subject_dn' instead. Installing CA into /var/lib/pki/pki-tomcat. /tmp/tmpQdpnr5/cert0.crt: <X.509 subject> Starting pki-tomcatd (via systemctl): pki-tomcatd.service. Stopping pki-tomcatd (via systemctl): pki-tomcatd.service. Starting pki-tomcatd (via systemctl): pki-tomcatd.service. ========================================================================== INSTALLATION SUMMARY ========================================================================== Administrator's username: admin Administrator's PKCS #12 file: /root/ca-agent.p12 To check the status of the subsystem: systemctl status pki-tomcatd@pki-tomcat.service To restart the subsystem: systemctl restart pki-tomcatd@pki-tomcat.service The URL for the subsystem is: https://<fqdn>:8443/ca PKI instances will be enabled upon system boot ========================================================================== 2018-05-13T09:57:12Z DEBUG stderr=pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255! SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/usr/share/java/slf4j-simple.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/usr/share/java/slf4j-jdk14.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.SimpleLoggerFactory] Notice: Trust flag u is set automatically if the private key is present. pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255! 2018-05-13T09:57:12Z DEBUG completed creating ca instance 2018-05-13T09:57:12Z DEBUG duration: 49 seconds 2018-05-13T09:57:12Z DEBUG [2/28]: exporting Dogtag certificate store pin 2018-05-13T09:57:12Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2018-05-13T09:57:12Z DEBUG duration: 0 seconds 2018-05-13T09:57:12Z DEBUG [3/28]: stopping certificate server instance to update CS.cfg 2018-05-13T09:57:12Z DEBUG Starting external process 2018-05-13T09:57:12Z DEBUG args=/bin/systemctl stop pki-tomcatd.service 2018-05-13T09:57:12Z DEBUG Process finished, return code=0 2018-05-13T09:57:12Z DEBUG stdout= 2018-05-13T09:57:12Z DEBUG stderr= 2018-05-13T09:57:12Z DEBUG duration: 0 seconds 2018-05-13T09:57:12Z DEBUG [4/28]: backing up CS.cfg 2018-05-13T09:57:12Z DEBUG Starting external process 2018-05-13T09:57:12Z DEBUG args=/bin/systemctl is-active pki-tomcatd.service 2018-05-13T09:57:12Z DEBUG Process finished, return code=3 2018-05-13T09:57:12Z DEBUG stdout=inactive 2018-05-13T09:57:12Z DEBUG stderr= 2018-05-13T09:57:12Z DEBUG duration: 0 seconds 2018-05-13T09:57:12Z DEBUG [5/28]: disabling nonces 2018-05-13T09:57:12Z DEBUG duration: 0 seconds 2018-05-13T09:57:12Z DEBUG [6/28]: set up CRL publishing 2018-05-13T09:57:12Z DEBUG duration: 0 seconds 2018-05-13T09:57:12Z DEBUG [7/28]: enable PKIX certificate path discovery and validation 2018-05-13T09:57:12Z DEBUG duration: 0 seconds 2018-05-13T09:57:12Z DEBUG [8/28]: starting certificate server instance 2018-05-13T09:57:12Z DEBUG Starting external process 2018-05-13T09:57:12Z DEBUG args=/bin/systemctl start pki-tomcatd.service 2018-05-13T09:57:18Z DEBUG Process finished, return code=0 2018-05-13T09:57:18Z DEBUG stdout= 2018-05-13T09:57:18Z DEBUG stderr= 2018-05-13T09:57:18Z DEBUG Starting external process 2018-05-13T09:57:18Z DEBUG args=/bin/systemctl is-active pki-tomcatd.service 2018-05-13T09:57:18Z DEBUG Process finished, return code=0 2018-05-13T09:57:18Z DEBUG stdout=active 2018-05-13T09:57:18Z DEBUG stderr= 2018-05-13T09:57:18Z DEBUG duration: 5 seconds 2018-05-13T09:57:18Z DEBUG [9/28]: configure certmonger for renewals 2018-05-13T09:57:18Z DEBUG Starting external process 2018-05-13T09:57:18Z DEBUG args=/bin/systemctl enable certmonger.service 2018-05-13T09:57:18Z DEBUG Process finished, return code=0 2018-05-13T09:57:18Z DEBUG stdout= 2018-05-13T09:57:18Z DEBUG stderr=Synchronizing state of certmonger.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable certmonger 2018-05-13T09:57:18Z DEBUG Starting external process 2018-05-13T09:57:18Z DEBUG args=/bin/systemctl start certmonger.service 2018-05-13T09:57:18Z DEBUG Process finished, return code=0 2018-05-13T09:57:18Z DEBUG stdout= 2018-05-13T09:57:18Z DEBUG stderr= 2018-05-13T09:57:18Z DEBUG Starting external process 2018-05-13T09:57:18Z DEBUG args=/bin/systemctl is-active certmonger.service 2018-05-13T09:57:18Z DEBUG Process finished, return code=0 2018-05-13T09:57:18Z DEBUG stdout=active 2018-05-13T09:57:18Z DEBUG stderr= 2018-05-13T09:57:18Z DEBUG duration: 0 seconds 2018-05-13T09:57:18Z DEBUG [10/28]: requesting RA certificate from CA 2018-05-13T09:57:18Z DEBUG Starting