[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run
@ahasenack When you said "Uploaded to bionic unapproved", did you mean
1:9.11.3+dfsg-1ubuntu1.3?
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440
Title:
freeipa server install fails - named-pkcs11 fails to run
Status in bind9 package in Ubuntu:
Fix Released
Status in freeipa package in Ubuntu:
Invalid
Status in bind9 source package in Bionic:
In Progress
Bug description:
[Impact]
Using RTLD_DEEPBIND in bind9 causes the FreeIPA serve install to fail.
This patch, also applied in fedora and debian, disables use of RTLD_DEEPBIND.
https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b
[Test Case]
# uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
# uvt-kvm wait cosmic-freeipa
# uvt-kvm ssh cosmic-freeipa
Inside vm:
# sudo su
# apt purge -y cloud-init
# echo "cosmic-freeipa.example.com" >/etc/hostname
# sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
# echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut
-f1 -d'/') cosmic-freeipa.example.com" >>/etc/hosts
# apt update
# apt dist-upgrade -y
# reboot
# apt install -y freeipa-server
* Default Kerberos realm: EXAMPLE.COM
* Kerberos servers: cosmic-freeipa.example.com
* Administrative server: cosmic-freeipa.example.com
Get machine's ip address. You'll be using the x.x.x.1 address for the DNS
forwarder
# ip addr
# ipa-server-install --allow-zone-overlap
* Do you want to configure integrated DNS (BIND): YES
* Server host name: cosmic-freeipa.example.com
* Please confirm the domain name: example.com
* Please provide a realm name: EXAMPLE.COM
* Directory Manager password: (anything)
* IPA admin password: (anything)
* Do you want to configure DNS forwarders: yes
* Do you want to configure these servers as DNS forwarders?: no
* Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1
address from before)
* Do you want to search for missing reverse zones?: yes
Installation should fail.
[Regression Potential]
In theory, if another library with the exact same symbol is loaded,
bind9 may end up calling the wrong function. This is, however, a
potential problem with any program that loads shared libraries.
[Original Description]
Setting up FreeIPA server fails at "Configuring the web interface",
step 12/21
It's in a cleanly started LXC Ubuntu Bionic container. The
ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORThe ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
and in the log there is
2018-05-05T20:37:29Z DEBUG stderr=
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state
dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state
dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py",
line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line
320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance
failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG File
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec
ute
...
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions
___
Mailing
[Freeipa] [Bug 1772447] Re: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache
Since not everyone knows about the staging PPA (I just found it), the PPA can be found here: https://launchpad.net/~freeipa/+archive/ubuntu/staging With the PPA (4.7.0~pre2-0~ppa3) the installation completes without a problem. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1772447 Title: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache Status in freeipa package in Ubuntu: In Progress Bug description: After having installed FreeIPA on Ubuntu 18.04, I cannot login by the web interface. I think the problem is that Apache uses the certificate in /var/lib/krb5kdc/kdc.crt to get Kerberos credentials. Although this file is readable by everyone, the directory /var/lib/krb5kdc is only accessible by root. After a 'chmod 0755 /var/lib/krb5kdc' it is possible to login trough the web interface. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772447/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1772447] Re: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache
Side note for Timo. There is no tag in the git repo for debian/4.7.0~pre1+git20180411-2 (commit fb666595) -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1772447 Title: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache Status in freeipa package in Ubuntu: In Progress Bug description: After having installed FreeIPA on Ubuntu 18.04, I cannot login by the web interface. I think the problem is that Apache uses the certificate in /var/lib/krb5kdc/kdc.crt to get Kerberos credentials. Although this file is readable by everyone, the directory /var/lib/krb5kdc is only accessible by root. After a 'chmod 0755 /var/lib/krb5kdc' it is possible to login trough the web interface. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772447/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1772447] Re: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache
Sorry for the duplicate in https://bugs.launchpad.net/bugs/1791325. I should have paid more attention. Anyway, there is a fix, what's holding it up? Right now FreeIPA server is useless in 18.04 -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1772447 Title: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache Status in freeipa package in Ubuntu: In Progress Bug description: After having installed FreeIPA on Ubuntu 18.04, I cannot login by the web interface. I think the problem is that Apache uses the certificate in /var/lib/krb5kdc/kdc.crt to get Kerberos credentials. Although this file is readable by everyone, the directory /var/lib/krb5kdc is only accessible by root. After a 'chmod 0755 /var/lib/krb5kdc' it is possible to login trough the web interface. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772447/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc
