When setting up a KRA subsystem clone on a FreeIPA replica using ipa-kra-install, the installation fails with the following error:
ipa-kra-install
[root@replica1 ~]# ipa-kra-install
Directory Manager password:
===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.

Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: creating installation admin user
  [2/8]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmp5aWeE4' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
In the installation log, the following error can be found:
2016-03-29T12:10:20Z DEBUG Starting external process
2016-03-29T12:10:20Z DEBUG args=/usr/sbin/pkispawn -s KRA -f /tmp/tmp5aWeE4
2016-03-29T12:10:22Z DEBUG Process finished, return code=1
2016-03-29T12:10:22Z DEBUG stdout=Log file: /var/log/pki/pki-kra-spawn.20160329121020.log
Loading deployment configuration from /tmp/tmp5aWeE4.
Installing KRA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg.
Installation failed.
2016-03-29T12:10:22Z DEBUG stderr=IncorrectPasswordException: Incorrect client security database password.
The pki-kra-spawn log contains the following:
2016-03-29 12:10:22 pkispawn : INFO ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
2016-03-29 12:10:22 pkispawn : DEBUG ........... slot substitution: '[PKI_WEB_SERVER_TYPE]' ==> 'tomcat'
2016-03-29 12:10:22 pkispawn : DEBUG ........... slot substitution: '[PKI_USER]' ==> 'pkiuser'
2016-03-29 12:10:22 pkispawn : DEBUG ........... slot substitution: '[PKI_GROUP]' ==> 'pkiuser'
2016-03-29 12:10:22 pkispawn : DEBUG ........... slot substitution: '[PKI_INSTANCE_NAME]' ==> 'pki-tomcat'
2016-03-29 12:10:22 pkispawn : DEBUG ........... slot substitution: '[PKI_INSTANCE_PATH]' ==> '/var/lib/pki/pki-tomcat'
2016-03-29 12:10:22 pkispawn : DEBUG ........... slot substitution: '[PKI_INSTANCE_INITSCRIPT]' ==> '/var/lib/pki/pki-tomcat/pki-tomcat'
2016-03-29 12:10:22 pkispawn : DEBUG ........... slot substitution: '[PKI_LOCKDIR]' ==> '/var/lock/pki/tomcat'
2016-03-29 12:10:22 pkispawn : DEBUG ........... slot substitution: '[PKI_PIDDIR]' ==> '/var/run/pki/tomcat'
2016-03-29 12:10:22 pkispawn : DEBUG ........... slot substitution: '[PKI_UNSECURE_PORT]' ==> '8080'
2016-03-29 12:10:22 pkispawn : DEBUG ........... slot substitution: '[TOMCAT_PIDFILE]' ==> '/var/run/pki/tomcat/pki-tomcat.pid'
2016-03-29 12:10:22 pkispawn : DEBUG ........... chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
2016-03-29 12:10:22 pkispawn : DEBUG ........... chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
2016-03-29 12:10:22 pkispawn : INFO ... generating 'pki.server.deployment.scriptlets.security_databases'
2016-03-29 12:10:22 pkispawn : INFO ....... generating '/etc/pki/pki-tomcat/pfile'
2016-03-29 12:10:22 pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/password.conf'
2016-03-29 12:10:22 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/password.conf
2016-03-29 12:10:22 pkispawn : DEBUG ........... chown 17:17 /etc/pki/pki-tomcat/password.conf
2016-03-29 12:10:22 pkispawn : INFO ....... Security databases '/etc/pki/pki-tomcat/alias/cert8.db', '/etc/pki/pki-tomcat/alias/key3.db', and/or '/etc/pki/pki-tomcat/alias/secmod.db' already exist!
2016-03-29 12:10:22 pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db'
2016-03-29 12:10:22 pkispawn : DEBUG ........... chmod 600 /etc/pki/pki-tomcat/alias/cert8.db
2016-03-29 12:10:22 pkispawn : DEBUG ........... chown 17:17 /etc/pki/pki-tomcat/alias/cert8.db
2016-03-29 12:10:22 pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/key3.db'
2016-03-29 12:10:22 pkispawn : DEBUG ........... chmod 600 /etc/pki/pki-tomcat/alias/key3.db
2016-03-29 12:10:22 pkispawn : DEBUG ........... chown 17:17 /etc/pki/pki-tomcat/alias/key3.db
2016-03-29 12:10:22 pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
2016-03-29 12:10:22 pkispawn : DEBUG ........... chmod 600 /etc/pki/pki-tomcat/alias/secmod.db
2016-03-29 12:10:22 pkispawn : DEBUG ........... chown 17:17 /etc/pki/pki-tomcat/alias/secmod.db
2016-03-29 12:10:22 pkispawn : DEBUG ....... Error Type: CalledProcessError
2016-03-29 12:10:22 pkispawn : DEBUG ....... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file', '/tmp/tmpfivCZ2', '--pkcs12-password-file', '/tmp/tmpfXzW3F/password.txt', '--no-user-certs']' returned non-zero exit status 255
2016-03-29 12:10:22 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 524, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 128, in spawn
    no_user_certs=True)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in import_pkcs12
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 540, in check_call
    raise CalledProcessError(retcode, cmd)
Steps to reproduce:
1. Set up a FreeIPA master with KRA
2. Install a replica with CA
3. Install KRA on the replica
Expected results:
KRA is installed and functional
Actual results:
KRA clone installation fails
Attachment: kra_logs.zip
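A pre-flight check for the failure in the logs above, added here as an example and not code from FreeIPA or Dogtag: it reads the token password from the instance's password.conf (assumed to use Dogtag's internal=<password> entry) and tests whether certutil can open the existing NSS database with it, so a mismatch between the password on file and the one protecting the pre-existing cert8.db/key3.db shows up before ipa-kra-install is run on the replica.

```shell
#!/bin/sh
# Added diagnostic (not FreeIPA/Dogtag code) for the "Incorrect client security
# database password" failure: checks that the token password in password.conf
# actually opens the NSS database of the existing pki-tomcat instance.
# Assumes Dogtag's "internal=<password>" password.conf entry and certutil.

# Print the password from the "internal=" entry of a Dogtag password.conf.
nss_password_from_conf() {
    # First matching line only; everything after the first '=' is the password.
    [ -r "$1" ] && sed -n 's/^internal=//p' "$1" | head -n 1
}

# Try to open the NSS database in $1 with the password from password.conf $2.
# Returns 0 if certutil opens it, 1 if the password is rejected,
# 2 if certutil is missing, 3 if an input is missing or has no entry.
check_nssdb_password() {
    alias_dir="$1"
    conf="$2"
    pw=$(nss_password_from_conf "$conf") || pw=""
    if [ -z "$pw" ]; then
        echo "no readable internal= entry in $conf" >&2
        return 3
    fi
    if [ ! -d "$alias_dir" ]; then
        echo "NSS database directory $alias_dir does not exist" >&2
        return 3
    fi
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil (nss-tools) is not installed" >&2
        return 2
    fi
    pwfile=$(mktemp) || return 3
    chmod 600 "$pwfile"
    printf '%s\n' "$pw" > "$pwfile"
    # -K lists private keys and fails unless the token password is correct.
    # An old dbm-format database (cert8.db, as in the log) may need "dbm:$alias_dir"
    # with a recent certutil.
    if certutil -K -d "$alias_dir" -f "$pwfile" >/dev/null 2>&1; then
        rc=0
    else
        echo "password from $conf does not open $alias_dir" >&2
        rc=1
    fi
    rm -f "$pwfile"
    return $rc
}

# Run directly with the instance directory, e.g. sh nss_pwcheck.sh /etc/pki/pki-tomcat
[ -z "${1:-}" ] || check_nssdb_password "$1/alias" "$1/password.conf"
```

Run it as root on the replica before ipa-kra-install; exit status 1 means the password pkispawn has on file will not open the database that the log reports as already existing.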
Fixed in master:
Note that there is another error, similar to ticket #2226, that blocks KRA installation on an IPA replica.
Metadata Update from @mbabinsk:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.0.b1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2367
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.