[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
Timo, thanks a lot for clarification. Maybe you should change the subject of this bug to "Tomcat mostly broken on bionic" to get some more attention ;) -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: Fix Released Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
..waiting on the queue, not in proposed yet -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: Fix Released Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
no, a task for bionic is open and a version still waiting in proposed, it just needs to be fixed in the devel series first -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: Fix Released Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
This bug was fixed in the package tomcat8 - 8.5.30-1ubuntu2 --- tomcat8 (8.5.30-1ubuntu2) cosmic; urgency=medium * support-jre8.diff: Fix running tomcat with JRE8. (LP: #1765616) -- Timo AaltonenTue, 24 Apr 2018 23:47:45 +0300 ** Changed in: tomcat8 (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: Fix Released Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
Right... it was a race condition. Also, increasing the number of CPU and amount of memory in my virtual machine solved the problem. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
the restarts are caused by certmonger requests.. I've added a (very gross) 'sleep 80' to that stage which at least made it pass reliably on my qemu host, but looks like that's not enough. I'll ask upstream why it creates so many requests these days.. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
ipa-server-install still fails for me during step "[24/28]: migrating certificate profiles to LDAP". It gives me the following error: NetworkError: cannot connect to 'https://ipa.labeconomnia.unich.it:8443/ca/rest/account/login': [Errno 111] Connection refused The problem is that, when this error happens, there is no process listening on port 8843 (checked with netstat -tnlp). During previous steps, a java process (Tomcat?) is listening on port 8843, but it periodically goes down and up. Some of these restarts seems triggered by ipa-server-install, but other seems gratuitous. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
dogtag-pki server now runs on bionic using 8.5.30-1ubuntu1.2 from the ppa. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
To confirm, with the PPA the installation continues, and "Configuring certificate server" succeeds. However, now "Configuring the web interface" fails with [12/21]: setting up ssl [error] RuntimeError: Certificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED) ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information and in the log there is this: 2018-05-04T07:48:09Z DEBUG [12/21]: setting up ssl 2018-05-04T07:48:13Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1) 2018-05-04T07:48:18Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1) 2018-05-04T07:48:22Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step method() File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl passwd_fname=key_passwd_file File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert raise RuntimeError("Certificate issuance failed ({})".format(state)) RuntimeError: Certificate issuance failed (CA_REJECTED) -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
** Changed in: tomcat8 (Debian) Status: Unknown => New -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: New Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
I've uploaded a new tomcat8 (8.5.30-1ubuntu1.2) to ppa:freeipa/ppa https://launchpad.net/~freeipa/+archive/ubuntu/ppa -1ubuntu1.1 has an incomplete patch and doesn't work properly ** Changed in: tomcat8 (Ubuntu Bionic) Importance: Undecided => Critical ** Bug watch added: Debian Bug tracker #895866 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895866 ** Also affects: tomcat8 (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895866 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Status in tomcat8 package in Debian: Unknown Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
** Description changed: - DESCRIPTION + [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes - [1/28]: configuring certificate server instance - ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") - ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: - ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat - [error] RuntimeError: CA configuration failed. - ipapython.admintool: ERRORCA configuration failed. - ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information + [1/28]: configuring certificate server instance + ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") + ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: + ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat + [error] RuntimeError: CA configuration failed. + ipapython.admintool: