On 06/27/2018 10:25 AM, Rob Crittenden wrote:
John Morris via FreeIPA-users wrote:
On 05/03/2018 08:27 AM, Kees Bakker via FreeIPA-users wrote:
On 03-05-18 12:07, Kees Bakker via FreeIPA-users wrote:
Hey,
Trying to do a test installation of a FreeIPA server on Ubuntu 18.04.
It fails setting up the certificate server (pki-tomcatd).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA
instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s',
'CA', '-f', '/tmp/tmp5ejwx5'] returned non-zero exit status 1:
u"pkispawn : ERROR ....... subprocess.CalledProcessError:
Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero
exit status 255!\npkispawn : ERROR ........... server did not
start after 60s\npkispawn : ERROR ....... server failed to
restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed.
See /var/log/ipaserver-install.log for more information
The failing command is: sysctl crypto.fips_enabled -bn
On my system there is no /proc/sys/crypto.
BTW. I'm installing in a LXC container, the host is Ubuntu 16.04.
That should not matter, because none of my Ubuntu systems (16.04 and 18.04)
have /proc/sys/crypto.
The problem seems to be in pki/server/deployment/pkihelper.py
When the sysctl command fails due to a missing
/proc/sys/crypto/fips_enabled or even /proc/sys/crypto,
it raises an exception.
Notice that there is an ipaplatform with is_fips_enabled. Shouldn't
that be used in pkihelper.py?
I see this same error running the `fedora-27` Docker container (FreeIPA
4.6.3) on CoreOS Container Linux, which also doesn't have
/proc/sys/crypto. I went ahead and filed an issue on Pagure [1].
Is this a known issue? Maybe nobody is trying to run v. 4.6 outside of
a F27 on bare metal environment?
Lots run it in VMs, I don't know about containers. LXC containers aren't
at all tested so you are blazing new ground.
Can you update the ticket with your research details from this thread,
or just add a pointer to the thread?
We'll need to file a sister bug against dogtag to actually fix the
issue.
Thanks, Rob.
I updated the FreeIPA issue: https://pagure.io/freeipa/issue/7608
And created a Dogtag PKI issue: https://pagure.io/dogtagpki/issue/3039
Also, I have a long-standing issue tracking FreeIPA 4.6 support in
containers (though not much relevant to this specific issue yet):
https://github.com/freeipa/freeipa-container/issues/157
John
rob
Thanks-
John
[1]: https://pagure.io/freeipa/issue/7608
As a workaround I applied this patch
--- pkihelper.py.orig 2018-04-25 07:00:08.000000000 +0000
+++ pkihelper.py 2018-05-03 12:51:19.034143214 +0000
@@ -2304,11 +2304,10 @@
extra=config.PKI_INDENTATION_LEVEL_3)
return False
except subprocess.CalledProcessError as exc:
- config.pki_log.error(
- log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure:
- raise
+ config.pki_log.info(
+ log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ return False
except OSError as exc:
config.pki_log.error(
log.PKI_OSERROR_1, exc,
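Review bot: the replacement except branch maps every subprocess.CalledProcessError to "FIPS mode is not enabled" and drops both the PKI_SUBPROCESS_ERROR_1 log line and the `if critical_failure: raise`, so a sysctl failure for any other reason (sysctl missing, permission problems, a malformed command) is now silently read as FIPS off. Narrow it to the missing-key case: test for /proc/sys/crypto/fips_enabled before running sysctl, or inspect exc.returncode / exc.output (the thread shows exit status 255 for the absent key) and only then `return False`, keeping the error log and re-raise for everything else. The added lines use PKI_INDENTATION_LEVEL_3, which matches the `return False` branch just above, so the logging level choice is consistent.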
But now the pki-tomcat configuration still fails, with what looks like
a tomcat version conflict.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA
instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s',
'CA', '-f', '/tmp/tmpN1J9l_'] returned non-zero exit status 1:
u'pkispawn : ERROR ........... server did not start after
60s\npkispawn : ERROR ....... server failed to restart\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed.
See /var/log/ipaserver-install.log for more information
root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out
java.io.FileNotFoundException:
/usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
file or directory)
java.io.FileNotFoundException:
/usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
file or directory)
java.io.FileNotFoundException:
/usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
file or directory)
java.io.FileNotFoundException:
/usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
file or directory)
java.io.FileNotFoundException:
/usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
file or directory)
java.io.FileNotFoundException:
/usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such
file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such
file or directory)
root@usrv1:~# ls -l /usr/share/java/tomcat*anno*
-rw-r--r-- 1 root root 12389 Apr 19 11:53
/usr/share/java/tomcat8-annotations-api-8.5.30.jar
lrwxrwxrwx 1 root root 34 Apr 19 11:53
/usr/share/java/tomcat8-annotations-api.jar ->
tomcat8-annotations-api-8.5.30.jar
root@usrv1:~# ls -l /usr/share/java/el-api*
-rw-r--r-- 1 root root 81242 Apr 19 11:53 /usr/share/java/el-api-3.0.jar
root@usrv1:~# ls -l /usr/share/java/oscach*
ls: cannot access '/usr/share/java/oscach*': No such file or directory
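As an added example (not Dogtag's pkihelper.py and not FreeIPA's ipaplatform), here is a FIPS check that treats a missing /proc/sys/crypto/fips_enabled as "not enabled" while still raising on other failures, which is the distinction the workaround patch above gives up. The function names and the exact sysctl stderr wording are assumptions.

```python
"""FIPS-mode detection that tolerates a kernel without /proc/sys/crypto.

Added example; not Dogtag's pkihelper.py and not FreeIPA's ipaplatform.
"""
import errno
import subprocess

FIPS_PROC_PATH = "/proc/sys/crypto/fips_enabled"
SYSCTL_CMD = ["sysctl", "crypto.fips_enabled", "-bn"]  # same command pkihelper.py runs


def is_fips_enabled(path=FIPS_PROC_PATH):
    """True if the kernel reports FIPS mode, False if it reports 0 or has no
    crypto sysctl at all (the Ubuntu / LXC case); anything else is raised."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError as exc:
        if exc.errno == errno.ENOENT:
            # No /proc/sys/crypto: kernel built without FIPS support.
            return False
        raise  # EACCES and friends are real errors; do not hide them


def fips_from_sysctl(returncode, stdout, stderr):
    """Classify the result of `sysctl crypto.fips_enabled -bn`.

    Only a missing key maps to False; any other non-zero exit is re-raised
    so the caller still sees genuine failures. The stderr substring is an
    assumption about procps' sysctl wording, not taken from the thread."""
    if returncode == 0:
        return stdout.strip() == "1"
    if "No such file or directory" in stderr:
        return False
    raise subprocess.CalledProcessError(returncode, SYSCTL_CMD, stdout, stderr)


def is_fips_enabled_via_sysctl():
    """Run the sysctl command and classify its outcome."""
    proc = subprocess.run(SYSCTL_CMD, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, universal_newlines=True)
    return fips_from_sysctl(proc.returncode, proc.stdout, proc.stderr)


if __name__ == "__main__":
    print("FIPS enabled (procfs):", is_fips_enabled())
```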
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]/message/LCNQ5DLEJHMJMDHSXQVMNDL67K5LIXDM/