There was a discussion on the freeipa users list and Alexander Bokovoy was kind enough to explain what was happening. "We need access to the KDC's public certificate in case we are dealing with a KDC certificate issued by a local certmonger (self-signed) which is not trusted by the machine. You can read https://www.freeipa.org/page/V4/Kerberos_PKINIT for details. A short version is: When you install 4.5 with --no-pkinit, the installer will generate self-signed certificate for PKINIT. This certificate is only used and trusted by IPA Web UI running on the same server to obtain an anonymous ticket. That anonymous PKINIT is required right now to enable two-factor authentication login to web UI because since FreeIPA 4.5 we cannot use HTTP service keytab anymore: FreeIPA framework lost access to the keytab due to privilege separation work we did (read https://vda.li/en/docs/freeipa-debug-privsep/ for details) Since your KDC PKINIT certificate might be issued by a local self-signed certmonger 'CA' in case you are not using integrated FreeIPA CA, we have to be able to trust *that* public KDC certificate when running 'kinit -n', thus we need access to it. " He also suggested that this should be changed in Ubuntu. If the directory /var/lib/krb5kdc becomes readable (perhaps chmod 711) then it would solve this issue. The directory /var/lib/krb5kdc is part of the package krb5-kdc. ** Also affects: krb5 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1791325 Title: freeipa server needs read access /var/lib/krb5kdc Status in freeipa package in Ubuntu: New Status in krb5 package in Ubuntu: New Bug description: After installing freeipa-server you cannot login via the browser. You'll get a message: "Login failed due to an unknown reason." In /var/log/apache2/error.log there is this: -8X-8X-- [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] host/usrv1.ijtest...@ijtest.nl: schema(version=u'2.170'): SUCCESS [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: ping(): SUCCESS [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: ca_is_enabled(version=u'2.107'): SUCCESS [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, version=u'2.26'): EmptyModlist [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call last): [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/share/ipa/wsgi.py", line 57, in application [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return api.Backend.wsgi_dispatch(environ, start_response) [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__ [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return self.route(environ, start_response) [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return app(environ,
[Freeipa] [Bug 1791325] [NEW] freeipa server needs read access /var/lib/krb5kdc
Public bug reported: After installing freeipa-server you cannot login via the browser. You'll get a message: "Login failed due to an unknown reason." In /var/log/apache2/error.log there is this: -8X-8X-- [Thu Sep 06 12:00:28.720410 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38596] ipa: INFO: [jsonserver_kerb] host/usrv1.ijtest...@ijtest.nl: schema(version=u'2.170'): SUCCESS [Thu Sep 06 12:01:00.010427 2018] [:warn] [pid 6140:tid 140076243191552] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:00.099271 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: ping(): SUCCESS [Thu Sep 06 12:01:00.101695 2018] [:warn] [pid 6140:tid 140076130498304] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:00.273013 2018] [wsgi:error] [pid 6137:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: ca_is_enabled(version=u'2.107'): SUCCESS [Thu Sep 06 12:01:02.805635 2018] [:warn] [pid 6140:tid 140076234798848] [client 10.83.0.11:38608] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~usrv1.ijtest...@ijtest.nl)!, referer: https://usrv1.ijtest.nl/ipa/xml [Thu Sep 06 12:01:02.999541 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 10.83.0.11:38608] ipa: INFO: [jsonserver_session] host/usrv1.ijtest...@ijtest.nl: host_mod(u'usrv1.ijtest.nl', ipasshpubkey=(), updatedns=False, version=u'2.26'): EmptyModlist [Thu Sep 06 13:02:22.125841 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] mod_wsgi (pid=6138): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'. [Thu Sep 06 13:02:22.125877 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] Traceback (most recent call last): [Thu Sep 06 13:02:22.125898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/share/ipa/wsgi.py", line 57, in application [Thu Sep 06 13:02:22.125961 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return api.Backend.wsgi_dispatch(environ, start_response) [Thu Sep 06 13:02:22.125972 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 265, in __call__ [Thu Sep 06 13:02:22.128833 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return self.route(environ, start_response) [Thu Sep 06 13:02:22.128846 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 277, in route [Thu Sep 06 13:02:22.128860 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] return app(environ, start_response) [Thu Sep 06 13:02:22.128872 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 935, in __call__ [Thu Sep 06 13:02:22.128881 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] self.kinit(user_principal, password, ipa_ccache_name) [Thu Sep 06 13:02:22.128886 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 971, in kinit [Thu Sep 06 13:02:22.128892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM], [Thu Sep 06 13:02:22.128898 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipalib/install/kinit.py", line 125, in kinit_armor [Thu Sep 06 13:02:22.133878 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] run(args, env=env, raiseonerr=True, capture_error=True) [Thu Sep 06 13:02:22.133892 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 572, in run [Thu Sep 06 13:02:22.138435 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] p.returncode, arg_string, output_log, error_log [Thu Sep 06 13:02:22.138488 2018] [wsgi:error] [pid 6138:tid 140075658061568] [remote 172.16.16.30:38014] CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/var/run/ipa/ccaches/armor_6138', '-X', 'X509_anchors=FILE:/var/lib/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Installing libdns-export1100-dbgsym libdns1100-dbgsym libisc-export169-dbgsym
helped. I now have debug symbols in view.c
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440
Title:
freeipa server install fails - Configuring the web interface, setting
up ssl
Status in freeipa package in Ubuntu:
New
Bug description:
Setting up FreeIPA server fails at "Configuring the web interface",
step 12/21
It's in a cleanly started LXC Ubuntu Bionic container. The
ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORThe ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
and in the log there is
2018-05-05T20:37:29Z DEBUG stderr=
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state
dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state
dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py",
line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line
320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance
failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG File
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec
ute
...