ERRORCA configuration failed. + ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information - ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN: + The cause for this is that tomcat8 is built with JDK9 and is not + compatible with instances that have to use JRE8 for other reasons. - https://pagure.io/dogtagpki/issue/2973 - https://pagure.io/freeipa/issue/7464 + [Test Case] - SYSTEM INFORMATION: + Install freeipa-server, run ipa-server-install. - $ lsb_release -a - No LSB modules are available. - Distributor ID: Ubuntu - Description: Ubuntu Bionic Beaver (development branch) - Release: 18.04 - Codename: bionic + [Regression Potential] - $ sudo dpkg -l | grep freeipa - ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- client - ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files - ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- server - ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration + The fix is a fairly big patch for tomcat8 to modify the code so that it + runs with JRE8. It passes the upstream test suite though, when run with + JRE8 though tomcat itself was built with the default JDK. - $ sudo dpkg -l | grep dogtag - ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite - ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface - ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface + [Other info] - TO REPRODUCE: - - 1. install freeipa-server and freeipa-server-dns - 2. the following installation options (note I have changed confidential details). - - sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXX -p - XXX --mkhomedir --hostname=example.domain.com --ca-signing- - algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty - Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp - - RESULTS - - 1. The above error is produced. - 2. the pkispawn logs show it waiting for the server and timing out. - -2018-04-20 05:30:19 pkispawn: INFO ... executing '/etc/init.d/pki-tomcatd start pki-tomcat' - 2018-04-20 05:30:26 pkispawn: INFO ... checking https://example.com:8443/ca - 2018-04-20 05:30:27 pkispawn: INFO
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: tomcat8 (Ubuntu Bionic) Status: New => Confirmed -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: freeipa (Ubuntu Bionic) Status: New => Confirmed -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
** Changed in: freeipa (Ubuntu Bionic) Status: Confirmed => Invalid -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Invalid Status in tomcat8 source package in Bionic: Confirmed Bug description: [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons. [Test Case] Install freeipa-server, run ipa-server-install. [Regression Potential] The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite though, when run with JRE8 though tomcat itself was built with the default JDK. [Other info] Patch will be sent upstream too. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
Bumping priority, this breaks more than just freeipa/dogtag. I've uploaded a new version to bionic a week ago which adds support for JRE8, but the patch is big and not yet upstream. ** Changed in: tomcat8 (Ubuntu) Importance: Undecided => Critical ** Changed in: tomcat8 (Ubuntu) Status: New => In Progress ** Changed in: tomcat8 (Ubuntu) Assignee: (unassigned) => Timo Aaltonen (tjaalton) ** Also affects: freeipa (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: tomcat8 (Ubuntu Bionic) Importance: Undecided Status: New -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: In Progress Status in freeipa source package in Bionic: Confirmed Status in tomcat8 source package in Bionic: Confirmed Bug description: DESCRIPTION The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN: https://pagure.io/dogtagpki/issue/2973 https://pagure.io/freeipa/issue/7464 SYSTEM INFORMATION: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu Bionic Beaver (development branch) Release: 18.04 Codename: bionic $ sudo dpkg -l | grep freeipa ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- client ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- server ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration $ sudo dpkg -l | grep dogtag ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface TO REPRODUCE: 1. install freeipa-server and freeipa-server-dns 2. the following installation options (note I have changed confidential details). sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXX -p XXX --mkhomedir --hostname=example.domain.com --ca-signing- algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp RESULTS 1. The above error is produced. 2. the pkispawn logs show it waiting for the server and timing out. 2018-04-20 05:30:19 pkispawn: INFO ... executing '/etc/init.d/pki-tomcatd start pki-tomcat' 2018-04-20 05:30:26 pkispawn: INFO ... checking https://example.com:8443/ca 2018-04-20 05:30:27 pkispawn: INFO ... waiting for server to start (1s) 2018-04-20 05:30:28 pkispawn: INFO ... waiting for server to start (2s) 2018-04-20 05:30:29 pkispawn: INFO ... waiting for server to start (3s) 2018-04-20 05:30:30 pkispawn: INFO ... waiting for server to start (4s) 2018-04-20 05:30:31 pkispawn: INFO ... waiting for server to start (5s) ... 2018-04-20 05:31:22
