#2247 ipa-kra-install fails when using pki-kra 10.3.0-a1-2
Closed: Fixed None Opened 8 years ago by mbabinsk.

When setting up a KRA subsystem clone on a FreeIPA replica using ipa-kra-install, the installation fails with the following error:

[root@replica1 ~]# ipa-kra-install 
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: creating installation admin user
  [2/8]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmp5aWeE4' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

In the installation log, the following error can be found:

2016-03-29T12:10:20Z DEBUG Starting external process
2016-03-29T12:10:20Z DEBUG args=/usr/sbin/pkispawn -s KRA -f /tmp/tmp5aWeE4
2016-03-29T12:10:22Z DEBUG Process finished, return code=1
2016-03-29T12:10:22Z DEBUG stdout=Log file: /var/log/pki/pki-kra-spawn.20160329121020.log
Loading deployment configuration from /tmp/tmp5aWeE4.
Installing KRA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg.

Installation failed.


2016-03-29T12:10:22Z DEBUG stderr=IncorrectPasswordException: Incorrect client security database password.

The pki-kra-spawn log contains the following:

2016-03-29 12:10:22 pkispawn    : INFO     ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_WEB_SERVER_TYPE]' ==> 'tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_USER]' ==> 'pkiuser'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_GROUP]' ==> 'pkiuser'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_INSTANCE_NAME]' ==> 'pki-tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_INSTANCE_PATH]' ==> '/var/lib/pki/pki-tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_INSTANCE_INITSCRIPT]' ==> '/var/lib/pki/pki-tomcat/pki-tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_LOCKDIR]' ==> '/var/lock/pki/tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_PIDDIR]' ==> '/var/run/pki/tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_UNSECURE_PORT]' ==> '8080'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[TOMCAT_PIDFILE]' ==> '/var/run/pki/tomcat/pki-tomcat.pid'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
2016-03-29 12:10:22 pkispawn    : INFO     ... generating 'pki.server.deployment.scriptlets.security_databases'
2016-03-29 12:10:22 pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/pfile'
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/password.conf'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 660 /etc/pki/pki-tomcat/password.conf
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/password.conf
2016-03-29 12:10:22 pkispawn    : INFO     ....... Security databases '/etc/pki/pki-tomcat/alias/cert8.db', '/etc/pki/pki-tomcat/alias/key3.db', and/or '/etc/pki/pki-tomcat/alias/secmod.db' already exist!
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 600 /etc/pki/pki-tomcat/alias/cert8.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/alias/cert8.db
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/key3.db'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 600 /etc/pki/pki-tomcat/alias/key3.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/alias/key3.db
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 600 /etc/pki/pki-tomcat/alias/secmod.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/alias/secmod.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
2016-03-29 12:10:22 pkispawn    : DEBUG    ....... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file', '/tmp/tmpfivCZ2', '--pkcs12-password-file', '/tmp/tmpfXzW3F/password.txt', '--no-user-certs']' returned non-zero exit status 255
2016-03-29 12:10:22 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 524, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 128, in spawn
    no_user_certs=True)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in import_pkcs12
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 540, in check_call
    raise CalledProcessError(retcode, cmd)

Steps to reproduce:

1.) set up a FreeIPA master w/ KRA

2.) install a replica with CA

3.) install KRA on the replica

Expected results:

KRA is installed and functional

Actual results:

KRA clone installation fails


Fixed in master:

  • 58b78bd1602e3efeb33a73f8d07a6edaaee104ba
  • 061bec70264c2c7a601ffe80846ef1fa5497c15c

Note that there is another error similar to ticket #2226 that blocks KRA installation on IPA replica.

Metadata Update from @mbabinsk:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.0.b1

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2367

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
