#6611 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running
Closed: fixed 2 years ago Opened 2 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1409786

Description of problem:

When the dirsrv service, which gets started during the first ipa-server-install
--external-ca phase, is not running when the second phase is run with
--external-cert-file options, the ipa-server-install command fails with

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned
non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration
failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install
command failed. See /var/log/ipaserver-install.log for more information

Version-Release number of selected component (if applicable):

ipa-server-4.4.0-14.el7_3.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. yum install -y ipa-server
2. ipa-server-install --external-ca -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U
3. systemctl stop dirsrv@EXAMPLE-TEST.service
4. mkdir /var/tmp/testdb ; cd /var/tmp/testdb
5. certutil -N -d . --empty-password
6. echo -e "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/hostname -2 -1 -5
7. certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
8. certutil -C -m 2346 -i /root/ipa.csr -o /root/ipa.crt -c "IPA ROOTCA certificate" -d . -a
9. ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/var/tmp/testdb/iparootca.crt -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U

Actual results:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned
non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration
failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install
command failed. See /var/log/ipaserver-install.log for more information

/var/log/ipaserver-install.log ends with

2017-01-03T11:17:54Z DEBUG Starting external process
2017-01-03T11:17:54Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_
2017-01-03T11:17:54Z DEBUG Process finished, return code=1
2017-01-03T11:17:54Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20170103061754.log
Loading deployment configuration from /tmp/tmp9WqbH_.
ERROR:  Unable to access directory server: Can't contact LDAP server

2017-01-03T11:17:54Z DEBUG stderr=
2017-01-03T11:17:54Z CRITICAL Failed to configure CA instance: Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmp9WqbH_' returned non-zero exit status 1
2017-01-03T11:17:54Z CRITICAL See the installation logs and the following
files/directories for more information:
2017-01-03T11:17:54Z CRITICAL   /var/log/pki/pki-tomcat
2017-01-03T11:17:54Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-01-03T11:17:54Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318,
in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310,
in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332,
in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372,
in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394,
in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362,
in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359,
in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586,
in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372,
in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449,
in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394,
in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446,
in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394,
in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362,
in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359,
in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63,
in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 1357, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 267, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 773, in install
    ca.install_step_0(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 173, in
install_step_0
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
437, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
590, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2017-01-03T11:17:54Z DEBUG The ipa-server-install command failed, exception:
RuntimeError: CA configuration failed.
2017-01-03T11:17:54Z ERROR CA configuration failed.
2017-01-03T11:17:54Z ERROR The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information

Expected results:

No error; the installer makes sure that anything it needs to be running
has been started.

Additional info:

This causes problems especially in unattended container installations, when
a completely new container is run for the second phase and the dirsrv is thus
not up.
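
A pre-flight guard for the second phase in an unattended or container run, as an added example that is not part of the original ticket or of FreeIPA's own fix. The function names and the DIRSRV_CONFDIR and DIRSRV_POLL_INTERVAL variables are assumptions made for illustration; the realm-to-unit mapping follows the EXAMPLE.TEST / dirsrv@EXAMPLE-TEST.service pair from the steps above.

```sh
#!/bin/sh
# Added example (not FreeIPA code): make sure the directory server that
# phase 1 created is running before the second --external-ca phase starts.

# Map an IPA realm to its 389-ds instance name: EXAMPLE.TEST -> EXAMPLE-TEST.
dirsrv_instance() {
    printf '%s\n' "$1" | tr '.' '-'
}

# systemd unit for that instance, e.g. dirsrv@EXAMPLE-TEST.service.
dirsrv_unit() {
    printf 'dirsrv@%s.service\n' "$(dirsrv_instance "$1")"
}

# ensure_dirsrv REALM [TRIES]
#   0  directory server is active (already, or after being started)
#   1  it could not be started, or did not become active within TRIES polls
#   2  no instance configuration exists, i.e. the phase 1 state is missing
#      (for example a fresh container without the persisted volumes)
ensure_dirsrv() {
    realm=$1
    tries=${2:-10}
    instance=$(dirsrv_instance "$realm")
    unit=$(dirsrv_unit "$realm")
    # DIRSRV_CONFDIR is a hypothetical override so the check can be tested.
    confdir="${DIRSRV_CONFDIR:-/etc/dirsrv}/slapd-${instance}"

    if [ ! -d "$confdir" ]; then
        echo "no dirsrv instance at $confdir; phase 1 state is missing" >&2
        return 2
    fi

    if systemctl is-active --quiet "$unit"; then
        return 0
    fi

    echo "$unit is not running; starting it" >&2
    systemctl start "$unit" || return 1

    # Poll until the unit reports active, so pkispawn does not race it.
    while [ "$tries" -gt 0 ]; do
        systemctl is-active --quiet "$unit" && return 0
        tries=$((tries - 1))
        sleep "${DIRSRV_POLL_INTERVAL:-1}"
    done
    echo "$unit did not become active" >&2
    return 1
}

# run_phase2 REALM [ipa-server-install options...]
# Runs the second phase only after the directory server is confirmed up.
run_phase2() {
    realm=$1
    shift
    ensure_dirsrv "$realm" || return $?
    ipa-server-install "$@"
}
```

Called as `run_phase2 EXAMPLE.TEST` followed by the same options as step 9, it stops before pkispawn runs and returns 2 when the container has no phase 1 state at all.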

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

2 years ago

We are seeing this issue too, in CentOS 7.3 using the same version of ipa-server. Happy to provide any other information you may need.

ipa-server version: ipa-server-4.4.0-14.el7.centos.7.x86_64

We are running

ipa-replica-install --setup-ca replica-info-server.domain.com.gpg

and seeing this issue.

When we look in /var/log/pki/pki-tomcat/ca/debug

we see a lot of the following, but it doesn't seem catastrophic

 Property internaldb.ldapconn.port missing value
    at com.netscape.cmscore.base.PropConfigStore.getInteger(PropConfigStore.java:452)
    at com.netscape.cmscore.ldapconn.LdapConnInfo.init(LdapConnInfo.java:55)
    at com.netscape.cmscore.ldapconn.LdapConnInfo.<init>(LdapConnInfo.java:45)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:123)
    at com.netscape.cmscore.cert.CrossCertPairSubsystem.init(CrossCertPairSubsystem.java:124)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:580)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:748)

But the failure happens here:

[http-bio-8443-exec-3]: === Subsystem Configuration ===
[http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://ipa-master-server.domain.com:443
[http-bio-8443-exec-3]: SystemConfigService: import certificate chain from master
[http-bio-8443-exec-3]: ConfigurationUtils: Searching for SecureAdminPort in CA hosts
[http-bio-8443-exec-3]: ConfigurationUtils: host: ipa-master-server.domain.com
[http-bio-8443-exec-3]: ConfigurationUtils: SecurePort port: 443
[http-bio-8443-exec-3]: ConfigurationUtils: SecureAdminPort port found: 443
[http-bio-8443-exec-3]: ConfigurationUtils.importCertChain()
[http-bio-8443-exec-3]: ConfigurationUtils: GET https://ipa-master-server.domain.com:443/ca/admin/ca/getCertChain
[http-bio-8443-exec-3]: Server certificate:
[http-bio-8443-exec-3]:  - subject: CN=ipa-master-server.domain.com,O=domain.com
[http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=domain.com
[http-bio-8443-exec-3]: SystemConfigService: get configuration entries from master
[http-bio-8443-exec-3]: updateNumberRange start host=ipa-master-server.domain.com adminPort=443 eePort=443
[http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master-server.domain.com:443/ca/admin/ca/updateNumberRange
[http-bio-8443-exec-3]: Server certificate:
[http-bio-8443-exec-3]:  - subject: CN=ipa-master-server.domain.com,O=domain.com
[http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=domain.com
[http-bio-8443-exec-3]: updateNumberRange: Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
[http-bio-8443-exec-3]: updateNumberRange: Attempting to contact master using EE port
[http-bio-8443-exec-3]: ConfigurationUtils: POST https://ipa-master-server.domain.com:443/ca/ee/ca/updateNumberRange
[http-bio-8443-exec-3]: Server certificate:
[http-bio-8443-exec-3]:  - subject: CN=ipa-master-server.domain.com,O=domain.com
[http-bio-8443-exec-3]:  - issuer: CN=Certificate Authority,O=domain.com
javax.ws.rs.NotFoundException: HTTP 404 Not Found
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:181)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:154)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:444)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.post(ClientInvocationBuilder.java:201)
    at com.netscape.certsrv.client.PKIConnection.post(PKIConnection.java:480)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.post(ConfigurationUtils.java:254)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.updateNumberRange(ConfigurationUtils.java:656)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.getConfigEntriesFromMaster(ConfigurationUtils.java:556)
    at org.dogtagpki.server.rest.SystemConfigService.configureClone(SystemConfigService.java:882)
    at org.dogtagpki.server.rest.SystemConfigService.configureSubsystem(SystemConfigService.java:1019)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:164)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:121)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)

I somehow managed to miss your earlier comment. These are two separate issues: this one is about installing a server with an external CA when deliberately stopping the directory server instance in between the two steps of the installation.
You, however, are installing a replica with a CA, which is a different scenario. I wonder at which step the installation is failing for you; if it's at the start of the previously configured CA instance, it's indeed most probably caused by https://pagure.io/freeipa/issue/6766.

Metadata Update from @stlaz:
- Issue close_status updated to: None

2 years ago

Metadata Update from @fbarreto:
- Issue assigned to fbarreto (was: someone)

2 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.7 (was: Future Releases)

2 years ago

master:

  • bf0b74b Checks if Dir Server is installed and running before IPA installation

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

ipa-4-5:

  • d20cac7 Checks if Dir Server is installed and running before IPA installation

ipa-4-6:

  • b2bafe8 Checks if Dir Server is installed and running before IPA installation

Milestone updated to FreeIPA 4.5.5

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.7)

a year ago

master:

  • f1f1809 When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fail.
  • 1ad2707 Updated the TestExternalCA with the functions introduced for the steps of external CA installation.

ipatool was not able to backport the PR to 4.5 and 4.6. Please create backport PRs manually.

ipa-4-6:

  • 1a3fc3b When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fail.
  • 522c681 Updated the TestExternalCA with the functions introduced for the steps of external CA installation.

ipa-4-5:

  • fb107bf When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fail.
  • 4240a74 Updated the TestExternalCA with the functions introduced for the steps of external CA installation.
