ipa-kra-install fails with cert caSigningCert cert-pki-ca already exists
[1/10]: creating installation admin user [2/10]: configuring KRA instance Failed to configure KRA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'KRA', '-f', '/tmp/tmpb5m3axzr'] returned non-zero exit status 1: 'WARNING: cert caSigningCert cert-pki-ca already exists\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: KRA configuration failed.
install is ok
freeipa-server-4.6.90.pre2-3.fc28.x86_64 freeipa-client-4.6.90.pre2-3.fc28.x86_64 389-ds-base-1.4.0.11-2.fc28.x86_64 pki-ca-10.6.1-3.fc28.noarch pki-kra-10.6.1-3.fc28.noarch
tomcat log
2018-07-27 09:00:23 [https-jsse-nio-8443-exec-9] FINE: Server certificate: 2018-07-27 09:00:23 [https-jsse-nio-8443-exec-9] FINE: - subject: CN=vm-171-023.abc.idm.lab.eng.brq.redhat.com,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM 2018-07-27 09:00:23 [https-jsse-nio-8443-exec-9] FINE: - issuer: CN=Certificate Authority,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM 2018-07-27 09:00:23 [https-jsse-nio-8443-exec-9] WARNING: updateNumberRange: Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error 2018-07-27 09:00:23 [https-jsse-nio-8443-exec-9] WARNING: updateNumberRange: Attempting to contact master using EE port 2018-07-27 09:00:23 [https-jsse-nio-8443-exec-9] INFO: ConfigurationUtils: POST https://vm-171-023.abc.idm.lab.eng.brq.redhat.com:443/kra/ee/kra/updateNumberRange 2018-07-27 09:00:23 [https-jsse-nio-8443-exec-9] SEVERE: Configuration failed: HTTP 404 Not Found javax.ws.rs.NotFoundException: HTTP 404 Not Found at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:201) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:174) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:473) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.post(ClientInvocationBuilder.java:201) at com.netscape.certsrv.client.PKIConnection.post(PKIConnection.java:509) at com.netscape.cms.servlet.csadmin.ConfigurationUtils.post(ConfigurationUtils.java:254) at com.netscape.cms.servlet.csadmin.ConfigurationUtils.updateNumberRange(ConfigurationUtils.java:676) at com.netscape.cms.servlet.csadmin.ConfigurationUtils.getConfigEntriesFromMaster(ConfigurationUtils.java:573) at org.dogtagpki.server.rest.SystemConfigService.configureClone(SystemConfigService.java:833) at org.dogtagpki.server.rest.SystemConfigService.configureSubsystem(SystemConfigService.java:981) at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:150) at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:107) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
Test which fails are on this issue: installation_TestInstallWithCA_KRA2 http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/18477354-917b-11e8-8e1b-fa163edbadcd/report.html installation_TestInstallWithCA_KRA_DNS2 http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/1cfd31e0-917b-11e8-a85a-fa163ec22b3d/
snipped from KRA debug log:
2018-07-27 10:59:06 [https-jsse-nio-8443-exec-20] INFO: ConfigurationUtils: POST https://replica0.ipa.test:443/kra/admin/kra/updateNumberRange 2018-07-27 10:59:06 [https-jsse-nio-8443-exec-20] FINE: Server certificate: 2018-07-27 10:59:06 [https-jsse-nio-8443-exec-20] FINE: - subject: CN=replica0.ipa.test,O=IPA.TEST 2018-07-27 10:59:06 [https-jsse-nio-8443-exec-20] FINE: - issuer: CN=Certificate Authority,O=IPA.TEST 2018-07-27 10:59:06 [https-jsse-nio-8443-exec-20] FINE: content from admin interface =<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Error: Failed to update number range.</Error></XMLResponse> 2018-07-27 10:59:07 [https-jsse-nio-8443-exec-20] FINE: updateNumberRange(): status=1 2018-07-27 10:59:07 [https-jsse-nio-8443-exec-20] SEVERE: Configuration failed: Error: Failed to update number range. java.io.IOException: Error: Failed to update number range.
