To confirm, with the PPA the installation continues, and "Configuring
certificate server" succeeds.
However, now "Configuring the web interface" fails with
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
and in the log there is this:
2018-05-04T07:48:09Z DEBUG [12/21]: setting up ssl
2018-05-04T07:48:13Z DEBUG certmonger request is in state
dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-04T07:48:18Z DEBUG certmonger request is in state
dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-04T07:48:22Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py",
line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line
320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616
Title:
freeipa server install fails - RuntimeError: CA configuration failed.
Status in freeipa package in Ubuntu:
Invalid
Status in tomcat8 package in Ubuntu:
In Progress
Status in freeipa source package in Bionic:
Invalid
Status in tomcat8 source package in Bionic:
Confirmed
Status in tomcat8 package in Debian:
New
Bug description:
[Impact]
The issue occurs while installing IPA server. More specifically whist
configuring pki-tomcatd. The following error is produced.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA
instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f',
'/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn : ERROR
....... subprocess.CalledProcessError: Command '['sysctl',
'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn
: ERROR ........... server did not start after 60s\npkispawn : ERROR
....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and
the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
The cause for this is that tomcat8 is built with JDK9 and is not
compatible with instances that have to use JRE8 for other reasons.
[Test Case]
Install freeipa-server, run ipa-server-install.
[Regression Potential]
The fix is a fairly big patch for tomcat8 to modify the code so that
it runs with JRE8. It passes the upstream test suite though, when run
with JRE8 though tomcat itself was built with the default JDK.
[Other info]
Patch will be sent upstream too.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help : https://help.launchpad.net/ListHelp
