Hey,
Trying to do a test installation of a FreeIPA server on Ubuntu 18.04. It fails setting up the certificate server (pki-tomcatd).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp5ejwx5'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The failing command is: sysctl crypto.fips_enabled -bn
On my system there is no /proc/sys/crypto.
BTW. I'm installing in an LXC container, the host is Ubuntu 16.04. That should not matter, because none of my Ubuntu systems (16.04 and 18.04) have /proc/sys/crypto.
The problem seems to be in pki/server/deployment/pkihelper.py. When the sysctl command fails due to a missing /proc/sys/crypto/fips_enabled or even /proc/sys/crypto it raises an exception.
Notice that there is an ipaplatform with is_fips_enabled. Shouldn't that be used in pkihelper.py?
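Added example, not code from this thread, from pkihelper.py or from FreeIPA's ipaplatform: a FIPS-mode probe that reads the kernel's sysctl file directly instead of spawning sysctl, and reports three distinct outcomes so that a container without /proc/sys/crypto (the LXC case above) becomes "unavailable" rather than an uncaught subprocess error. The function names, the constants and the `path` / `missing_means_disabled` parameters are this example's own; the demo files it creates are constructed stand-ins for /proc.

```python
"""FIPS-mode detection that tolerates a missing /proc/sys/crypto.

Added example; not code from the mailing-list thread, from
pki/server/deployment/pkihelper.py or from ipaplatform.  Function names,
constants and parameters are this example's own.
"""
import os
import subprocess
import tempfile

FIPS_SYSCTL_PATH = "/proc/sys/crypto/fips_enabled"

# Three explicit outcomes instead of "bool or exception": a caller can decide
# that "unavailable" (container with no crypto sysctl tree) means "treat as
# not enabled", while a genuine read error is still surfaced.
FIPS_ENABLED = "enabled"
FIPS_DISABLED = "disabled"
FIPS_UNAVAILABLE = "unavailable"


def fips_state(path=FIPS_SYSCTL_PATH):
    """Return FIPS_ENABLED, FIPS_DISABLED or FIPS_UNAVAILABLE for ``path``.

    The kernel exposes FIPS mode as a single integer in /proc; reading the
    file avoids spawning sysctl, which exits non-zero when the key is absent
    (the "exit status 255" in the installer log above).
    """
    try:
        with open(path) as f:
            value = f.read().strip()
    except FileNotFoundError:
        # No crypto sysctl at all: typical for LXC/Docker containers.
        return FIPS_UNAVAILABLE
    except OSError as exc:
        # EACCES, EIO, ...: a real error, do not hide it behind "not enabled".
        raise RuntimeError("cannot read %s: %s" % (path, exc))
    return FIPS_ENABLED if value == "1" else FIPS_DISABLED


def is_fips_enabled(path=FIPS_SYSCTL_PATH, missing_means_disabled=True):
    """Boolean view for callers that only want a yes/no answer.

    With missing_means_disabled=False an environment without the sysctl
    raises instead of silently answering False; that is the safer choice
    when a deployment is required to run in FIPS mode.
    """
    state = fips_state(path)
    if state == FIPS_UNAVAILABLE:
        if missing_means_disabled:
            return False
        raise RuntimeError("%s is not available; cannot determine FIPS mode" % path)
    return state == FIPS_ENABLED


def sysctl_fips_exit_status():
    """Exit status of the sysctl call pkihelper uses, or None if no sysctl.

    Non-zero means the key is absent on this host, which is exactly the
    condition fips_state() reports as FIPS_UNAVAILABLE.
    """
    try:
        proc = subprocess.run(["sysctl", "crypto.fips_enabled", "-bn"],
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except FileNotFoundError:
        return None
    return proc.returncode


def demo_with_constructed_files():
    """Exercise fips_state() on constructed files rather than the real /proc."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in (("on", "1\n"), ("off", "0\n")):
            p = os.path.join(tmp, name)
            with open(p, "w") as f:
                f.write(content)
            results[name] = fips_state(p)
        results["missing"] = fips_state(os.path.join(tmp, "does-not-exist"))
    return results


if __name__ == "__main__":
    print("this host:", fips_state())
    print("sysctl exit status:", sysctl_fips_exit_status())
    print("constructed files:", demo_with_constructed_files())
```

Run it inside the container and on the host side by side: on the host `fips_state()` prints "disabled" (or "enabled"), in the container it prints "unavailable", and `sysctl_fips_exit_status()` shows the non-zero status that pkihelper turns into a CalledProcessError.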
On 03-05-18 12:07, Kees Bakker via FreeIPA-users wrote:
As a workaround I applied this patch --- pkihelper.py.orig 2018-04-25 07:00:08.000000000 +0000 +++ pkihelper.py 2018-05-03 12:51:19.034143214 +0000 @@ -2304,11 +2304,10 @@ extra=config.PKI_INDENTATION_LEVEL_3) return False except subprocess.CalledProcessError as exc: - config.pki_log.error( - log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure: - raise + config.pki_log.info( + log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED, + extra=config.PKI_INDENTATION_LEVEL_3) + return False except OSError as exc: config.pki_log.error( log.PKI_OSERROR_1, exc,
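Review bot: the hunk removes `if critical_failure: raise` together with the error log, so every `subprocess.CalledProcessError` from the `sysctl crypto.fips_enabled -bn` call is now logged as `PKIHELPER_FIPS_MODE_IS_NOT_ENABLED` and answered with `return False`, including failures that are not a missing /proc/sys/crypto (a broken or absent sysctl binary, a permission problem, or a host that really is in FIPS mode but whose sysctl call failed for another reason). That turns a hard error into a silent "FIPS is off", which is the wrong default for a CA installer and ignores the caller's `critical_failure` request. A narrower workaround keeps the `critical_failure` path and only treats the specific missing-key case as "not enabled", for example by checking whether /proc/sys/crypto/fips_enabled exists (or reading it directly) before calling sysctl, along the lines of the ipaplatform is_fips_enabled helper mentioned in the first message. Minor: `exc` is still bound by `except subprocess.CalledProcessError as exc:` but is no longer used in the new body.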
But now the pki-tomcat configuration still fails, with what looks like a tomcat version conflict.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpN1J9l_'] returned non-zero exit status 1: u'pkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
root@usrv1:~# ls -l /usr/share/java/tomcat*anno*
-rw-r--r-- 1 root root 12389 Apr 19 11:53 /usr/share/java/tomcat8-annotations-api-8.5.30.jar
lrwxrwxrwx 1 root root    34 Apr 19 11:53 /usr/share/java/tomcat8-annotations-api.jar -> tomcat8-annotations-api-8.5.30.jar
root@usrv1:~# ls -l /usr/share/java/el-api*
-rw-r--r-- 1 root root 81242 Apr 19 11:53 /usr/share/java/el-api-3.0.jar
root@usrv1:~# ls -l /usr/share/java/oscach*
ls: cannot access '/usr/share/java/oscach*': No such file or directory
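Added example, not code from the thread or from Dogtag/Tomcat: a small triage helper that pulls the unique missing-jar paths out of catalina.out and checks each against the jars that are installed, so a name-or-version mismatch (tomcat-annotations-api.jar vs. the installed tomcat8-annotations-api.jar, el-api-2.1.jar vs. el-api-3.0.jar) is reported separately from a library that is simply not present (oscache.jar). The sample log text and the installed-jar list are constructed from the grep and ls output above, and all function names are this example's own.

```python
"""Triage the FileNotFoundException lines from Tomcat's catalina.out.

Added example; not code from the thread, Dogtag or Tomcat.  The sample
log and the installed-jar list are constructed to mirror the grep/ls
output in the message above.
"""
import re
from collections import OrderedDict

# Constructed: a subset of the repeated lines seen in catalina.out.
SAMPLE_CATALINA_OUT = """\
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
"""

# Constructed: what `ls /usr/share/java` showed for the relevant names.
SAMPLE_INSTALLED_JARS = [
    "tomcat8-annotations-api-8.5.30.jar",
    "tomcat8-annotations-api.jar",
    "el-api-3.0.jar",
]

MISSING_RE = re.compile(
    r"java\.io\.FileNotFoundException: (?P<path>\S+\.jar) "
    r"\(No such file or directory\)")


def missing_jars(log_text):
    """Unique jar paths reported as missing, in first-seen order."""
    seen = OrderedDict()
    for m in MISSING_RE.finditer(log_text):
        seen.setdefault(m.group("path"), None)
    return list(seen)


def jar_stem(jar_name):
    """Normalise a jar name so that renamed/re-versioned builds compare equal.

    Strips '.jar', a trailing version such as -2.1 or -8.5.30, and any
    remaining digits: 'tomcat8-annotations-api.jar' and
    'tomcat-annotations-api.jar' both become 'tomcat-annotations-api',
    'el-api-2.1.jar' and 'el-api-3.0.jar' both become 'el-api'.
    """
    name = jar_name[:-4] if jar_name.endswith(".jar") else jar_name
    name = re.sub(r"-\d+(\.\d+)*$", "", name)
    return re.sub(r"\d+", "", name).lower()


def classify_missing(log_text, installed):
    """Map each missing jar (basename) to installed jars with the same stem.

    An empty list means the library is genuinely absent (a package to
    install); a non-empty list means it is present under another name or
    version, i.e. a classpath/version conflict rather than a missing package.
    """
    by_stem = {}
    for jar in installed:
        by_stem.setdefault(jar_stem(jar), []).append(jar)
    report = OrderedDict()
    for path in missing_jars(log_text):
        base = path.rsplit("/", 1)[-1]
        report[base] = sorted(by_stem.get(jar_stem(base), []))
    return report


if __name__ == "__main__":
    report = classify_missing(SAMPLE_CATALINA_OUT, SAMPLE_INSTALLED_JARS)
    for jar, candidates in report.items():
        verdict = "version/name mismatch" if candidates else "not installed"
        print("%-30s %-22s %s" % (jar, verdict, ", ".join(candidates)))
```

On a real host, feed it the contents of /var/log/pki/pki-tomcat/catalina.out and `os.listdir("/usr/share/java")` instead of the constructed samples; the two "mismatch" rows are the symptom of the Tomcat 8.5 / Dogtag classpath conflict discussed later in the thread, while an empty candidate list points at a package that was never installed.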
On to, 03 touko 2018, Kees Bakker via FreeIPA-users wrote:
If Ubuntu 18.04 has Tomcat 8.5, you are not going to get it working with the current release of FreeIPA.
We have been working on FreeIPA 4.7 for about half a year now and only recently dogtag got support for tomcat 8.5. There are still bits and pieces which are being fixed in dogtag to support FreeIPA 4.7.
I guess currently you aren't going to get any luck with Ubuntu/Debian builds.
On 03-05-18 16:08, Alexander Bokovoy wrote:
Thanks, Alexander.
On Ubuntu 16.04 I couldn't get FreeIPA to cooperate with Samba. I had to wait for Samba 4.7 which is included in Ubuntu 18.04. Now that Ubuntu 18.04 is out I have to find out that FreeIPA isn't working at all. I'm not in a happy mood, right now.
Does that mean the Ubuntu/Debian packagers were jumping ahead too quickly to use FreeIPA 4.7?
root@usrv1:~# apt policy freeipa-common
freeipa-common:
  Installed: 4.7.0~pre1+git20180411-2ubuntu2
  Candidate: 4.7.0~pre1+git20180411-2ubuntu2
  Version table:
 *** 4.7.0~pre1+git20180411-2ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        100 /var/lib/dpkg/status
On to, 03 touko 2018, Kees Bakker via FreeIPA-users wrote:
I'd leave it to Timo to comment. I suspect those 4.7.0~pre1 are really 4.6.90.pre1 we pushed to Fedora 28. I hope the dependencies include all the related package updates too, but really it is for Timo to address the Ubuntu/Debian part.
On 03-05-18 16:42, Alexander Bokovoy wrote:
For completeness, I created a bug report. https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1768865
On 03.05.2018 13:07, Kees Bakker via FreeIPA-users wrote:
That's not the error you're looking for. Ubuntu has dogtag-pki 10.6.0 which supports Tomcat 8.5, so that's not the issue either.
Problem is that the default java version is now essentially Java 10 (will be 11 later this year), and the latest upload of tomcat8 a week before release was then built with this new default instead of JDK8 as the old package was, which then made it incompatible with dogtag... So I had to create a 4600 line diff for tomcat to still support the JRE8 runtime which Dogtag has to use, because it doesn't even build against anything newer. (#1)
So, the big patch for tomcat8 didn't make it in the release, because Kubuntu (of all things..) has it in their image so it couldn't be pushed to the distro on the release day. Instead, the fixed tomcat8 is now sitting on the upload queue waiting for a brave SRU team member (not me) to review it and release to bionic-proposed, after which it can be tested for the bug... (#2) and I marked yours as a dupe of this.
Note that ipa-dns-install is busted, named aborts on start for reasons that are still a mystery to me.
#1 https://pagure.io/dogtagpki/issue/2982
#2 https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1765616
On 05/03/2018 08:27 AM, Kees Bakker via FreeIPA-users wrote:
I see this same error running the `fedora-27` Docker container (FreeIPA 4.6.3) on CoreOS Container Linux, which also doesn't have /proc/sys/crypto. I went ahead and filed an issue on Pagure [1].
Is this a known issue? Maybe nobody is trying to run v. 4.6 outside of an F27 on bare metal environment?
Thanks-
John
[1]: https://pagure.io/freeipa/issue/7608
John Morris via FreeIPA-users wrote:
Lots run it in VMs, I don't know about containers. LXC containers aren't at all tested so you are blazing new ground.
Can you update the ticket with your research details from this thread, or just add a pointer to the thread?
We'll need to file a sister bug against dogtag to actually fix the issue.
rob
On 06/27/2018 10:25 AM, Rob Crittenden wrote:
John Morris via FreeIPA-users wrote:
On 05/03/2018 08:27 AM, Kees Bakker via FreeIPA-users wrote:
On 03-05-18 12:07, Kees Bakker via FreeIPA-users wrote:
Hey,
Trying to do a test installation of a FreeIPA server on Ubuntu 18.04. It fails setting up the certificate server (pki-tomcatd).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp5ejwx5'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The failing command is:
sysctl crypto.fips_enabled -bn
On my system there is no /proc/sys/crypto.
BTW. I'm installing in an LXC container; the host is Ubuntu 16.04. That should not matter, because none of my Ubuntu systems (16.04 and 18.04) have /proc/sys/crypto.
The problem seems to be in pki/server/deployment/pkihelper.py. When the sysctl command fails due to a missing /proc/sys/crypto/fips_enabled, or even a missing /proc/sys/crypto, it raises an exception.
Notice that there is an ipaplatform with is_fips_enabled. Shouldn't that be used in pkihelper.py?
I see this same error running the `fedora-27` Docker container (FreeIPA 4.6.3) on CoreOS Container Linux, which also doesn't have /proc/sys/crypto. I went ahead and filed an issue on Pagure [1].
Is this a known issue? Maybe nobody is trying to run v. 4.6 outside of a F27 on bare metal environment?
Lots run it in VMs, I don't know about containers. LXC containers aren't at all tested so you are blazing new ground.
Can you update the ticket with your research details from this thread, or just add a pointer to the thread?
We'll need to file a sister bug against dogtag to actually fix the issue.
Thanks, Rob.
I updated the FreeIPA issue: https://pagure.io/freeipa/issue/7608
And created a Dogtag PKI issue: https://pagure.io/dogtagpki/issue/3039
Also, I have a long-standing issue tracking FreeIPA 4.6 support in containers (though not much relevant to this specific issue yet): https://github.com/freeipa/freeipa-container/issues/157
John
rob
Thanks-
John
As a workaround I applied this patch --- pkihelper.py.orig 2018-04-25 07:00:08.000000000 +0000 +++ pkihelper.py 2018-05-03 12:51:19.034143214 +0000 @@ -2304,11 +2304,10 @@ extra=config.PKI_INDENTATION_LEVEL_3) return False except subprocess.CalledProcessError as exc: - config.pki_log.error( - log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure: - raise + config.pki_log.info( + log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED, + extra=config.PKI_INDENTATION_LEVEL_3) + return False except OSError as exc: config.pki_log.error( log.PKI_OSERROR_1, exc,
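Review bot: the replacement `except subprocess.CalledProcessError` branch turns every non-zero exit of the sysctl call into `log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED` plus `return False`, not only the missing-/proc/sys/crypto case this thread is about, and it deletes the `if critical_failure: raise` path, so the `critical_failure` argument no longer has any effect for this exception type. On a host that really is in FIPS mode, any other sysctl failure (binary not on PATH, permission problem) would now be reported as "not enabled" and the CA would be configured with non-FIPS settings. A narrower fix would be to test whether /proc/sys/crypto/fips_enabled exists before invoking sysctl, return False only when it is absent, and keep the original `config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, ...)` and `raise` behaviour for every other failure; the ipaplatform `is_fips_enabled` helper mentioned earlier in the thread is the obvious place to borrow that logic from.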
But now the pki-tomcat configuration still fails, with what looks like a tomcat version conflict.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpN1J9l_'] returned non-zero exit status 1: u'pkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
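The FIPS probe discussed above (the `sysctl crypto.fips_enabled -bn` call that exits 255 when /proc/sys/crypto is absent) can be written so that "the kernel has no FIPS flag" and "the probe itself failed" give different outcomes. The following is an added example in Python 3, my own code and not taken from pkihelper.py, ipaplatform or the patch in this thread; the names `FipsProbeError`, `fips_enabled_from_procfs`, `fips_enabled_via_sysctl` and `demo` are assumptions of the example, and /proc/sys/crypto/fips_enabled is the flag the thread's sysctl call reads.

```python
"""FIPS-mode probe that separates "kernel has no FIPS flag" from "probe failed".

Added example, not code from pkihelper.py or ipaplatform.  FipsProbeError,
fips_enabled_from_procfs, fips_enabled_via_sysctl and demo are names chosen
for this example; /proc/sys/crypto/fips_enabled is the key behind the
`sysctl crypto.fips_enabled` call in the thread.  Python 3.
"""
import os
import subprocess
import tempfile

# Path behind `sysctl crypto.fips_enabled`; absent on kernels/containers
# without FIPS support, which is exactly the case that broke pkispawn.
FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"


class FipsProbeError(RuntimeError):
    """FIPS state could not be determined (distinct from FIPS being off)."""


def fips_enabled_from_procfs(path=FIPS_FLAG_PATH):
    """Return True if the kernel reports FIPS mode, False if the flag is absent or 0.

    A missing flag file means this kernel cannot be in FIPS mode, so False is
    the right answer for an LXC/Docker guest on such a kernel.  Any other
    failure (permission denied, I/O error, unexpected contents) is ambiguous:
    silently reporting False there could let a deployment on a real FIPS host
    pick non-FIPS settings, so it is raised instead of swallowed.
    """
    try:
        with open(path) as fh:
            value = fh.read().strip()
    except FileNotFoundError:
        return False
    except OSError as exc:
        raise FipsProbeError("cannot read %s: %s" % (path, exc)) from exc
    if value not in ("0", "1"):
        raise FipsProbeError("unexpected value %r in %s" % (value, path))
    return value == "1"


def fips_enabled_via_sysctl(path=FIPS_FLAG_PATH):
    """Same decision using the sysctl binary, as pkihelper does, but guarded.

    sysctl exits non-zero (255 in the thread) when the key does not exist, so
    the flag file is checked first and sysctl is only run when the key can
    exist.  A non-zero exit at that point is a real error, not "FIPS is off".
    """
    if not os.path.exists(path):
        return False
    result = subprocess.run(
        ["sysctl", "-bn", "crypto.fips_enabled"],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True,
    )
    if result.returncode != 0:
        raise FipsProbeError("sysctl failed (%d): %s"
                             % (result.returncode, result.stderr.strip()))
    return result.stdout.strip() == "1"


def demo():
    """Probe constructed flag files covering the four cases; returns a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Container case (constructed): the flag file does not exist at all.
        results["missing"] = fips_enabled_from_procfs(os.path.join(tmp, "absent"))
        # Constructed flag files: FIPS off, FIPS on, and unreadable contents.
        for name, content in (("off", "0\n"), ("on", "1\n"), ("bad", "maybe\n")):
            flag = os.path.join(tmp, name)
            with open(flag, "w") as fh:
                fh.write(content)
            try:
                results[name] = fips_enabled_from_procfs(flag)
            except FipsProbeError:
                results[name] = "FipsProbeError"
    return results


if __name__ == "__main__":
    print("constructed cases:", demo())
    print("this host (procfs):", fips_enabled_from_procfs())
```

The difference from the workaround patch above is the narrow `except FileNotFoundError`: the container case still yields "not enabled" without an exception, but a permission error, a corrupt value or a failing sysctl binary on a kernel that does expose the flag still surfaces as an error rather than being logged as "FIPS mode is not enabled".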