KRA installation using ipa-kra-install fails on F23 with the following error message:
2015-10-20T09:27:11Z DEBUG stderr=pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to import certificate chain from security domain master: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId."}
2015-10-20T09:27:11Z CRITICAL Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmp2qgsHS'' returned non-zero exit status 1
2015-10-20T09:27:11Z CRITICAL See the installation logs and the following files/directories for more information:
2015-10-20T09:27:11Z CRITICAL /var/log/pki-ca-install.log
2015-10-20T09:27:11Z CRITICAL /var/log/pki/pki-tomcat
2015-10-20T09:27:11Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 416, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 406, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 258, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: KRA configuration failed.
2015-10-20T09:27:11Z DEBUG [error] RuntimeError: KRA configuration failed.
2015-10-20T09:27:11Z ERROR Your system may be partly configured. Run ipa-kra-install --uninstall to clean up.

2015-10-20T09:27:11Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 187, in run
    self._run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 180, in _run
    kra.install(api, replica_config, self.options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/kra.py", line 63, in install
    options.dm_password, subject_base=subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 129, in configure_instance
    self.start_creation(runtime=126)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 416, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 406, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py", line 258, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2015-10-20T09:27:11Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: KRA configuration failed.
2015-10-20T09:27:11Z ERROR KRA configuration failed.
The problem seems to be IPA-specific as standalone CA and KRA installation on F23 without IPA works just fine. Also IPA installation with CA and KRA on F22 works just fine too.
It seems that the HTTPD proxy was rejecting KRA requests to the CA and returning an unparseable response. The following operation appears in the HTTPD access log but not in the CA's access log:
10.34.78.40 - - [20/Oct/2015:11:27:10 +0200] "POST /ca/admin/ca/getCertChain HTTP/1.0" 400 226
Here are the packages currently installed:
Steps to reproduce:
Actual result: The KRA installation fails with the above message.
Expected result: The KRA installation should complete successfully.
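The check described in the report above (a request that shows up in the HTTPD access log with an error status but never reaches the CA's access log) can be automated. This is an added example, not part of the original ticket or of FreeIPA/PKI; it assumes both logs are in Common Log Format, and every sample line except the first HTTPD entry is constructed.

```python
import re
from datetime import datetime, timedelta

# Common Log Format: host ident user [timestamp] "request" status size
CLF = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse(lines):
    """Yield (timestamp, method, path, status) for each parsable line."""
    for line in lines:
        m = CLF.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group("method"), m.group("path"), int(m.group("status"))

def rejected_at_proxy(httpd_lines, backend_lines, prefix="/ca/", skew=2):
    """Return failed (status >= 400) proxy entries under `prefix` that have no
    backend entry with the same method and path within `skew` seconds."""
    backend = list(parse(backend_lines))
    window = timedelta(seconds=skew)
    missing = []
    for ts, method, path, status in parse(httpd_lines):
        if status < 400 or not path.startswith(prefix):
            continue
        forwarded = any(
            b_method == method and b_path == path and abs(b_ts - ts) <= window
            for b_ts, b_method, b_path, _ in backend
        )
        if not forwarded:
            missing.append((ts.isoformat(), method, path, status))
    return missing

# First entry is the line quoted in the ticket; the others are constructed.
HTTPD_LOG = [
    '10.34.78.40 - - [20/Oct/2015:11:27:10 +0200] "POST /ca/admin/ca/getCertChain HTTP/1.0" 400 226',
    '10.34.78.40 - - [20/Oct/2015:11:27:05 +0200] "GET /ca/example/ok HTTP/1.1" 200 168',
    '10.34.78.40 - - [20/Oct/2015:11:27:12 +0200] "GET /ca/example/missing HTTP/1.1" 404 90',
]
# Constructed backend (CA) access log: the getCertChain request never arrives.
CA_LOG = [
    '127.0.0.1 - - [20/Oct/2015:11:27:05 +0200] "GET /ca/example/ok HTTP/1.1" 200 168',
    '127.0.0.1 - - [20/Oct/2015:11:27:12 +0200] "GET /ca/example/missing HTTP/1.1" 404 90',
]

if __name__ == "__main__":
    for entry in rejected_at_proxy(HTTPD_LOG, CA_LOG):
        print(entry)
```

The 404 entry is not reported because the backend logged it too; only the 400 that exists solely in the HTTPD log is flagged as rejected by the proxy.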
I cannot reproduce this; it works for me on F23 with the same package versions as listed above.
Did you try reinstalling KRA after this failure? Are you able to reproduce this?
I was able to reproduce the problem consistently on a newly created F23 VM with the latest packages, and the problem persists after reinstalling KRA.
The new VM has the following packages in addition to the pki and freeipa packages listed above:
I was able to fix the problem by replacing the outdated HTTP client in PKI (https://fedorahosted.org/pki/ticket/342). Once the fix is released, please update the IPA dependency.
Again, the problem only appears in IPA installation. Standalone CA and KRA installation doesn't have this problem.
The fix for PKI has been pushed to the master branch which will be released in 10.3. If you need the fix in PKI 10.2.x please let us know.
I can also reproduce it - tried on fully upgraded F23. Whatever PKI version lands in F23 is fine.
The fix has been released in pki-core-10.2.6-11.fc23: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4a665f0ec0
Metadata Update from @edewata: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.3