When trying to convert CA-less master to CA-full, the ipa-ca-install command fails with:
# ipa-ca-install -p Secret123
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: creating certificate server user
  [2/30]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpdVpOj5' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.
In the CA installation logs I can see this error:
2017-04-07T14:00:17Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170407140017.log
Loading deployment configuration from /tmp/tmpdVpOj5.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed: Directory '/etc/pki/pki-tomcat' already exists!

2017-04-07T14:00:17Z DEBUG stderr=pkispawn    : ERROR    ....... Directory '/etc/pki/pki-tomcat' already exists!

2017-04-07T14:00:17Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpdVpOj5' returned non-zero exit status 1
2017-04-07T14:00:17Z CRITICAL See the installation logs and the following files/directories for more information:
2017-04-07T14:00:17Z CRITICAL   /var/log/pki/pki-tomcat
2017-04-07T14:00:17Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 423, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 413, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 624, in __spawn_instance
    nolog_list=(self.dm_password, self.admin_password, pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 395, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
The CA deployment scriptlet complains about an existing directory; however, this directory did not exist before calling ipa-ca-install:
# ls /etc/pki/
CA  ca-trust  consumer  default.cfg  entitlement  java  nssdb  pki.conf  pki.version  rpm-gpg  rsyslog  tls
This seems to be a regression either in FreeIPA's configuration setup, or in Dogtag CA spawn machinery.
Versions:
# rpm -q freeipa-server pki-ca
freeipa-server-4.5.0.dev201704071057+gitab27067-0.fc25.x86_64
pki-ca-10.3.5-11.fc25.noarch
Steps to reproduce:
1.) install CA-less ipa server w/ 3rd party HTTP/DS/PKINIT certificates
2.) ipa-ca-install -p DM_PASSWORD

Actual results: Installation of Dogtag CA instance fails

Expected results: CA is successfully deployed and functional
Attached are the IPA CA install log and PKI CA instance spawn log.
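The failure above has two parts a defender wants to catch early: a pkispawn exit that the installer reports only as "CA configuration failed.", and the real cause buried in the DEBUG lines. The following is an added example, not FreeIPA or Dogtag code: a pre-flight check for leftover pki-tomcat instance paths (the path list and the `root` parameter are assumptions for illustration) and a small parser that pulls the pkispawn command, exit status and conflicting directory out of ipa-ca-install log lines like the ones quoted in this report.

```python
import os
import re

# Paths an instance named pki-tomcat occupies; pkispawn refuses to run when the
# config directory already exists (the error in this report). Constructed from
# the paths named in the logs above, not a full inventory of Dogtag state.
PKI_TOMCAT_PATHS = (
    "/etc/pki/pki-tomcat",
    "/var/lib/pki/pki-tomcat",
    "/var/log/pki/pki-tomcat",
    "/etc/sysconfig/pki/tomcat/pki-tomcat",
)

_EXISTS_RE = re.compile(r"Directory '([^']+)' already exists!")
_SPAWN_RE = re.compile(
    r"Command '(/usr/sbin/pkispawn[^']*)' returned non-zero exit status (\d+)")

# Constructed sample: the relevant lines from the ipa-ca-install log above.
SAMPLE_LOG = [
    "2017-04-07T14:00:17Z DEBUG stderr=pkispawn    : ERROR    ....... "
    "Directory '/etc/pki/pki-tomcat' already exists!",
    "2017-04-07T14:00:17Z CRITICAL Failed to configure CA instance: Command "
    "'/usr/sbin/pkispawn -s CA -f /tmp/tmpdVpOj5' returned non-zero exit status 1",
]


def preflight_leftovers(root="/"):
    """Return the instance paths that already exist under ``root``.

    ``root`` is a hypothetical parameter so the check can run against a staging
    tree; on a real host leave it at the default before running ipa-ca-install.
    """
    return [p for p in PKI_TOMCAT_PATHS
            if os.path.exists(os.path.join(root, p.lstrip("/")))]


def classify_spawn_failure(log_lines):
    """Scan installer log lines and explain a pkispawn failure.

    Returns a dict with the failing command, its exit status and, when the cause
    is a pre-existing directory, that path under ``existing_dir``; None when no
    pkispawn failure appears in the lines.
    """
    result = None
    for line in log_lines:
        m = _SPAWN_RE.search(line)
        if m:
            result = result or {}
            result["command"], result["exit_status"] = m.group(1), int(m.group(2))
        m = _EXISTS_RE.search(line)
        if m:
            result = result or {}
            result["existing_dir"] = m.group(1)
    return result
```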
Metadata Update from @mbabinsk:
- Issue priority set to: critical
- Issue tagged with: regression

Metadata Update from @stlaz:
- Issue assigned to stlaz
master:
ipa-4-5:
Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue set to the milestone: FreeIPA 4.5.1
- Issue status updated to: Closed (was: Open)

Metadata Update from @pvomacka:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1441718
Issue linked to Bugzilla: Bug 1441718