Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
>
> installing a new ca replica in an LXC container failed with
>
> [root@ipa5 ~]# ipa-replica-install --no-ntp --setup-ca
> /var/lib/ipa/replica-info-ipa5.example.de.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> [email protected] password:
> Connection check OK
> Configuring directory server (dirsrv). Estimated time: 30 seconds
> [1/41]: creating directory server instance
> [2/41]: enabling ldapi
> [3/41]: configure autobind for root
> :
> :
> Installation failed:
> com.netscape.certsrv.base.PKIException: Error in populating database:
> java.io.IOException: Failed to setup the replication for cloning.
>
> Please check the CA logs in /var/log/pki/pki-tomcat/ca.
>
> 2019-07-17T10:57:43Z DEBUG stderr=pkispawn : ERROR .......
> subprocess.CalledProcessError: Command '['sysctl',
> 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
>
> 2019-07-17T10:57:43Z CRITICAL Failed to configure CA instance: Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpZihcFT' returned non-zero exit
> status 1
> 2019-07-17T10:57:43Z CRITICAL See the installation logs and the
> following files/directories for more information:
> 2019-07-17T10:57:43Z CRITICAL /var/log/pki/pki-tomcat
> 2019-07-17T10:57:43Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 570, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 560, in run_step
> method()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 660, in __spawn_instance
> pki_pin)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 166, in spawn_instance
> self.handle_setup_error(e)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 406, in handle_setup_error
> raise RuntimeError("%s configuration failed." % self.subsystem)
>
>
> [root@ipa5 pki-tomcat]# sysctl crypto.fips_enabled -bn
> sysctl: cannot stat /proc/sys/crypto/fips_enabled: No such file or
> directory
>
> sysctl returns the same error on the host.
>
> This crypto.fips_enabled appears to be something optional, so I wonder if
> I could tell ipa-replica-install in advance?
>
>
> The host is running Debian 9.9 and kernel 4.9.168-1+deb9u2.
> The client is CentOS 7, ipa 4.6.4-10

Bug in dogtag, https://pagure.io/dogtagpki/issue/3039. Fixed in 10.6.3+
according to git tag.

rob
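
A pre-flight check for the failure discussed in this thread, added here as an example (it is not code from the thread, FreeIPA or Dogtag): it reads the FIPS flag file directly instead of calling `sysctl`, reports a missing file as its own state, and flags a host where the flag is absent and the PKI version predates 10.6.3. The function names, the `proc_root` parameter and the sample version strings are assumptions made for the example; the 10.6.3 boundary is the one quoted in the reply above.

```python
import os
import re
import tempfile

FIXED_IN = (10, 6, 3)  # boundary quoted in the thread ("Fixed in 10.6.3+")

def fips_state(proc_root="/proc"):
    """Return 'enabled', 'disabled' or 'absent' without shelling out to sysctl."""
    path = os.path.join(proc_root, "sys", "crypto", "fips_enabled")
    try:
        with open(path) as fh:
            value = fh.read().strip()
    except FileNotFoundError:
        # Same condition that made `sysctl crypto.fips_enabled -bn` exit non-zero.
        return "absent"
    return "enabled" if value == "1" else "disabled"

def parse_version(text):
    """Leading dotted-numeric part of a package version: '10.5.9-6.el7' -> (10, 5, 9)."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(part) for part in match.group(0).split("."))

def replica_ca_preflight(pki_version, proc_root="/proc"):
    """Assumption: a host is affected when the flag is absent and PKI is older than FIXED_IN."""
    state = fips_state(proc_root)
    affected = state == "absent" and parse_version(pki_version) < FIXED_IN
    return {"fips": state, "affected": affected}

def sample_proc_root(value=None):
    """Constructed stand-in for /proc; value=None omits fips_enabled, as on the poster's hosts."""
    root = tempfile.mkdtemp()
    crypto = os.path.join(root, "sys", "crypto")
    os.makedirs(crypto)
    if value is not None:
        with open(os.path.join(crypto, "fips_enabled"), "w") as fh:
            fh.write(value + "\n")
    return root

if __name__ == "__main__":
    # Constructed version strings, not taken from the thread.
    for version in ("10.5.9-6.el7", "10.6.3"):
        print(version, replica_ca_preflight(version, sample_proc_root()))
    print("FIPS flag present and off:",
          replica_ca_preflight("10.5.9-6.el7", sample_proc_root("0")))
```
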