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
** Changed in: freeipa (Ubuntu) Status: Incomplete => Invalid -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Invalid Status in tomcat8 package in Ubuntu: New Bug description: DESCRIPTION The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN: https://pagure.io/dogtagpki/issue/2973 https://pagure.io/freeipa/issue/7464 SYSTEM INFORMATION: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu Bionic Beaver (development branch) Release: 18.04 Codename: bionic $ sudo dpkg -l | grep freeipa ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- client ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- server ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration $ sudo dpkg -l | grep dogtag ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface TO REPRODUCE: 1. install freeipa-server and freeipa-server-dns 2. the following installation options (note I have changed confidential details). sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXX -p XXX --mkhomedir --hostname=example.domain.com --ca-signing- algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp RESULTS 1. The above error is produced. 2. the pkispawn logs show it waiting for the server and timing out. 2018-04-20 05:30:19 pkispawn: INFO ... executing '/etc/init.d/pki-tomcatd start pki-tomcat' 2018-04-20 05:30:26 pkispawn: INFO ... checking https://example.com:8443/ca 2018-04-20 05:30:27 pkispawn: INFO ... waiting for server to start (1s) 2018-04-20 05:30:28 pkispawn: INFO ... waiting for server to start (2s) 2018-04-20 05:30:29 pkispawn: INFO ... waiting for server to start (3s) 2018-04-20 05:30:30 pkispawn: INFO ... waiting for server to start (4s) 2018-04-20 05:30:31 pkispawn: INFO ... waiting for server to start (5s) ... 2018-04-20 05:31:22 pkispawn: INFO ... waiting for server to start (56s) 2018-04-20 05:31:23 pkispawn: INFO ... waiting for server to start (57s) 2018-04-20 05:31:24 pkispawn: INFO ... waiting for server to start (58s) 2018-04-20 05:31:25 pkispawn: INFO ... waiting for server to start (59s) 2018-04-20 05:31:26 pkispawn: ERROR... server did not start after 60s 2018-04-20 05:31:26 pkispawn: ERROR... server failed to restart 2018-04-20 05:31:26 pkispawn: DEBUG... Error Type: Exception 2018-04-20
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
I was able to reproduce this, and the cause is tomcat8 built against newer JDK now with 8.5.30-1 ** Also affects: tomcat8 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Incomplete Status in tomcat8 package in Ubuntu: New Bug description: DESCRIPTION The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN: https://pagure.io/dogtagpki/issue/2973 https://pagure.io/freeipa/issue/7464 SYSTEM INFORMATION: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu Bionic Beaver (development branch) Release: 18.04 Codename: bionic $ sudo dpkg -l | grep freeipa ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- client ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- server ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration $ sudo dpkg -l | grep dogtag ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface TO REPRODUCE: 1. install freeipa-server and freeipa-server-dns 2. the following installation options (note I have changed confidential details). sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXX -p XXX --mkhomedir --hostname=example.domain.com --ca-signing- algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp RESULTS 1. The above error is produced. 2. the pkispawn logs show it waiting for the server and timing out. 2018-04-20 05:30:19 pkispawn: INFO ... executing '/etc/init.d/pki-tomcatd start pki-tomcat' 2018-04-20 05:30:26 pkispawn: INFO ... checking https://example.com:8443/ca 2018-04-20 05:30:27 pkispawn: INFO ... waiting for server to start (1s) 2018-04-20 05:30:28 pkispawn: INFO ... waiting for server to start (2s) 2018-04-20 05:30:29 pkispawn: INFO ... waiting for server to start (3s) 2018-04-20 05:30:30 pkispawn: INFO ... waiting for server to start (4s) 2018-04-20 05:30:31 pkispawn: INFO ... waiting for server to start (5s) ... 2018-04-20 05:31:22 pkispawn: INFO ... waiting for server to start (56s) 2018-04-20 05:31:23 pkispawn: INFO ... waiting for server to start (57s) 2018-04-20 05:31:24 pkispawn: INFO ... waiting for server to start (58s) 2018-04-20 05:31:25 pkispawn: INFO ... waiting for server to start (59s) 2018-04-20 05:31:26 pkispawn: ERROR... server did not start after 60s 2018-04-20 05:31:26 pkispawn: ERROR... server failed
