So I had a running replica on CentOS 7 LXC which started giving me trouble, so I decided to rebuild it.
Now, when running ipa-replica install I get:
2018-11-04T20:12:20Z DEBUG stderr=pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
2018-11-04T20:12:20Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpyZ34z1' returned non-zero exit status 1
, which seems to cause this to fail. Googling around, I find this thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
, where apparently two bugs were filed to fix this, and they were fixed. Are they supposed to land on CentOS 7?
Cheers,
Alex
Alex Corcoles via FreeIPA-users wrote:
> So I had a running replica on CentOS 7 LXC which started giving me trouble, so I decided to rebuild it.
> Now, when running ipa-replica install I get:
> 2018-11-04T20:12:20Z DEBUG stderr=pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
> 2018-11-04T20:12:20Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpyZ34z1' returned non-zero exit status 1
> , which seems to cause this to fail. Googling around, I find this thread:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> , where apparently two bugs were filed to fix this, and they were fixed. Are they supposed to land on CentOS 7?
The bug was in dogtag and not in IPA. It looks like this is only fixed in 10.6.3+ upstream. I don't know if they have or plan to backport this to 10.5.x.
The fix is https://github.com/dogtagpki/pki/commit/11fa1e2c4cc74e93cd1f9486ab12b3e1360a... so I guess worst-case you could manually make the changes before installing.
rob
On Mon, Nov 5, 2018 at 5:36 PM Rob Crittenden rcritten@redhat.com wrote:
> The bug was in dogtag and not in IPA. It looks like this is only fixed in 10.6.3+ upstream. I don't know if they have or plan to backport this to 10.5.x.
> The fix is https://github.com/dogtagpki/pki/commit/11fa1e2c4cc74e93cd1f9486ab12b3e1360a... so I guess worst-case you could manually make the changes before installing.
Oh, should have thought about that. Yeah, will do that and if it works, I'll ask the maintainers of dogtag to backport it. If there are more issues I will report them.
Thanks!
Álex
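Added example, not part of the thread and not the Dogtag fix itself: a preflight check for the condition behind the log above, to run inside the container before the installer. It assumes the sysctl call fails because `/proc/sys/crypto/fips_enabled` is not exposed in the LXC guest; `fips_state` and `preflight` are hypothetical helper names.

```shell
#!/bin/sh
# Preflight check (added example, not Dogtag or FreeIPA code).
# Assumption: `sysctl crypto.fips_enabled -bn` fails in the guest because the
# procfs file backing that key is missing or unreadable there.

# fips_state [FILE] -> prints enabled | disabled | unavailable | unknown
# FILE defaults to the procfs path behind the crypto.fips_enabled sysctl key.
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$f" ]; then
        # Nothing for sysctl to read: report it instead of failing.
        echo unavailable
        return 0
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# preflight [FILE] -> returns 0 when the key can be read and holds 0 or 1,
# returns 1 (with a message on stderr) otherwise.
preflight() {
    state=$(fips_state "$1")
    case "$state" in
        enabled|disabled)
            echo "crypto.fips_enabled readable: FIPS $state"
            return 0 ;;
        unavailable)
            echo "crypto.fips_enabled not exposed here; pkispawn without the Dogtag fix fails on this sysctl call" >&2
            return 1 ;;
        *)
            echo "crypto.fips_enabled has unexpected content: check the host kernel" >&2
            return 1 ;;
    esac
}
```

Source the file and call `preflight` inside the container before starting the replica install; a non-zero return means the installed pkispawn needs the fix first.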