I think we need input from @ftweedal or @edewata
I'll try and reproduce tomorrow, and if successful pursue the fix.
Was not able to reproduce. I will now have a closer look at logs. It may be a replication race caused by slow CI environment.
On further investigation it doesn't seem to be a race. Rather we see in the log for replica0.ipa.test (the master the clone-in-progress is contacting):
replica0.ipa.test
2018-07-27 10:59:06 [ajp-nio-127.0.0.1-8009-exec-1] FINE: Repository:In getTheSerialNumber 2018-07-27 10:59:06 [ajp-nio-127.0.0.1-8009-exec-1] FINE: UpdateNumberRange: Failed to update number range: java.lang.NullPointerException 2018-07-27 10:59:06 [ajp-nio-127.0.0.1-8009-exec-1] WARNING: java.lang.NullPointerException at java.math.BigInteger.compareTo(BigInteger.java:3519) at com.netscape.cms.servlet.csadmin.UpdateNumberRange.process(UpdateNumberRange.java:190)
From reading the code, the only way I can see how this would arise is when the master's request range configuration is messed up, with "last serial number" >= "max serial number". The logs do not support this, but then again, the logs do not necessarily tell the whole story. I have a theory about how this is happening. I need to test the theory, and if substantiated it would be a complex issue to fix.
The theory is:
updateNumberRange
The workaround implied by this theory is to create all clones from the original master. Of course, we must support creating clones from clones and that is what this test is checking, so we still have to fix it.
Metadata Update from @ftweedal: - Issue assigned to ftweedal
I'm pushing this to 4.7 backlog unless you'll be able to solve it in upcoming week(s).
Metadata Update from @abbra: - Issue set to the milestone: FreeIPA 4.7 backlog
@abbra: I'm working on it; hold off a couple of days and we'll see how I go.
Dogtag ticket: https://pagure.io/dogtagpki/issue/3055
Metadata Update from @ftweedal: - Custom field blockedby adjusted to https://pagure.io/dogtagpki/issue/3055
PR: https://github.com/dogtagpki/pki/pull/40
master:
ipa-4-7:
Metadata Update from @tdudlak: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
I am re-opening the issue as the above commit only marks the tests as known failure. We are still waiting for a fix on dogtag side and will need to bump pki version when the fix is available.
Metadata Update from @frenaud: - Issue status updated to: Open (was: Closed)
Fix was pushed to Dogtag master:
* 128628693d51adf753750f7ac1307ec246822db9 Add missing synchronisation for range management * 44be5837503efa4b2b44718379ebaebcebd805ab UpdateNumberRange: improve logging, add commentary * 925ef2637f01d5aff0306d9b70c8a6b916d8b74e checkRange: small refactor and add commentary * 3b57d324ed9eea61b828aea4801ac7abe8139859 rename method getTheSerialNumber -> peekNextSerialNumber * 8011d2d74ad40142b1762e514d3db58d69fb89b0 Repository: handle depleted range in initCache() * b5ddac86a266bbb9dbd3cb70c70c9de0b2dcc0e7 getTheSerialNumber: only return null if next range not available
After we cut a Dogtag release with these fixes we can bump the dep, restore the test, and close this issue.
Dogtag v10.6.7 was tagged (ee92a50f47652b56320a5faf78a3f443faef3b15) but no build yet.
v10.6.7
pki-core-10.6.7-1 is now in updates-testing for f28 and f29. PR: https://github.com/freeipa/freeipa/pull/2436
pki-core-10.6.7-1
f28
f29
Metadata Update from @ftweedal: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2436
@ftweedal What's the status of the update? https://bodhi.fedoraproject.org/updates/FEDORA-2018-83e180a755 is blocked by a failing integration test.
I have build 10.6.7 on COPR and ran into https://pagure.io/dogtagpki/issue/3073. I have now removed the 10.6.7 build and gave negative Karma to the update. We have to wait for 10.6.8.
Thanks for the update (and the Dogtag patch!) @cheimes.
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.