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
curl/ssl not working is probably because the setup didn't get far enough, check /var/log/pki/pki-tomcat/* for errors Are you able to reproduce the setup error each time? The setup is racy on slower machines where the tomcat startup takes "long", some later steps can fail because of that but I haven't seen it this early. The upstream issues seem fixed already, and we have those versions. The error was different there anyway. ** Changed in: freeipa (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: Incomplete Bug description: DESCRIPTION The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN: https://pagure.io/dogtagpki/issue/2973 https://pagure.io/freeipa/issue/7464 SYSTEM INFORMATION: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu Bionic Beaver (development branch) Release: 18.04 Codename: bionic $ sudo dpkg -l | grep freeipa ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- client ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- server ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration $ sudo dpkg -l | grep dogtag ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface TO REPRODUCE: 1. install freeipa-server and freeipa-server-dns 2. the following installation options (note I have changed confidential details). sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXX -p XXX --mkhomedir --hostname=example.domain.com --ca-signing- algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp RESULTS 1. The above error is produced. 2. the pkispawn logs show it waiting for the server and timing out. 2018-04-20 05:30:19 pkispawn: INFO ... executing '/etc/init.d/pki-tomcatd start pki-tomcat' 2018-04-20 05:30:26 pkispawn: INFO ... checking https://example.com:8443/ca 2018-04-20 05:30:27 pkispawn: INFO ... waiting for server to start (1s) 2018-04-20 05:30:28 pkispawn: INFO ... waiting for server to start (2s) 2018-04-20 05:30:29 pkispawn: INFO ... waiting for server to start (3s) 2018-04-20 05:30:30 pkispawn: INFO ... waiting for server to start (4s) 2018-04-20 05:30:31 pkispawn: INFO ... waiting for server to start (5s) ... 2018-04-20 05:31:22 pkispawn: INFO ... waiting for server to start (56s) 2018-04-20 05:31:23 pkispawn: INFO ... waiting for server to start (57s) 2018-04-20 05:31:24 pkispawn: INFO ... waiting for
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
I would also like to ask why freeipa version in this Ubuntu release when from the intended 4.6 to what appears to be 4.7? -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1765616 Title: freeipa server install fails - RuntimeError: CA configuration failed. Status in freeipa package in Ubuntu: New Bug description: DESCRIPTION The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ipapython.admintool: ERRORCA configuration failed. ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN: https://pagure.io/dogtagpki/issue/2973 https://pagure.io/freeipa/issue/7464 SYSTEM INFORMATION: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu Bionic Beaver (development branch) Release: 18.04 Codename: bionic $ sudo dpkg -l | grep freeipa ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- client ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64FreeIPA centralized identity framework -- server ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration $ sudo dpkg -l | grep dogtag ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface TO REPRODUCE: 1. install freeipa-server and freeipa-server-dns 2. the following installation options (note I have changed confidential details). sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXX -p XXX --mkhomedir --hostname=example.domain.com --ca-signing- algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp RESULTS 1. The above error is produced. 2. the pkispawn logs show it waiting for the server and timing out. 2018-04-20 05:30:19 pkispawn: INFO ... executing '/etc/init.d/pki-tomcatd start pki-tomcat' 2018-04-20 05:30:26 pkispawn: INFO ... checking https://example.com:8443/ca 2018-04-20 05:30:27 pkispawn: INFO ... waiting for server to start (1s) 2018-04-20 05:30:28 pkispawn: INFO ... waiting for server to start (2s) 2018-04-20 05:30:29 pkispawn: INFO ... waiting for server to start (3s) 2018-04-20 05:30:30 pkispawn: INFO ... waiting for server to start (4s) 2018-04-20 05:30:31 pkispawn: INFO ... waiting for server to start (5s) ... 2018-04-20 05:31:22 pkispawn: INFO ... waiting for server to start (56s) 2018-04-20 05:31:23 pkispawn: INFO ... waiting for server to start (57s) 2018-04-20 05:31:24 pkispawn: INFO ... waiting for server to start (58s) 2018-04-20 05:31:25 pkispawn: INFO ... waiting for server to start (59s) 2018-04-20 05:31:26 pkispawn: ERROR... server did not start after 60s 2018-04-20 05:31:26 pkispawn: ERROR... server failed to restart 2018-04-20 05:31:26 pkispawn: DEBUG... Error Type: Exception