On Thu, 03 May 2018, Kees Bakker via FreeIPA-users wrote:
On 03-05-18 12:07, Kees Bakker via FreeIPA-users wrote:
Hey,

Trying to do a test installation of a FreeIPA server on Ubuntu 18.04.
It fails setting up the certificate server (pki-tomcatd).

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: 
CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp5ejwx5'] 
returned non-zero exit status 1: u"pkispawn    : ERROR    ....... 
subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' 
returned non-zero exit status 255!\npkispawn    : ERROR    ........... server did not 
start after 60s\npkispawn    : ERROR    ....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the 
following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR    CA configuration failed.
ipapython.admintool: ERROR    The ipa-server-install command failed. See 
/var/log/ipaserver-install.log for more information

The failing command is: sysctl crypto.fips_enabled -bn
On my system there is no /proc/sys/crypto.

BTW. I'm installing in a LXC container, the host is Ubuntu 16.04.
That should not matter, because none of my Ubuntu systems (16.04 and 18.04)
have /proc/sys/crypto.

The problem seems to be in pki/server/deployment/pkihelper.py.
When the sysctl command fails due to a missing /proc/sys/crypto/fips_enabled
(or even a missing /proc/sys/crypto), it raises an exception.

Notice that there is an ipaplatform with is_fips_enabled. Shouldn't that be
used in pkihelper.py?

As a workaround I applied this patch:
--- pkihelper.py.orig    2018-04-25 07:00:08.000000000 +0000
+++ pkihelper.py    2018-05-03 12:51:19.034143214 +0000
@@ -2304,11 +2304,10 @@
                         extra=config.PKI_INDENTATION_LEVEL_3)
                     return False
         except subprocess.CalledProcessError as exc:
-            config.pki_log.error(
-                log.PKI_SUBPROCESS_ERROR_1, exc,
-                extra=config.PKI_INDENTATION_LEVEL_2)
-            if critical_failure:
-                raise
+            config.pki_log.info(
+                log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED,
+                extra=config.PKI_INDENTATION_LEVEL_3)
+            return False
         except OSError as exc:
             config.pki_log.error(
                 log.PKI_OSERROR_1, exc,

But now the pki-tomcat configuration still fails, with what looks like a tomcat
version conflict.

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: 
CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', 
'/tmp/tmpN1J9l_'] returned non-zero exit status 1: u'pkispawn    : ERROR    
........... server did not start after 60s\npkispawn    : ERROR    ....... 
server failed to restart\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the 
following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR    CA configuration failed.
ipapython.admintool: ERROR    The ipa-server-install command failed. See 
/var/log/ipaserver-install.log for more information

root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)

root@usrv1:~# ls -l /usr/share/java/tomcat*anno*
-rw-r--r-- 1 root root 12389 Apr 19 11:53 /usr/share/java/tomcat8-annotations-api-8.5.30.jar
lrwxrwxrwx 1 root root    34 Apr 19 11:53 /usr/share/java/tomcat8-annotations-api.jar -> tomcat8-annotations-api-8.5.30.jar
root@usrv1:~# ls -l /usr/share/java/el-api*
-rw-r--r-- 1 root root 81242 Apr 19 11:53 /usr/share/java/el-api-3.0.jar
root@usrv1:~# ls -l /usr/share/java/oscach*
ls: cannot access '/usr/share/java/oscach*': No such file or directory

If Ubuntu 18.04 has Tomcat 8.5, you are not going to get it working with
the current release of FreeIPA.

We have been working on FreeIPA 4.7 for about half a year now and only
recently dogtag got support for tomcat 8.5. There are still bits and
pieces which are being fixed in dogtag to support FreeIPA 4.7.

I guess currently you aren't going to get any luck with Ubuntu/Debian
builds.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
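A defensive version of the FIPS-mode check that Kees's report and patch are about, added here as an example; it is not code from pki, ipaplatform or FreeIPA. It assumes only the /proc/sys/crypto/fips_enabled flag and the `sysctl crypto.fips_enabled -bn` invocation shown in the error above, and keeps "flag absent" (kernel without FIPS support, the Ubuntu case) apart from "flag unreadable", so the latter is never silently reported as FIPS off.

```python
import os
import subprocess
import tempfile

FIPS_PROC_PATH = "/proc/sys/crypto/fips_enabled"


def fips_enabled(path=FIPS_PROC_PATH):
    """Return True when the kernel reports FIPS mode on.

    Three cases are kept apart on purpose:
      * the flag file is missing (kernel built without FIPS support, as on
        the Ubuntu hosts above): FIPS is off, return False;
      * the flag is present: trust its value, "1" means on;
      * anything else (permission error, unexpected content): raise, so a
        deployment tool never treats an unreadable flag as "off".
    """
    try:
        with open(path) as fh:
            value = fh.read().strip()
    except FileNotFoundError:
        return False
    if value not in ("0", "1"):
        raise ValueError("unexpected content in %s: %r" % (path, value))
    return value == "1"


def fips_enabled_via_sysctl(path=FIPS_PROC_PATH):
    """Same decision, but asking sysctl the way pkihelper.py does.

    sysctl exits non-zero when the key does not exist, so the /proc file is
    checked first; a present-but-unreadable key still raises
    CalledProcessError instead of being mistaken for FIPS off."""
    if not os.path.exists(path):
        return False
    out = subprocess.check_output(["sysctl", "crypto.fips_enabled", "-bn"])
    return out.decode().strip() == "1"


def demo():
    """Constructed sample flags in a temp dir, standing in for /proc/sys/crypto."""
    with tempfile.TemporaryDirectory() as d:
        results = {}
        for name, content in (("on", "1\n"), ("off", "0\n")):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(content)
            results[name] = fips_enabled(p)
        results["missing"] = fips_enabled(os.path.join(d, "no_such_flag"))
        return results


if __name__ == "__main__":
    print(demo())
```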
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org