ipa-ca-install after ipa-replica-install fails on new replica. With same configuration ipa-replica-install --setup-ca works perfectly fine.
[3/24]: creating installation admin user
[4/24]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpjrksikcn'] returned non-zero exit status 1: 'password file contains no data\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.
No error
freeipa-server-4.6.90.pre1.dev201804251017+git04e1ae7bf-0.fc28.x86_64
freeipa-client-4.6.90.pre1.dev201804251017+git04e1ae7bf-0.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.8-1.fc28.x86_64
pki-ca-10.6.0-1.fc28.noarch
krb5-server-1.16-23.fc28.x86_64
# certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Directory Server CA certificate                              CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,P
subsystemCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      CTu,Cu,Cu
2018-04-25T16:04:45Z DEBUG Starting external process
2018-04-25T16:04:45Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpjrksikcn']
2018-04-25T16:05:20Z DEBUG Process finished, return code=1
2018-04-25T16:05:20Z DEBUG stdout=---------------
4 entries found
---------------
  Certificate ID: 47ea734fe8fe15142937b4285e0e0e4aa2d9ac31
  Serial Number: 0x1
  Friendly Name: caSigningCert cert-pki-ca
  Subject DN: CN=Certificate Authority,O=IPA.EXAMPLE
  Issuer DN: CN=Certificate Authority,O=IPA.EXAMPLE
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 631bc51d9be52623c96bd9948104aeb3c81de87a
  Serial Number: 0x2
  Friendly Name: ocspSigningCert cert-pki-ca
  Subject DN: CN=OCSP Subsystem,O=IPA.EXAMPLE
  Issuer DN: CN=Certificate Authority,O=IPA.EXAMPLE
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 8bc802d6232f7c87a6dfb22ca422c35d06e046aa
  Serial Number: 0x5
  Friendly Name: auditSigningCert cert-pki-ca
  Subject DN: CN=CA Audit,O=IPA.EXAMPLE
  Issuer DN: CN=Certificate Authority,O=IPA.EXAMPLE
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: b33958aec97229781ef18a797b6b3e94bfc37086
  Serial Number: 0x4
  Friendly Name: subsystemCert cert-pki-ca
  Subject DN: CN=CA Subsystem,O=IPA.EXAMPLE
  Issuer DN: CN=Certificate Authority,O=IPA.EXAMPLE
  Trust Flags: u,u,u
  Has Key: true
---------------
Import complete
---------------

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,P
subsystemCert cert-pki-ca                                    ,,

Log file: /var/log/pki/pki-ca-spawn.20180425180447.log
Loading deployment configuration from /tmp/tmpjrksikcn.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:
Imported certificates in /etc/pki/pki-tomcat/alias:
Installation failed: HTTP Status 500 – Internal Server Error
Type: Exception Report
Message: java.lang.Exception: Missing system certificate: caSigningCert cert-pki-ca
Description: The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception:
org.jboss.resteasy.spi.UnhandledException: java.lang.Exception: Missing system certificate: caSigningCert cert-pki-ca
	org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
	org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
	org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
	org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
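The `certutil -L` listing in the report is the quickest place to see the failure: pkispawn imported four certificates from ca.p12, yet `caSigningCert cert-pki-ca` never appears in the pki-tomcat NSS database, which is exactly the "Missing system certificate" the server then reports. The following is an added diagnostic (not FreeIPA or Dogtag code) that parses a `certutil -L` listing, whose nicknames contain spaces, and reports which of the Dogtag CA system certificates are absent; the sample listing is constructed from the output quoted above, and `check_nssdb` assumes `certutil` is on PATH.

```python
# Parse `certutil -d <nssdb> -L` output and report which Dogtag CA system
# certificates are missing. Added diagnostic, not FreeIPA/Dogtag code.
import re
import subprocess

# Nicknames pkispawn expects to find in /etc/pki/pki-tomcat/alias on a CA clone.
REQUIRED_CA_NICKNAMES = (
    "caSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
)

# Trust column: three comma-separated flag groups, e.g. "CT,C,C", ",,P" or ",,".
_TRUST_RE = re.compile(r"\s+([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_certutil_listing(text):
    """Return {nickname: trust_flags}; the trust column is split off from the right."""
    certs = {}
    for line in text.splitlines():
        m = _TRUST_RE.search(line)
        if not m:  # headers, blank lines and "SSL,S/MIME,JAR/XPI" do not match
            continue
        certs[line[: m.start()].strip()] = m.group(1)
    return certs

def missing_system_certs(listing, required=REQUIRED_CA_NICKNAMES):
    """Nicknames pkispawn needs that are absent from the listing, in expected order."""
    present = parse_certutil_listing(listing)
    return [n for n in required if n not in present]

def check_nssdb(path="/etc/pki/pki-tomcat/alias"):
    """Run certutil against a live NSS database and return the missing nicknames."""
    out = subprocess.run(["certutil", "-d", path, "-L"], check=True,
                         capture_output=True, text=True).stdout
    return missing_system_certs(out)

# Constructed sample: the listing the reporter saw after pkispawn failed.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Directory Server CA certificate                              CT,C,C
ocspSigningCert cert-pki-ca                                  ,,
auditSigningCert cert-pki-ca                                 ,,P
subsystemCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      CTu,Cu,Cu
"""
```

On the reporter's replica, `missing_system_certs(SAMPLE_LISTING)` returns only the CA signing certificate nickname; a healthy clone returns an empty list.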
The issue is probably related to https://bugzilla.redhat.com/show_bug.cgi?id=1568271
Confirmed, the issue is caused by the bug. I was able to track the problem down to a mismatch between DBM and SQL layer in NSS's softokn. The DBM layer had a special case for CKA_LABEL of CKO_CERTIFICATE, see comment https://bugzilla.redhat.com/show_bug.cgi?id=1568271#c2
I submitted a patch and have built a patched nss-softokn package on @freeipa/freeipa-master COPR. With the patched package, the bug is gone.
@cheimes I will review your NSS patch, tonight or tomorrow (i.e. expect feedback before Tuesday AM your time).
Thanks @ftweedal
@cheimes I had one comment about the patch but it seems NSS devel rejected the approach. I'm working on a change in FreeIPA to avoid the issue.
Bob is working on the issue and has provided patched builds on the BZ.
Metadata Update from @ftweedal:
- Issue assigned to ftweedal
OK, yeah I'm in favour of Bob's patch.
There are still more places where the changed behaviour bites us, e.g. ipa-certupdate.
master:
The test passes in the nightly run on F27 with new dogtag packages and new nss: https://fedorapeople.org/groups/freeipa/prci/jobs/2e2ff33e-57d4-11e8-b865-fa163e66cd89/-TestInstallWithCA1--test_replica0_ipa_ca_install/replica0.ipa.test/var/log/
According to https://fedorapeople.org/groups/freeipa/prci/jobs/2e2ff33e-57d4-11e8-b865-fa163e66cd89/installed_packages/installed_packages_replica0.log.gz, we have 10.6.1 dogtag packages:
pki-base-10.6.1-1.fc27.noarch
pki-base-java-10.6.1-1.fc27.noarch
pki-ca-10.6.1-1.fc27.noarch
pki-kra-10.6.1-1.fc27.noarch
pki-server-10.6.1-1.fc27.noarch
pki-symkey-10.6.1-1.fc27.x86_64
pki-tools-10.6.1-1.fc27.x86_64
..
nss-3.36.1-1.1.fc27.x86_64
nss-pem-1.0.3-6.fc27.x86_64
nss-softokn-3.36.1-1.0.fc27.x86_64
nss-softokn-freebl-3.36.1-1.0.fc27.x86_64
nss-sysinit-3.36.1-1.1.fc27.x86_64
nss-tools-3.36.1-1.1.fc27.x86_64
nss-util-3.36.1-1.0.fc27.x86_64
Released as freeipa-server 4.6.90pre2.
Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)