[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
Right... it was a race condition. Also, increasing the number of CPU and amount of memory in my virtual machine solved the problem. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
the restarts are caused by certmonger requests.. I've added a (very gross) 'sleep 80' to that stage which at least made it pass reliably on my qemu host, but looks like that's not enough. I'll ask upstream why it creates so many requests these days.. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
ipa-server-install still fails for me during step "[24/28]: migrating certificate profiles to LDAP". It gives me the following error: NetworkError: cannot connect to 'https://ipa.labeconomnia.unich.it:8443/ca/rest/account/login': [Errno 111] Connection refused The problem is that, when this error happens, there is no process listening on port 8843 (checked with netstat -tnlp). During previous steps, a java process (Tomcat?) is listening on port 8843, but it periodically goes down and up. Some of these restarts seems triggered by ipa-server-install, but other seems gratuitous. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
dogtag-pki server now runs on bionic using 8.5.30-1ubuntu1.2 from the ppa. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp