Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1462112
Description of problem:
With FIPS mode enabled ipa-server install command failed with RuntimeError: CA configuration failed

Version-Release number of selected component (if applicable):
    ipa-server-4.5.0-18.el7.x86_64
    sssd-1.15.2-47.el7.x86_64
    389-ds-base-1.3.6.1-16.el7.x86_64
    pki-server-10.4.1-9.el7.noarch
    pki-ca-10.4.1-9.el7.noarch
    selinux-policy-3.13.1-162.el7.noarch
    samba-4.6.2-6.el7.x86_64
    custodia-0.3.1-3.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Setup FIPS on RHEL7.4 using the below steps

    # cat /etc/sysconfig/prelink | grep PRELINKING
    i.e. PRELINKING=no
    # prelink -u -a
    # yum install -y dracut-fips
    # dracut -f
    # df /boot
    Filesystem     1K-blocks   Used Available Use% Mounted on
    /dev/sda1        1038336 194432    843904  19% /boot
    # blkid /dev/sda1
    /dev/sda1: UUID="a7c8839b-ee02-4a56-a667-c271bcf3c15e" TYPE="xfs"
    # vi /etc/default/grub
    GRUB_CMDLINE_LINUX="fips=1 boot=UUID=a7c8839b-ee02-4a56-a667-c271bcf3c15e crashkernel=auto rd.lvm.lv=rhel_auto-hv-02-guest02/root rd.lvm.lv=rhel_auto-hv-02-guest02/swap console=ttyS0,115200"
    # grub2-mkconfig -o /boot/grub2/grub.cfg
    # reboot
    # sysctl -a | grep fips_enabled
    crypto.fips_enabled = 1
    sysctl: reading key "net.ipv6.conf.all.stable_secret"
    sysctl: reading key "net.ipv6.conf.default.stable_secret"
    sysctl: reading key "net.ipv6.conf.ens3.stable_secret"
    sysctl: reading key "net.ipv6.conf.lo.stable_secret"

2. IPA server is installed with multiple --ip-address, --no-pkinit, --setup-adtrust options

    #ipa-server-install -p **** -a ***** --ip-address=<ip-address1> --ip-address=<ip-address2> -n TEST.QE -r TEST.QE --hostname=authohv02.testqe.test --setup-dns --setup-adtrust --no-pkinit --no-reverse --forwarder=<ip-address> --no-dnssec-validation --netbios-name=TEST -v -U

Actual results:
IPA server install fails with the below error

    Installation failed: server failed to restart

    2017-06-16T06:43:27Z DEBUG stderr=pkispawn : ERROR ....... server failed to restart
    2017-06-16T06:43:27Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpIBBIdH' returned non-zero exit status 1
    2017-06-16T06:43:27Z CRITICAL See the installation logs and the following files/directories for more information:
    2017-06-16T06:43:27Z CRITICAL /var/log/pki/pki-tomcat
    2017-06-16T06:43:27Z DEBUG Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
        run_step(full_msg, method)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
        method()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
        self.tmp_agent_pwd)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
        self.handle_setup_error(e)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
        raise RuntimeError("%s configuration failed." % self.subsystem)
    RuntimeError: CA configuration failed.

    2017-06-16T06:43:27Z DEBUG [error] RuntimeError: CA configuration failed.
    2017-06-16T06:43:27Z DEBUG
      File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
        cfgr.run()
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
        self.execute()
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
        for _nothing in self._executor():
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
        exc_handler(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
        self._handle_exception(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
        six.reraise(*exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
        step()
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
        step = lambda: next(self.__gen)
      File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
        six.reraise(*exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
        value = gen.send(prev_value)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
        next(executor)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
        exc_handler(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
        self._handle_exception(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
        self.__parent._handle_exception(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
        six.reraise(*exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
        super(ComponentBase, self)._handle_exception(exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
        six.reraise(*exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
        step()
      File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
        step = lambda: next(self.__gen)
      File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
        six.reraise(*exc_info)
      File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
        value = gen.send(prev_value)
      File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
        for _nothing in self._installer(self.parent):
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 578, in main
        master_install(self)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 250, in decorated
        func(installer)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 802, in install
        ca.install_step_0(False, None, options)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
        use_ldaps=standalone)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
        self.start_creation(runtime=runtime)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
        run_step(full_msg, method)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
        method()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
        self.tmp_agent_pwd)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
        self.handle_setup_error(e)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
        raise RuntimeError("%s configuration failed." % self.subsystem)

    2017-06-16T06:43:27Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
    2017-06-16T06:43:27Z ERROR CA configuration failed.

Expected results:
IPA server install should work without any error.

Additional info:
Attaching console logs.
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1462112
Metadata Update from @pvoborni: - Issue assigned to sbose
master:
ipa-4-5:
Metadata Update from @pvomacka: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
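Added example, not part of the original ticket or of FreeIPA: a preflight script that verifies the FIPS state set up in step 1 of the report (prelinking off, fips=1 and boot=UUID= on the kernel command line, crypto.fips_enabled = 1) before ipa-server-install is run. The function names are hypothetical; the script assumes findmnt is available and treats a missing /etc/sysconfig/prelink as "prelink not installed".

```shell
#!/bin/sh
# Added example (not from the ticket). Sample values below are copied from
# the GRUB_CMDLINE_LINUX line and blkid output shown in the report.
SAMPLE_UUID='a7c8839b-ee02-4a56-a667-c271bcf3c15e'
SAMPLE_CMDLINE="fips=1 boot=UUID=$SAMPLE_UUID crashkernel=auto console=ttyS0,115200"

# cmdline_ok CMDLINE [BOOT_UUID]: kernel args must carry fips=1 and, when
# /boot is a separate filesystem, boot=UUID=<UUID of that filesystem>.
cmdline_ok() (
    set -f                       # no globbing while word-splitting CMDLINE
    fips=0; boot=
    for arg in $1; do
        case $arg in
            fips=1)      fips=1 ;;
            boot=UUID=*) boot=${arg#boot=UUID=} ;;
        esac
    done
    [ "$fips" = 1 ] || { echo "FAIL: fips=1 not on kernel command line"; return 1; }
    [ -z "$2" ] || [ "$boot" = "$2" ] || {
        echo "FAIL: boot=UUID=$boot does not match /boot ($2)"; return 1; }
)

# prelink_off FILE: PRELINKING=no must be set (assumption: no file means
# prelink is not installed, which is also acceptable).
prelink_off() {
    [ ! -e "$1" ] || grep -Eq '^[[:space:]]*PRELINKING=no[[:space:]]*$' "$1" ||
        { echo "FAIL: PRELINKING is not 'no' in $1"; return 1; }
}

# fips_flag_on FILE: the kernel must report crypto.fips_enabled as 1.
fips_flag_on() {
    [ "$(cat "$1" 2>/dev/null)" = 1 ] || { echo "FAIL: $1 is not 1"; return 1; }
}

# fips_preflight [CMDLINE_FILE FLAG_FILE PRELINK_FILE BOOT_UUID]
# Defaults read the live system; arguments allow offline checks.
fips_preflight() {
    cmdline_file=${1:-/proc/cmdline}
    flag_file=${2:-/proc/sys/crypto/fips_enabled}
    prelink_file=${3:-/etc/sysconfig/prelink}
    boot_uuid=${4-$(findmnt -no UUID /boot 2>/dev/null)}
    rc=0
    cmdline_ok "$(cat "$cmdline_file")" "$boot_uuid" || rc=1
    fips_flag_on "$flag_file" || rc=1
    prelink_off "$prelink_file" || rc=1
    [ "$rc" = 0 ] && echo "OK: FIPS mode active and consistent"
    return "$rc"
}
```

Source the file and call `fips_preflight` with no arguments on the host; every failed check is reported before the non-zero return, so a single run lists all problems.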