I tried to install CA, KRA, OCSP and TKS with the newest build from the following rpms:
http://mickey.dsdev.sjc.redhat.com/repos/pki/dogtag/10/F20/devel_x86_64/x86_64/
http://mickey.dsdev.sjc.redhat.com/repos/pki/dogtag/10/F20/devel_x86_64/noarch/
but when I tried using the earlier builds the subsystems were installed successfully:
http://mickey.dsdev.sjc.redhat.com/repos/pki/dogtag/10/F20/20140630-204002/x86_64/
http://mickey.dsdev.sjc.redhat.com/repos/pki/dogtag/10/F20/20140630-204002/noarch/
The error with the newest build was that while installing the CA, after the configuration was completed, the system failed to restart, i.e. the command systemctl restart pki-tomcatd@<pki-instance-name>.service failed.
The SSL server was not up and running and the maximum tries to access the URL were exceeded. I am attaching the logs for reference.
The log file size is exceeding the upload limit here.
I am adding the snippets of the pki-ca-spawn log here for reference:
INFO ....... executing 'systemctl daemon-reload'
2014-07-14 14:12:07 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-ipa.service'
2014-07-14 14:12:07 pkispawn : DEBUG ........... No connection - server may still be down
2014-07-14 14:12:07 pkispawn : DEBUG ........... No connection - exception thrown: HTTPSConnectionPool(host='idm-qe-01.lab.eng.rdu2.redhat.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by <class 'socket.error'>: [Errno 111] Connection refused)
2014-07-14 14:12:11 pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.0-0.5.20140714T0343zgitcabfda3.fc20</Version></XMLResponse>
2014-07-14 14:12:12 pkispawn : INFO ....... constructing PKI configuration data.
2014-07-14 14:12:12 pkispawn : INFO
2014-07-14 14:12:37 pkispawn : DEBUG ....... saving CA idm-qe 01.lab.eng.rdu2.redhat.com 8443 Admin Certificate to file: '/opt/rhqa_pki/ca_admin.cert'
2014-07-14 14:12:37 pkispawn : INFO ....... AtoB /opt/rhqa_pki/ca_admin.cert /opt/rhqa_pki/ca_admin.cert.der
2014-07-14 14:12:37 pkispawn : INFO ....... certutil -A -d /opt/rhqa_pki/certs_db -n caadmincert -t u,u,u -i /opt/rhqa_pki/ca_admin.cert.der -f /opt/rhqa_pki/ca/password.conf
2014-07-14 14:12:37 pkispawn : INFO ....... pk12util -d /opt/rhqa_pki/certs_db -o /opt/rhqa_pki/caadmincert.p12 -n caadmincert -w /opt/rhqa_pki/ca/pkcs12_password.conf -k /opt/rhqa_pki/ca/password.conf
2014-07-14 14:12:37 pkispawn : INFO ... finalizing 'pki.server.deployment.scriptlets.finalization'
2014-07-14 14:12:37 pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-ipa/ca/deployment.cfg /var/log/pki/pki-ipa/ca/archive/spawn_deployment.cfg.20140714141205
2014-07-14 14:12:37 pkispawn : DEBUG ........... chmod 660 /var/log/pki/pki-ipa/ca/archive/spawn_deployment.cfg.20140714141205
2014-07-14 14:12:37 pkispawn : DEBUG ........... chown 17:17 /var/log/pki/pki-ipa/ca/archive/spawn_deployment.cfg.20140714141205
2014-07-14 14:12:37 pkispawn : INFO ....... generating manifest file called '/etc/sysconfig/pki/tomcat/pki-ipa/ca/manifest'
2014-07-14 14:12:37 pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-ipa/ca/manifest /var/log/pki/pki-ipa/ca/archive/spawn_manifest.20140714141205
2014-07-14 14:12:37 pkispawn : DEBUG ........... chmod 660 /var/log/pki/pki-ipa/ca/archive/spawn_manifest.20140714141205
2014-07-14 14:12:37 pkispawn : DEBUG ........... chown 17:17 /var/log/pki/pki-ipa/ca/archive/spawn_manifest.20140714141205
2014-07-14 14:12:37 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2014-07-14 14:12:37 pkispawn : INFO ....... executing 'systemctl restart pki-tomcatd@pki-ipa.service'
2014-07-14 14:12:38 pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['systemctl', 'restart', 'pki-tomcatd@pki-ipa.service']' returned non-zero exit status 1!
2014-07-14 14:12:38 pkispawn : DEBUG ....... Error Type: CalledProcessError
2014-07-14 14:12:38 pkispawn : DEBUG ....... Error Message: Command '['systemctl', 'restart', 'pki-tomcatd@pki-ipa.service']' returned non-zero exit status 1
2014-07-14 14:12:38 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 514, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/finalization.py", line 72, in spawn
    deployer.systemd.restart()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3416, in restart
    subprocess.check_call(command)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
These AVC denied messages show up:
type=AVC msg=audit(1405378027.744:246): avc: denied { setfscreate } for pid=22609 comm="cp" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process
type=AVC msg=audit(1405378027.745:247): avc: denied { relabelfrom } for pid=22609 comm="cp" name="CS.cfg.bak.20140714184707" dev="dm-1" ino=266860 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1405378027.747:248): avc: denied { create } for pid=22610 comm="ln" name="CS.cfg.bak" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
There's a ticket for selinux-policy-targeted to fix this: https://bugzilla.redhat.com/show_bug.cgi?id=1117673
In the meantime, if it's possible to put SELinux into permissive mode, that will get things moving again.
Since this ticket is dependent upon a change to the system SELinux policy, it still needs to be determined if a short-term work-around needs to be implemented (e.g., performing a copy rather than a symlink).
Leaving this ticket in TRIAGE for now. However, if a work-around is required, then this ticket needs to be placed into the 10.2 (July) milestone; otherwise, it should be able to be closed as WORKSFORME.
Proposed CLOSE WORKSFORME.
07/21/2014 - Determined that we would leave this ticket open in TRIAGE until such time as the SELinux issue is resolved, at which time we will close this ticket as WORKSFORME.
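As an added example (not from the ticket or the Dogtag project), a small POSIX shell helper that summarises the AVC denials quoted above and flags the symlink-creation denial behind the copy-instead-of-symlink work-around considered in the triage notes; the sample records are the three from this ticket, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the ticket): summarise SELinux AVC denials like the
# ones pasted above so the offending domain, permission and object class are
# visible at a glance. Works on ausearch/audit.log output, and also on records
# that were pasted run-together on one line as in the ticket.

# Constructed sample: the three denials quoted in the ticket, one per line.
SAMPLE_AVC='type=AVC msg=audit(1405378027.744:246): avc: denied { setfscreate } for pid=22609 comm="cp" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process
type=AVC msg=audit(1405378027.745:247): avc: denied { relabelfrom } for pid=22609 comm="cp" name="CS.cfg.bak.20140714184707" dev="dm-1" ino=266860 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1405378027.747:248): avc: denied { create } for pid=22610 comm="ln" name="CS.cfg.bak" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file'

# Reads audit records on stdin; prints one line per denial:
#   <comm> <permission(s)> <tclass> <source type> <target type>
avc_summary() {
    awk '{
        # A pasted line may hold several records; split on the record marker.
        n = split($0, recs, /type=AVC /)
        for (r = 1; r <= n; r++) {
            rec = recs[r]
            if (rec !~ /avc: +denied/) continue
            # The permission set is the text between the braces.
            b = index(rec, "{"); e = index(rec, "}")
            perm = substr(rec, b + 1, e - b - 1)
            sub(/^ +/, "", perm); sub(/ +$/, "", perm)
            comm = tclass = scon = tcon = ""
            nf = split(rec, f, " ")
            for (i = 1; i <= nf; i++) {
                eq = index(f[i], "=")
                if (eq == 0) continue
                key = substr(f[i], 1, eq - 1); val = substr(f[i], eq + 1)
                if (key == "comm")     { gsub(/"/, "", val); comm = val }
                if (key == "tclass")   tclass = val
                if (key == "scontext") { split(val, p, ":"); scon = p[3] }
                if (key == "tcontext") { split(val, p, ":"); tcon = p[3] }
            }
            print comm, perm, tclass, scon, tcon
        }
    }'
}

# Exit 0 if the denials include the symlink creation (ln -> lnk_file create)
# that the triage notes consider working around with a copy instead of a symlink.
symlink_denied() {
    avc_summary | awk '$1 == "ln" && $2 == "create" && $3 == "lnk_file" { found = 1 }
                       END { exit !found }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

On a real host, feed it `ausearch -m avc -ts recent` output. Making only the one domain permissive (`semanage permissive -a pki_tomcat_t`) is a narrower change than the system-wide permissive mode suggested above.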
Per CS/DS meeting of 08/04/2014: closed as INVALID since this is not a Dogtag bug.
Metadata Update from @saipandi: - Issue set to the milestone: 10.2 - 08/14 (August)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1635
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.