Hey,
Trying to do a test installation of a FreeIPA server on Ubuntu 18.04. It fails setting up the certificate server (pki-tomcatd).

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp5ejwx5'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The failing command is:

    sysctl crypto.fips_enabled -bn

On my system there is no /proc/sys/crypto.
BTW, I'm installing in an LXC container; the host is Ubuntu 16.04. That should not matter, because none of my Ubuntu systems (16.04 and 18.04) have /proc/sys/crypto.
The problem seems to be in pki/server/deployment/pkihelper.py. When the sysctl command fails due to a missing /proc/sys/crypto/fips_enabled or even /proc/sys/crypto, it raises an exception.
Notice that there is an ipaplatform with is_fips_enabled. Shouldn't that be used in pkihelper.py?
freeipa-users@lists.fedorahosted.org
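
An added example, not part of the original post and not code from pkihelper.py or ipaplatform: a FIPS-mode check that reads /proc/sys/crypto/fips_enabled directly and treats a missing file or directory as "FIPS not available" instead of raising, which is the case the post hits on Ubuntu and in the LXC container. The function names read_fips_state and fips_mode_enabled are hypothetical, and the directory tree used in demo() is constructed for the example.

```python
import errno
import os
import tempfile

# The file the post names; absent on kernels or containers without the FIPS knob.
PROC_FIPS_ENABLED = "/proc/sys/crypto/fips_enabled"


def read_fips_state(path=PROC_FIPS_ENABLED):
    """Return 'enabled', 'disabled' or 'unavailable' (hypothetical helper)."""
    try:
        with open(path, "r") as f:
            value = f.read().strip()
    except (IOError, OSError) as e:
        # Missing file or missing /proc/sys/crypto: report it, do not fail.
        if e.errno in (errno.ENOENT, errno.ENOTDIR):
            return "unavailable"
        raise  # e.g. permission denied is a real problem; do not mask it
    if value == "1":
        return "enabled"
    if value == "0":
        return "disabled"
    # Anything else is unexpected; refuse to guess the crypto policy.
    raise ValueError("unexpected content in %s: %r" % (path, value))


def fips_mode_enabled(path=PROC_FIPS_ENABLED):
    """Boolean view: only an explicit '1' counts as FIPS mode (hypothetical)."""
    return read_fips_state(path) == "enabled"


def demo():
    """Exercise the three cases against a constructed directory tree."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "crypto", "fips_enabled")
    results = {"missing": read_fips_state(target)}  # parent dir absent
    os.mkdir(os.path.join(root, "crypto"))
    for label, content in (("on", "1\n"), ("off", "0\n")):
        with open(target, "w") as f:
            f.write(content)
        results[label] = read_fips_state(target)
    return results


if __name__ == "__main__":
    print(demo())
```

Keeping "unavailable" separate from "disabled" lets an installer log that the kernel exposes no FIPS setting while still proceeding with non-FIPS defaults.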