On 03-05-18 12:07, Kees Bakker via FreeIPA-users wrote:
> Hey,
>
> Trying to do a test installation of a FreeIPA server on Ubuntu 18.04.
> It fails setting up the certificate server (pki-tomcatd).
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/28]: configuring certificate server instance
> ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance:
> CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f',
> '/tmp/tmp5ejwx5'] returned non-zero exit status 1: u"pkispawn : ERROR
> ....... subprocess.CalledProcessError: Command '['sysctl',
> 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn
> : ERROR ........... server did not start after 60s\npkispawn : ERROR
> ....... server failed to restart\n")
> ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the
> following files/directories for more information:
> ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> ipapython.admintool: ERROR CA configuration failed.
> ipapython.admintool: ERROR The ipa-server-install command failed. See
> /var/log/ipaserver-install.log for more information
>
> The failing command is: sysctl crypto.fips_enabled -bn
> On my system there is no /proc/sys/crypto.
>
> BTW. I'm installing in an LXC container, the host is Ubuntu 16.04.
> That should not matter, because none of my Ubuntu systems (16.04 and 18.04)
> have /proc/sys/crypto.
>
> The problem seems to be in pki/server/deployment/pkihelper.py
> When the sysctl command fails due to a missing /proc/sys/crypto/fips_enabled
> or even /proc/sys/crypto
> it raises an exception.
>
> Notice that there is an ipaplatform with is_fips_enabled. Shouldn't that be
> used in pkihelper.py?

As a workaround I applied this patch --- pkihelper.py.orig 2018-04-25 07:00:08.000000000 +0000 +++ pkihelper.py 2018-05-03 12:51:19.034143214 +0000 
@@ -2304,11 +2304,10 @@ extra=config.PKI_INDENTATION_LEVEL_3) return False except subprocess.CalledProcessError as exc: - config.pki_log.error( - log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure: - raise + config.pki_log.info( + log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED, + extra=config.PKI_INDENTATION_LEVEL_3) + return False except OSError as exc: config.pki_log.error( log.PKI_OSERROR_1, exc,

But now the pki-tomcat configuration still fails, with what looks like a tomcat version conflict.

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpN1J9l_'] returned non-zero exit status 1: u'pkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
root@usrv1:~# ls -l /usr/share/java/tomcat*anno*
-rw-r--r-- 1 root root 12389 Apr 19 11:53 /usr/share/java/tomcat8-annotations-api-8.5.30.jar
lrwxrwxrwx 1 root root 34 Apr 19 11:53 /usr/share/java/tomcat8-annotations-api.jar -> tomcat8-annotations-api-8.5.30.jar
root@usrv1:~# ls -l /usr/share/java/el-api*
-rw-r--r-- 1 root root 81242 Apr 19 11:53 /usr/share/java/el-api-3.0.jar
root@usrv1:~# ls -l /usr/share/java/oscach*
ls: cannot access '/usr/share/java/oscach*': No such file or directory

--
Kees
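
Review bot: In the `except subprocess.CalledProcessError` branch of the pkihelper.py hunk above, every sysctl failure is now logged as PKIHELPER_FIPS_MODE_IS_NOT_ENABLED and answered with `return False`, which also drops the `if critical_failure: raise` path and the `exc` detail from the log. The case described in this message is a missing /proc/sys/crypto, but the handler cannot tell that apart from a sysctl call that fails for another reason on a host that does have the key, and such a host would then be configured as non-FIPS with only an info-level line to show for it. Suggest narrowing the fallback: return False only when /proc/sys/crypto/fips_enabled is absent, and keep the PKI_SUBPROCESS_ERROR_1 log and the re-raise for every other non-zero exit.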
