[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run
@ahasenack When you said "Uploaded to bionic unapproved", did you mean 1:9.11.3+dfsg-1ubuntu1.3? -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1769440 Title: freeipa server install fails - named-pkcs11 fails to run Status in bind9 package in Ubuntu: Fix Released Status in freeipa package in Ubuntu: Invalid Status in bind9 source package in Bionic: In Progress Bug description: [Impact] Using RTLD_DEEPBIND in bind9 causes the FreeIPA serve install to fail. This patch, also applied in fedora and debian, disables use of RTLD_DEEPBIND. https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b [Test Case] # uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily # uvt-kvm wait cosmic-freeipa # uvt-kvm ssh cosmic-freeipa Inside vm: # sudo su # apt purge -y cloud-init # echo "cosmic-freeipa.example.com" >/etc/hostname # sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts # echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') cosmic-freeipa.example.com" >>/etc/hosts # apt update # apt dist-upgrade -y # reboot # apt install -y freeipa-server * Default Kerberos realm: EXAMPLE.COM * Kerberos servers: cosmic-freeipa.example.com * Administrative server: cosmic-freeipa.example.com Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder # ip addr # ipa-server-install --allow-zone-overlap * Do you want to configure integrated DNS (BIND): YES * Server host name: cosmic-freeipa.example.com * Please confirm the domain name: example.com * Please provide a realm name: EXAMPLE.COM * Directory Manager password: (anything) * IPA admin password: (anything) * Do you want to configure DNS forwarders: yes * Do you want to configure these servers as DNS forwarders?: no * Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before) * Do you want to search for missing reverse zones?: yes Installation should fail. [Regression Potential] In theory, if another library with the exact same symbol is loaded, bind9 may end up calling the wrong function. This is, however, a potential problem with any program that loads shared libraries. [Original Description] Setting up FreeIPA server fails at "Configuring the web interface", step 12/21 It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2 Configuring the web interface (httpd) [1/21]: stopping httpd [2/21]: backing up ssl.conf [3/21]: disabling nss.conf [4/21]: configuring mod_ssl certificate paths [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2 [6/21]: configuring mod_ssl log directory [7/21]: disabling mod_ssl OCSP [8/21]: adding URL rewriting rules [9/21]: configuring httpd [10/21]: setting up httpd keytab [11/21]: configuring Gssproxy [12/21]: setting up ssl [error] RuntimeError: Certificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information and in the log there is 2018-05-05T20:37:29Z DEBUG stderr= 2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec 2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl 2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1) 2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1) 2018-05-05T20:37:42Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl passwd_fname=key_passwd_file File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert raise RuntimeError("Certificate issuance failed ({})".format(state)) RuntimeError: Certificate issuance failed (CA_REJECTED) 2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED) 2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec ute ... To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions ___ Mailing
[Freeipa] [Bug 1772447] Re: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache
Since not everyone knows about the staging PPA (I just found it), the PPA can be found here: https://launchpad.net/~freeipa/+archive/ubuntu/staging With the PPA (4.7.0~pre2-0~ppa3) the installation completes without a problem. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1772447 Title: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache Status in freeipa package in Ubuntu: In Progress Bug description: After having installed FreeIPA on Ubuntu 18.04, I cannot login by the web interface. I think the problem is that Apache uses the certificate in /var/lib/krb5kdc/kdc.crt to get Kerberos credentials. Although this file is readable by everyone, the directory /var/lib/krb5kdc is only accessible by root. After a 'chmod 0755 /var/lib/krb5kdc' it is possible to login trough the web interface. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772447/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1772447] Re: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache
Side note for Timo. There is no tag in the git repo for debian/4.7.0~pre1+git20180411-2 (commit fb666595) -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1772447 Title: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache Status in freeipa package in Ubuntu: In Progress Bug description: After having installed FreeIPA on Ubuntu 18.04, I cannot login by the web interface. I think the problem is that Apache uses the certificate in /var/lib/krb5kdc/kdc.crt to get Kerberos credentials. Although this file is readable by everyone, the directory /var/lib/krb5kdc is only accessible by root. After a 'chmod 0755 /var/lib/krb5kdc' it is possible to login trough the web interface. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772447/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1772447] Re: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache
Sorry for the duplicate in https://bugs.launchpad.net/bugs/1791325. I should have paid more attention. Anyway, there is a fix, what's holding it up? Right now FreeIPA server is useless in 18.04 -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1772447 Title: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache Status in freeipa package in Ubuntu: In Progress Bug description: After having installed FreeIPA on Ubuntu 18.04, I cannot login by the web interface. I think the problem is that Apache uses the certificate in /var/lib/krb5kdc/kdc.crt to get Kerberos credentials. Although this file is readable by everyone, the directory /var/lib/krb5kdc is only accessible by root. After a 'chmod 0755 /var/lib/krb5kdc' it is possible to login trough the web interface. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772447/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc