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions
___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
No symbol info for the library :-(
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440
Title:
freeipa server install fails - Configuring the web interface, setting
up ssl
Status in freeipa package in Ubuntu:
New
Bug description:
Setting up FreeIPA server fails at "Configuring the web interface",
step 12/21
It's in a cleanly started LXC Ubuntu Bionic container. The
ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORThe ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
and in the log there is
2018-05-05T20:37:29Z DEBUG stderr=
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state
dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state
dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py",
line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line
320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance
failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG File
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec
ute
...
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions
___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
@Timo what is the named command that you used to debug? I can't get named
to produce the same error (at view.c:962) when I run it as follows (this
is the command I found in the log):
/usr/sbin/named-pkcs11 -f -u bind
or
/usr/sbin/named-pkcs11 -g -u bind
It crashes at:
08-May-2018 07:07:41.154 ../../../lib/isc-pkcs11/md5.c:93: fatal error:
08-May-2018 07:07:41.154 RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 0) == 0)
failed
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440
Title:
freeipa server install fails - Configuring the web interface, setting
up ssl
Status in freeipa package in Ubuntu:
New
Bug description:
Setting up FreeIPA server fails at "Configuring the web interface",
step 12/21
It's in a cleanly started LXC Ubuntu Bionic container. The
ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORThe ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
and in the log there is
2018-05-05T20:37:29Z DEBUG stderr=
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state
dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state
dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py",
line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line
320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance
failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG File
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec
ute
...
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions
___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
When you said: "yep, that's a known issue" you referred to the non-FQDN. But
the above
error is after I corrected that. So, with a FQDN.
BTW, I'm doing the install with --setup-dns. Is that what you do as well?
At the end of the installation the nameserver (bind9-pkcs11) does not start
anymore.
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440
Title:
freeipa server install fails - Configuring the web interface, setting
up ssl
Status in freeipa package in Ubuntu:
New
Bug description:
Setting up FreeIPA server fails at "Configuring the web interface",
step 12/21
It's in a cleanly started LXC Ubuntu Bionic container. The
ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORThe ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
and in the log there is
2018-05-05T20:37:29Z DEBUG stderr=
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state
dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state
dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py",
line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line
320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance
failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG File
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec
ute
...
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions
___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
To confirm, with the PPA the installation continues, and "Configuring
certificate server" succeeds.
However, now "Configuring the web interface" fails with
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED)
ipapython.admintool: ERRORThe ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
and in the log there is this:
2018-05-04T07:48:09Z DEBUG [12/21]: setting up ssl
2018-05-04T07:48:13Z DEBUG certmonger request is in state
dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-04T07:48:18Z DEBUG certmonger request is in state
dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-04T07:48:22Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py",
line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line
320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616
Title:
freeipa server install fails - RuntimeError: CA configuration failed.
Status in freeipa package in Ubuntu:
Invalid
Status in tomcat8 package in Ubuntu:
In Progress
Status in freeipa source package in Bionic:
Invalid
Status in tomcat8 source package in Bionic:
Confirmed
Status in tomcat8 package in Debian:
New
Bug description:
[Impact]
The issue occurs while installing IPA server. More specifically whist
configuring pki-tomcatd. The following error is produced.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA
instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f',
'/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR
... subprocess.CalledProcessError: Command '['sysctl',
'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn
: ERROR... server did not start after 60s\npkispawn: ERROR
... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and
the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERRORCA configuration failed.
ipapython.admintool: ERRORThe ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
The cause for this is that tomcat8 is built with JDK9 and is not
compatible with instances that have to use JRE8 for other reasons.