external process 2018-05-13T09:57:18Z DEBUG args=/usr/bin/openssl pkcs7 -inform DER -print_certs -out /var/lib/ipa/tmpH6mrdU 2018-05-13T09:57:18Z DEBUG Process finished, return code=0 2018-05-13T09:57:18Z DEBUG stdout= 2018-05-13T09:57:18Z DEBUG stderr= 2018-05-13T09:57:18Z DEBUG Starting external process 2018-05-13T09:57:18Z DEBUG args=/usr/bin/openssl pkcs12 -nokeys -clcerts -in /root/ca-agent.p12 -out /var/lib/ipa/tmp3Xwfc_ -passin file:/tmp/tmp_V2wgw 2018-05-13T09:57:20Z DEBUG Process finished, return code=0 2018-05-13T09:57:20Z DEBUG stdout= 2018-05-13T09:57:20Z DEBUG stderr= 2018-05-13T09:57:20Z DEBUG Starting external process 2018-05-13T09:57:20Z DEBUG args=/usr/bin/openssl pkcs12 -nodes -nocerts -in /root/ca-agent.p12 -out /var/lib/ipa/tmpVSadnP -passin file:/tmp/tmpFcGABi 2018-05-13T09:57:21Z DEBUG Process finished, return code=0 2018-05-13T09:57:21Z DEBUG stdout= 2018-05-13T09:57:21Z DEBUG stderr= 2018-05-13T09:57:22Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1) 2018-05-13T09:57:27Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1) 2018-05-13T09:57:27Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 506, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 496, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 900, in __request_ra_certificate storage="FILE") File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert raise RuntimeError("Certificate issuance failed ({})".format(state)) RuntimeError: Certificate issuance failed (CA_UNREACHABLE) 2018-05-13T09:57:27Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE) 2018-05-13T09:57:27Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 319, in run cfgr.run() File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 364, in run self.execute() File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 388, in execute for _nothing in self._executor(): File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 430, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 459, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 420, in __runner step() File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 417, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 654, in _configure next(executor) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 430, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 459, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 517, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 514, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 420, in __runner step() File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 417, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 66, in _install for unused in self._installer(self.parent): File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", line 583, in main master_install(self) File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 250, in decorated func(installer) File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 807, in install ca.install_step_0(False, None, options) File "/usr/lib/python2.7/dist-packages/ipaserver/install/ca.py", line 308, in install_step_0 use_ldaps=standalone) File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 465, in configure_instance self.start_creation(runtime=runtime) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 506, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 496, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 900, in __request_ra_certificate storage="FILE") File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert raise RuntimeError("Certificate issuance failed ({})".format(state)) 2018-05-13T09:57:27Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE) 2018-05-13T09:57:27Z ERROR Certificate issuance failed (CA_UNREACHABLE) 2018-05-13T09:57:27Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The only other error I see in that is about "crypto.fips_enabled", but that doesn't appear to block the PKI spawning. Looking into this further I found on Red Hat and Fedora that they had an issue whereby the cURL used was built against OpenSSL instead of NSS, which could be related. [https://bugzilla.redhat.com/show_bug.cgi?id=1455561] The output of `curl -V` for this Debian server is: curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2l zlib/1.2.8 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3 They did however fix this issue for FreeIPA 4.6, but that probably wouldn't include Debian's build. Please let me know if you require any further information.