There was a discussion on the freeipa users list and Alexander Bokovoy was kind enough to explain what was happening. "We need access to the KDC's public certificate in case we are dealing with a KDC certificate issued by a local certmonger (self-signed) which is not trusted by the machine. You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for details. A short version is: When you install 4.5 with --no-pkinit, the installer will generate self-signed certificate for PKINIT. This certificate is only used and trusted by IPA Web UI running on the same server to obtain an anonymous ticket. That anonymous PKINIT is required right now to enable two-factor authentication login to web UI because since FreeIPA 4.5 we cannot use HTTP service keytab anymore: FreeIPA framework lost access to the keytab due to privilege separation work we did (read https://vda.li/en/docs/freeipa-debug-privsep/ for details) Since your KDC PKINIT certificate might be issued by a local self-signed certmonger 'CA' in case you are not using integrated FreeIPA CA, we have to be able to trust *that* public KDC certificate when running 'kinit -n', thus we need access to it. " He also suggested that this should be changed in Ubuntu. If the directory /var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve this issue. The directory /var/lib/krb5kdc is part of the package krb5-kdc. ** Also affects: krb5 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1791325 Title: freeipa server needs read access /var/lib/krb5kdc Status in freeipa package in Ubuntu: New Status in krb5 package in Ubuntu: New Bug description: After installing freeipa-server you cannot login via the browser. You'll get a message: "Login failed due to an unknown reason." In /var/log/apache2/error.log there is this: -8X-8X-- [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] host/usrv1.ijtest...@ijtest.nl: schema(version=u'2.170'): SUCCESS [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: ping(): SUCCESS [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: ca_is_enabled(version=u'2.107'): SUCCESS [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, version=u'2.26'): EmptyModlist [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call last): [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/share/ipa/wsgi.py", line 57, in application [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return api.Backend.wsgi_dispatch(environ, start_response) [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__ [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return self.route(environ, start_response) [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return app(environ,
[Freeipa] [Bug 1791325] [NEW] freeipa server needs read access /var/lib/krb5kdc
Public bug reported: After installing freeipa-server you cannot login via the browser. You'll get a message: "Login failed due to an unknown reason." In /var/log/apache2/error.log there is this: -8X-8X-- [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] host/usrv1.ijtest...@ijtest.nl: schema(version=u'2.170'): SUCCESS [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: ping(): SUCCESS [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: ca_is_enabled(version=u'2.107'): SUCCESS [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, version=u'2.26'): EmptyModlist [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call last): [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/share/ipa/wsgi.py", line 57, in application [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return api.Backend.wsgi_dispatch(environ, start_response) [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__ [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return self.route(environ, start_response) [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return app(environ, start_response) [Thu Sep 06 13:02:22.128872 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in __call__ [Thu Sep 06 13:02:22.128881 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] self.kinit(user_principal, password, ipa_ccache_name) [Thu Sep 06 13:02:22.128886 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in kinit [Thu Sep 06 13:02:22.128892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM], [Thu Sep 06 13:02:22.128898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in kinit_armor [Thu Sep 06 13:02:22.133878 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] run(args, env=env, raiseonerr=True, capture_error=True) [Thu Sep 06 13:02:22.133892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run [Thu Sep 06 13:02:22.138435 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] p.returncode, arg_string, output_log, error_log [Thu Sep 06 13:02:22.138488 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/var/run/ipa/ccaches/armor_6138', '-X', 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Installing libdns-export1100-dbgsym libdns1100-dbgsym libisc-export169-dbgsym helped. I now have debug symbols in view.c -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1769440 Title: freeipa server install fails - Configuring the web interface, setting up ssl Status in freeipa package in Ubuntu: New Bug description: Setting up FreeIPA server fails at "Configuring the web interface", step 12/21 It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2 Configuring the web interface (httpd) [1/21]: stopping httpd [2/21]: backing up ssl.conf [3/21]: disabling nss.conf [4/21]: configuring mod_ssl certificate paths [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2 [6/21]: configuring mod_ssl log directory [7/21]: disabling mod_ssl OCSP [8/21]: adding URL rewriting rules [9/21]: configuring httpd [10/21]: setting up httpd keytab [11/21]: configuring Gssproxy [12/21]: setting up ssl [error] RuntimeError: Certificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information and in the log there is 2018-05-05T20:37:29Z DEBUG stderr= 2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec 2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl 2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1) 2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1) 2018-05-05T20:37:42Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl passwd_fname=key_passwd_file File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert raise RuntimeError("Certificate issuance failed ({})".format(state)) RuntimeError: Certificate issuance failed (CA_REJECTED) 2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED) 2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec ute ... To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