[Test Case]
Install freeipa-server, run ipa-server-install.
[Regression Potential]
The fix is a fairly big patch for tomcat8 to modify the code so that
it runs with JRE8. It passes the upstream test suite though, when run
with JRE8 though tomcat itself was built with the default JDK.
[Other info]
Patch will be sent upstream too.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions
___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1768865] [NEW] freeipa server installation fails on Bionic due to tomcat conflict
Public bug reported: Installing freeipa server fails at configuring certificate server (pki- tomcatd). ... Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpGu_KPq'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 300s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information Looking more closely in /var/log/pki/pki-tomcat/catalina.out there are a bunch of java.io.FileNotFoundException root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory) This have been discussed on the FreeIPA users list, and the conclusion was: "If Ubuntu 18.04 has Tomcat 8.5, you are not going to get it working with the current release of FreeIPA. We have been working on FreeIPA 4.7 for about a half a year now and only recently dogtag got support for tomcat 8.5. There are still bits and pieces which being fixed in dogtag to support FreeIPA 4.7. I guess currently you aren't going to get any luck with Ubuntu/Debian builds." ** Affects: freeipa (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1768865 Title: freeipa server installation fails on Bionic due to tomcat conflict Status in freeipa package in Ubuntu: New Bug description: Installing freeipa server fails at configuring certificate server (pki-tomcatd). ... Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpGu_KPq'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 300s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information Looking more closely in /var/log/pki/pki-tomcat/catalina.out there are a bunch of java.io.FileNotFoundException root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory) java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory) This have been discussed on the FreeIPA users list, and the conclusion was: "If
[Freeipa] [Bug 1653245] [NEW] python-ipalib is missing authconfig
Public bug reported: When doing ipa-backup it will eventually want to do a backup of authconfig. This is a RedHat specific tool, but there is no Ubuntu/Debian replacement. ipa-backup will fail with a Python stack trace. 2016-12-30T10:36:02Z DEBUG Starting external process 2016-12-30T10:36:02Z DEBUG args=/usr/sbin/authconfig --savebackup /var/lib/ipa/auth_backup 2016-12-30T10:36:02Z DEBUG Process execution failed 2016-12-30T10:36:02Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_backup.py", line 310, in run tasks.backup_auth_configuration(auth_backup_path) File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/tasks.py", line 195, in backup_auth_configuration auth_config.backup(path) File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/authconfig.py", line 91, in backup ipautil.run(["/usr/sbin/authconfig", "--savebackup", path]) File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 423, in run preexec_fn=preexec_fn) File "/usr/lib/python2.7/subprocess.py", line 711, in __init__ errread, errwrite) File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child raise child_exception 2016-12-30T10:36:02Z DEBUG The ipa-backup command failed, exception: OSError: [Errno 2] No such file or directory 2016-12-30T10:36:02Z ERROR [Errno 2] No such file or directory 2016-12-30T10:36:02Z ERROR The ipa-backup command failed. See /var/log/ipabackup.log for more information ** Affects: freeipa (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1653245 Title: python-ipalib is missing authconfig Status in freeipa package in Ubuntu: New Bug description: When doing ipa-backup it will eventually want to do a backup of authconfig. This is a RedHat specific tool, but there is no Ubuntu/Debian replacement. ipa-backup will fail with a Python stack trace. 2016-12-30T10:36:02Z DEBUG Starting external process 2016-12-30T10:36:02Z DEBUG args=/usr/sbin/authconfig --savebackup /var/lib/ipa/auth_backup 2016-12-30T10:36:02Z DEBUG Process execution failed 2016-12-30T10:36:02Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_backup.py", line 310, in run tasks.backup_auth_configuration(auth_backup_path) File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/tasks.py", line 195, in backup_auth_configuration auth_config.backup(path) File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/authconfig.py", line 91, in backup ipautil.run(["/usr/sbin/authconfig", "--savebackup", path]) File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 423, in run preexec_fn=preexec_fn) File "/usr/lib/python2.7/subprocess.py", line 711, in __init__ errread, errwrite) File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child raise child_exception 2016-12-30T10:36:02Z DEBUG The ipa-backup command failed, exception: OSError: [Errno 2] No such file or directory 2016-12-30T10:36:02Z ERROR [Errno 2] No such file or directory 2016-12-30T10:36:02Z ERROR The ipa-backup command failed. See /var/log/ipabackup.log for more information To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1653245/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
