After upgrading to latest packages of ipaserver and pki-core/dogtag ipaserver doesn't start anymore and hangs at: pki-tomcatd
The system was working before and I install updates as soon as they are available. The problem is since the latest update on 01/19/2017.
After some time it gets a timeout:
[root@ipaserver ~]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl
The Log /var/log/pki/pki-tomcat/ca/selftest.log:
0.localhost-startStop-1 - [19/Jan/2017:10:17:21 MEZ] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [19/Jan/2017:10:17:21 MEZ] [20] [1] SystemCertsVerification: system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8101) Certificate type not approved for application.
0.localhost-startStop-1 - [19/Jan/2017:10:17:21 MEZ] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
This is the ONLY log entry in selftest.log directly after the upgrade of the server. No further logs in selftest.log (?!). It seems that it doesn't reach this point anymore.
Here's the output for the certificates:
[root@ipaserver pki-tomcat]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
caSigningCert cert-pki-ca                                    CTu,cu,u
Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
If I try to change the settings for auditSigningCert with:
certutil -M -d /var/lib/pki/pki-tomcat/ca/alias/ -n "auditSigningCert cert-pki-ca" -t "u,u,Pu"
The new permissions are set but "ipactl start" breaks with the same error.
How reproducible:
I'm not sure. Maybe upgrading to the latest ipaserver or pki/dogtag, or maybe there was a broken ipa-cacert-manage renew?
Additional info:
Maybe this bug is also related to https://bugzilla.redhat.com/show_bug.cgi?id=1390319
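The self-test above rejects the audit signing certificate because of its NSS trust flags, so a quick way to triage a pki-tomcat NSS database is to parse the `certutil -L` listing and compare the flags against what Dogtag expects. The following is an added example, not code from the report or from Dogtag/FreeIPA; it assumes (from Dogtag's default pkispawn configuration) that the audit signing cert needs the `P` (trusted peer) flag in the JAR/XPI column, i.e. `u,u,Pu`, and it embeds a constructed listing that mirrors the one in the report.

```python
"""Check NSS trust flags of Dogtag CA certificates from `certutil -L` output."""
import re

# A trust-attribute triple looks like "u,u,u" or "CTu,Cu,Cu".
TRUST_RE = re.compile(r"^[CTcPpu]*,[CTcPpu]*,[CTcPpu]*$")

# Constructed sample, mirroring the listing from the report above.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
caSigningCert cert-pki-ca                                    CTu,cu,u
Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
"""


def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, jar)} parsed from `certutil -L` output.

    Header and blank lines are skipped because their last token is not a
    trust triple; the nickname may contain spaces, so split from the right."""
    certs = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        certs[parts[0].strip()] = tuple(parts[1].split(","))
    return certs


def find_trust_problems(certs):
    """Report certs whose flags would trip Dogtag's SystemCertsVerification.

    Assumption: the audit signing cert must carry 'P' in the JAR/XPI
    (object signing) column; without it NSS returns -8101."""
    problems = []
    for nick, (_ssl, _smime, jar) in certs.items():
        if nick.startswith("auditSigningCert") and "P" not in jar:
            problems.append(f"{nick}: JAR/XPI trust is '{jar}', expected 'Pu'")
    return problems


if __name__ == "__main__":
    for problem in find_trust_problems(parse_certutil_listing(SAMPLE_LISTING)):
        print(problem)
```

Feed it the real listing with `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias/` piped into `parse_certutil_listing` to check a live instance.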
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1415852
Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to IPA
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: major
Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.
Metadata Update from @mharmsen: - Issue set to the milestone: FUTURE (was: 10.4)
Petr Vobornik 2017-09-20 04:42:42 EDT
I think this issue can be closed.
Ideal solution would be if Dogtag could do a verification of input without doing an actual installation. So that IPA can run this validation in validation step of IPA installer and not in CA installation step where part of the server is already configured. There is a Dogtag RFE, I believe it is called --dry-run to implement this.
CLOSING issue as DUPLICATE of "Pagure Issue #1727 - Validate input in pkispawn, add dry run option".
Metadata Update from @mharmsen: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.0 (was: FUTURE)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2744
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.