No symbol info for the library :-( -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1769440 Title: freeipa server install fails - Configuring the web interface, setting up ssl Status in freeipa package in Ubuntu: New Bug description: Setting up FreeIPA server fails at "Configuring the web interface", step 12/21 It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2 Configuring the web interface (httpd) [1/21]: stopping httpd [2/21]: backing up ssl.conf [3/21]: disabling nss.conf [4/21]: configuring mod_ssl certificate paths [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2 [6/21]: configuring mod_ssl log directory [7/21]: disabling mod_ssl OCSP [8/21]: adding URL rewriting rules [9/21]: configuring httpd [10/21]: setting up httpd keytab [11/21]: configuring Gssproxy [12/21]: setting up ssl [error] RuntimeError: Certificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information and in the log there is 2018-05-05T20:37:29Z DEBUG stderr= 2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec 2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl 2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1) 2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1) 2018-05-05T20:37:42Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl passwd_fname=key_passwd_file File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert raise RuntimeError("Certificate issuance failed ({})".format(state)) RuntimeError: Certificate issuance failed (CA_REJECTED) 2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED) 2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec ute ... To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
@Timo what is the named command that you used to debug? I can't get named to produce the same error (at view.c:962) when I run it as follows (this is the command I found in the log): /usr/sbin/named-pkcs11 -f -u bind or /usr/sbin/named-pkcs11 -g -u bind It crashes at: 08-May-2018 07:07:41.154 ../../../lib/isc-pkcs11/md5.c:93: fatal error: 08-May-2018 07:07:41.154 RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 0) == 0) failed -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1769440 Title: freeipa server install fails - Configuring the web interface, setting up ssl Status in freeipa package in Ubuntu: New Bug description: Setting up FreeIPA server fails at "Configuring the web interface", step 12/21 It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2 Configuring the web interface (httpd) [1/21]: stopping httpd [2/21]: backing up ssl.conf [3/21]: disabling nss.conf [4/21]: configuring mod_ssl certificate paths [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2 [6/21]: configuring mod_ssl log directory [7/21]: disabling mod_ssl OCSP [8/21]: adding URL rewriting rules [9/21]: configuring httpd [10/21]: setting up httpd keytab [11/21]: configuring Gssproxy [12/21]: setting up ssl [error] RuntimeError: Certificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information and in the log there is 2018-05-05T20:37:29Z DEBUG stderr= 2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec 2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl 2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1) 2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1) 2018-05-05T20:37:42Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl passwd_fname=key_passwd_file File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert raise RuntimeError("Certificate issuance failed ({})".format(state)) RuntimeError: Certificate issuance failed (CA_REJECTED) 2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED) 2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec ute ... To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
When you said: "yep, that's a known issue" you referred to the non-FQDN. But the above error is after I corrected that. So, with a FQDN. BTW, I'm doing the install with --setup-dns. Is that what you do as well? At the end of the installation the nameserver (bind9-pkcs11) does not start anymore. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1769440 Title: freeipa server install fails - Configuring the web interface, setting up ssl Status in freeipa package in Ubuntu: New Bug description: Setting up FreeIPA server fails at "Configuring the web interface", step 12/21 It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2 Configuring the web interface (httpd) [1/21]: stopping httpd [2/21]: backing up ssl.conf [3/21]: disabling nss.conf [4/21]: configuring mod_ssl certificate paths [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2 [6/21]: configuring mod_ssl log directory [7/21]: disabling mod_ssl OCSP [8/21]: adding URL rewriting rules [9/21]: configuring httpd [10/21]: setting up httpd keytab [11/21]: configuring Gssproxy [12/21]: setting up ssl [error] RuntimeError: Certificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information and in the log there is 2018-05-05T20:37:29Z DEBUG stderr= 2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec 2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl 2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1) 2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1) 2018-05-05T20:37:42Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl passwd_fname=key_passwd_file File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert raise RuntimeError("Certificate issuance failed ({})".format(state)) RuntimeError: Certificate issuance failed (CA_REJECTED) 2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED) 2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec ute ... To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
