Hey,

Trying to do a test installation of a FreeIPA server on Ubuntu 18.04. It fails setting up the certificate server (pki-tomcatd).

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes   [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp5ejwx5'] returned non-zero exit status 1: u"pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn    : ERROR    ........... server did not start after 60s\npkispawn    : ERROR    ....... server failed to restart\n") ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat   [error] RuntimeError: CA configuration failed. ipapython.admintool: ERROR    CA configuration failed. ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The failing command is: sysctl crypto.fips_enabled -bn On my system there is no /proc/sys/crypto.

BTW. I'm installing in a LXC container, the host is Ubuntu 16.04. That should not matter, because none of my Ubuntu systems (16.04 and 18.04) have /proc/sys/crypto.

The problem seems to be in pki/server/deployment/pkihelper.py When the sysctl commands fails due to a missing /proc/sys/crypto/fips_enabled or even /proc/sys/crypto it raises an exception.

Notice that there is a ipaplatform with is_fips_enabled. Shouldn't that be used in pkihelper.py ?