** Description changed: - DESCRIPTION + [Impact] The issue occurs while installing IPA server. More specifically whist configuring pki-tomcatd. The following error is produced. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes - [1/28]: configuring certificate server instance - ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n") - ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: - ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat - [error] RuntimeError: CA configuration failed. - ipapython.admintool: ERROR CA configuration failed. - ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information + [1/28]: configuring certificate server instance + ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n") + ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: + ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat + [error] RuntimeError: CA configuration failed. + ipapython.admintool: ERROR CA configuration failed. 
+ ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information - ISSUES APPEARS TO BE THE SAME AS THAT FOUND IN: + The cause for this is that tomcat8 is built with JDK9 and is not + compatible with instances that have to use JRE8 for other reasons. - https://pagure.io/dogtagpki/issue/2973 - https://pagure.io/freeipa/issue/7464 + [Test Case] - SYSTEM INFORMATION: + Install freeipa-server, run ipa-server-install. - $ lsb_release -a - No LSB modules are available. - Distributor ID: Ubuntu - Description: Ubuntu Bionic Beaver (development branch) - Release: 18.04 - Codename: bionic + [Regression Potential] - $ sudo dpkg -l | grep freeipa - ii freeipa-client 4.7.0~pre1+git20180411-2ubuntu1 amd64 FreeIPA centralized identity framework -- client - ii freeipa-common 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- common files - ii freeipa-server 4.7.0~pre1+git20180411-2ubuntu1 amd64 FreeIPA centralized identity framework -- server - ii freeipa-server-dns 4.7.0~pre1+git20180411-2ubuntu1 all FreeIPA centralized identity framework -- IPA DNS integration + The fix is a fairly big patch for tomcat8 to modify the code so that it + runs with JRE8. It passes the upstream test suite though, when run with + JRE8 though tomcat itself was built with the default JDK. - $ sudo dpkg -l | grep dogtag - ii dogtag-pki 10.6.0-1ubuntu1 all Dogtag Public Key Infrastructure (PKI) Suite - ii dogtag-pki-console-theme 10.6.0-1ubuntu1 all Certificate System - PKI Console User Interface - ii dogtag-pki-server-theme 10.6.0-1ubuntu1 all Certificate System - PKI Server User Interface + [Other info] - TO REPRODUCE: - - 1. install freeipa-server and freeipa-server-dns - 2. the following installation options (note I have changed confidential details). 
- - sudo ipa-server-install -r EXAMPLE.COM -n example.com -a XXXXXXX -p - XXXXXXX --mkhomedir --hostname=example.domain.com --ca-signing- - algorithm=SHA512withRSA --subject="OU=Office of Funny Walks,O=Monty - Python,L=London,ST=Greater London,C=UK" --unattended --no-ntp - - RESULTS - - 1. The above error is produced. - 2. the pkispawn logs show it waiting for the server and timing out. - - 2018-04-20 05:30:19 pkispawn : INFO ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat' - 2018-04-20 05:30:26 pkispawn : INFO ........... checking https://example.com:8443/ca - 2018-04-20 05:30:27 pkispawn : INFO ........... waiting for server to start (1s) - 2018-04-20 05:30:28 pkispawn : INFO ........... waiting for server to start (2s) - 2018-04-20 05:30:29 pkispawn : INFO ........... waiting for server to start (3s) - 2018-04-20 05:30:30 pkispawn : INFO ........... waiting for server to start (4s) - 2018-04-20 05:30:31 pkispawn : INFO ........... waiting for server to start (5s) - - ... - - 2018-04-20 05:31:22 pkispawn : INFO ........... waiting for server to start (56s) - 2018-04-20 05:31:23 pkispawn : INFO ........... waiting for server to start (57s) - 2018-04-20 05:31:24 pkispawn : INFO ........... waiting for server to start (58s) - 2018-04-20 05:31:25 pkispawn : INFO ........... waiting for server to start (59s) - 2018-04-20 05:31:26 pkispawn : ERROR ........... server did not start after 60s - 2018-04-20 05:31:26 pkispawn : ERROR ....... server failed to restart - 2018-04-20 05:31:26 pkispawn : DEBUG ....... Error Type: Exception - 2018-04-20 05:31:26 pkispawn : DEBUG ....... Error Message: server failed to restart - 2018-04-20 05:31:26 pkispawn : DEBUG ....... File "/usr/lib/python2.7/dist-packages/pki/server/pkispawn.py", line 534, in main - scriptlet.spawn(deployer) - File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 1022, in spawn - raise Exception("server failed to restart") - - 3. 
Tomcat services appear to be running - - systemctl -l status pki-tomcatd - ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time - Loaded: loaded (/etc/init.d/pki-tomcatd; generated) - Active: active (running) since Fri 2018-04-20 06:42:42 UTC; 28min ago - Docs: man:systemd-sysv-generator(8) - Process: 23764 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=0/SUCCESS) - Tasks: 98 (limit: 4915) - CGroup: /system.slice/pki-tomcatd.service - └─23951 /usr/share/pki/java-home/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -DRESTEASY_LIB=/usr/share/java/ -Djava. - - 4. Trying to curl to ca endpoint results in no response error - - curl -k -v https://example.com:8443/ca - * Trying 10.5.8.88... - * TCP_NODELAY set - * Connected to example.com (10.5.8.88) port 8443 (#0) - * ALPN, offering h2 - * ALPN, offering http/1.1 - * successfully set certificate verify locations: - * CAfile: /etc/ssl/certs/ca-certificates.crt - CApath: /etc/ssl/certs - * TLSv1.2 (OUT), TLS handshake, Client hello (1): - * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443 - * Closing connection 0 - curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:8443 + Patch will be sent upstream too.
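Review bot: the new [Test Case] ("Install freeipa-server, run ipa-server-install") no longer carries the exact invocation or the failure signature that the removed TO REPRODUCE and RESULTS sections had, so whoever verifies the fix has no stated pass criterion. Suggest keeping the ipa-server-install options and stating that the "[1/28]: configuring certificate server instance" step must complete without "CA configuration failed". The rewrite also drops the references to https://pagure.io/dogtagpki/issue/2973 and https://pagure.io/freeipa/issue/7464; keeping them under [Other info] would preserve the link to the upstream reports. Finally, [Impact] still quotes the failing 'sysctl crypto.fips_enabled -bn' call while the stated cause is the tomcat8 JDK9/JRE8 mismatch, and the description does not say how the two relate; one sentence connecting them would help.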
https://bugs.launchpad.net/bugs/1765616
Title: freeipa server install fails - RuntimeError: CA configuration failed.