To confirm, with the PPA the installation continues, and "Configuring certificate server" succeeds. However, now "Configuring the web interface" fails with [12/21]: setting up ssl [error] RuntimeError: Certificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information and in the log there is this: 2018-05-04T07:48:09Z DEBUG [12/21]: setting up ssl 2018-05-04T07:48:13Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1) 2018-05-04T07:48:18Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1) 2018-05-04T07:48:22Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl passwd_fname=key_passwd_file File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert raise RuntimeError("Certificate issuance failed ({})".format(state)) RuntimeError: Certificate issuance failed (CA_REJECTED) -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1768865] [NEW] freeipa server installation fails on Bionic due to tomcat conflict
Public bug reported: Installing freeipa server fails at configuring certificate server (pki- tomcatd). ... Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpGu_KPq'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 300s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information Looking more closely in /var/log/pki/pki-tomcat/catalina.out there are a bunch of java.io.FileNotFoundException root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory) This have been discussed on the FreeIPA users list, and the conclusion was: "If Ubuntu 18.04 has Tomcat 8.5, you are not going to get it working with the current release of FreeIPA. We have been working on FreeIPA 4.7 for about a half a year now and only recently dogtag got support for tomcat 8.5. There are still bits and pieces which being fixed in dogtag to support FreeIPA 4.7. I guess currently you aren't going to get any luck with Ubuntu/Debian builds." ** Affects: freeipa (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1768865 Title: freeipa server installation fails on Bionic due to tomcat conflict Status in freeipa package in Ubuntu: New Bug description: Installing freeipa server fails at configuring certificate server (pki-tomcatd). ... Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpGu_KPq'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 300s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information Looking more closely in /var/log/pki/pki-tomcat/catalina.out there are a bunch of java.io.FileNotFoundException root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory) This have been discussed on the FreeIPA users list, and the conclusion was: "If
[Freeipa] [Bug 1653245] [NEW] python-ipalib is missing authconfig
Public bug reported: When doing ipa-backup it will eventually want to do a backup of authconfig. This is a RedHat specific tool, but there is no Ubuntu/Debian replacement. ipa-backup will fail with a Python stack trace. 2016-12-30T10:36:02Z DEBUG Starting external process 2016-12-30T10:36:02Z DEBUG args=/usr/sbin/authconfig --savebackup /var/lib/ipa/auth_backup 2016-12-30T10:36:02Z DEBUG Process execution failed 2016-12-30T10:36:02Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_backup.py", line 310, in run tasks.backup_auth_configuration(auth_backup_path) File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/tasks.py", line 195, in backup_auth_configuration auth_config.backup(path) File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/authconfig.py", line 91, in backup ipautil.run(["/usr/sbin/authconfig", "--savebackup", path]) File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 423, in run preexec_fn=preexec_fn) File "/usr/lib/python2.7/subprocess.py", line 711, in __init__ errread, errwrite) File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child raise child_exception 2016-12-30T10:36:02Z DEBUG The ipa-backup command failed, exception: OSError: [Errno 2] No such file or directory 2016-12-30T10:36:02Z ERROR [Errno 2] No such file or directory 2016-12-30T10:36:02Z ERROR The ipa-backup command failed. See /var/log/ipabackup.log for more information ** Affects: freeipa (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1653245 Title: python-ipalib is missing authconfig Status in freeipa package in Ubuntu: New Bug description: When doing ipa-backup it will eventually want to do a backup of authconfig. This is a RedHat specific tool, but there is no Ubuntu/Debian replacement. ipa-backup will fail with a Python stack trace. 2016-12-30T10:36:02Z DEBUG Starting external process 2016-12-30T10:36:02Z DEBUG args=/usr/sbin/authconfig --savebackup /var/lib/ipa/auth_backup 2016-12-30T10:36:02Z DEBUG Process execution failed 2016-12-30T10:36:02Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_backup.py", line 310, in run tasks.backup_auth_configuration(auth_backup_path) File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/tasks.py", line 195, in backup_auth_configuration auth_config.backup(path) File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/authconfig.py", line 91, in backup ipautil.run(["/usr/sbin/authconfig", "--savebackup", path]) File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 423, in run preexec_fn=preexec_fn) File "/usr/lib/python2.7/subprocess.py", line 711, in __init__ errread, errwrite) File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child raise child_exception 2016-12-30T10:36:02Z DEBUG The ipa-backup command failed, exception: OSError: [Errno 2] No such file or directory 2016-12-30T10:36:02Z ERROR [Errno 2] No such file or directory 2016-12-30T10:36:02Z ERROR The ipa-backup command failed. See /var/log/ipabackup.log for more information To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1653245/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp