freeipa

Clone
Source Code
GIT

#8418 freeipa setup fails on new centos8 server
Closed: fixed 3 years ago by maverickws. Opened 3 years ago by maverickws.

Closed: fixed
Reopen Issue

Issue

Installing new freeipa server (master) on a brand new CentOS8 install fails.

# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="8"

Steps to Reproduce

  1. CentOS 8 minimal install
  2. Edit the hosts file properly
  3. dnf update / enable idm:DL1 / install idm:DL1/{dns,adtrust}
  4. ipa-server-install

Actual behavior

# ipa-server-install --allow-zone-overlap

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.8.4

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [id01.domain.io]: 

Warning: skipping DNS resolution of host id01.domain.io
The domain name has been determined based on the host name.

Please confirm the domain name [domain.io]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [DOMAIN.IO]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm): 

Checking DNS domain domain.io., please wait ...
DNS zone domain.io. already exists in DNS and is handled by server(s): main.domain.io. Please make sure that the domain is properly delegated to this IPA server.
No network interface matches the IP address 195.101.11x.xx
WARNING: No network interface matches the IP address 195.101.11x.xx
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: 
Reverse record for IP address 195.101.11x.xx already exists
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 
Enter a NTP source pool address, or press Enter to skip: 0.europe.pool.ntp.org,1.europe.pool.ntp.org

The IPA Master Server will be configured with:
Hostname:       id01.domain.io
IP address(es): 195.101.11x.xx
Domain name:    domain.io
Realm name:     DOMAIN.IO

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=DOMAIN.IO
Subject base: O=DOMAIN.IO
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Forward policy:   first
Reverse zone(s):  No reverse zone

NTP pool:   0.europe.pool.ntp.org,1.europe.pool.ntp.org
Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
Augeas failed to configure file /etc/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: configure autobind for root
  [3/44]: stopping directory server
  [4/44]: updating configuration in dse.ldif
  [5/44]: starting directory server
  [6/44]: adding default schema
  [7/44]: enabling memberof plugin
  [8/44]: enabling winsync plugin
  [9/44]: configure password logging
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache and keytab
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwiwxs5ey'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: CA subsystem did not start after 60s\n  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n    request_timeout=status_request_timeout,\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 920, in wait_for_startup\n    (subsystem.type, timeout)) from exc\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected behavior

install to finish successfully

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
ipa-client-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
389-ds-base-1.4.2.4-8.module_el8.2.0+366+71e3276f.x86_64
pki-ca-10.8.3-2.module_el8.2.0+371+f5726439.noarch
krb5-server-1.17-18.el8.x86_64

Additional info:

Clean install.
I repeated the process three times

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting

Logs at /var/log/pki/ are empty don't have any errors.
/var/log/ipaserver-install.log

2020-07-17T11:08:06Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 188, in spawn_instance
    ipautil.run(args, nolog=nolog_list)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run
    p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwiwxs5ey'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: CA subsystem did not start after 60s\n  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n    request_timeout=status_request_timeout,\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 920, in wait_for_startup\n    (subsystem.type, timeout)) from exc\n\n')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 596, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 190, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 423, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2020-07-17T11:08:06Z DEBUG   [error] RuntimeError: CA configuration failed.
2020-07-17T11:08:06Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2020-07-17T11:08:06Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 564, in main
    master_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 276, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 891, in install
    ca.install_step_0(False, None, options, custodia=custodia)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
    pki_config_override=options.pki_config_override,
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 480, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 596, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 190, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 423, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2020-07-17T11:08:06Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2020-07-17T11:08:06Z ERROR CA configuration failed.
2020-07-17T11:08:06Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Please upload the pki-ca-spawn log from /var/log/pki and check journalctl messages related to Java, Tomcat, and pki-tomcatd@pki-tomcat.service.

/var/log/pki/pki-ca-spawn.20200717120639.log

2020-07-17 12:08:06 ERROR: Exception: CA subsystem did not start after 60s
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn
    request_timeout=status_request_timeout,
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 920, in wait_for_startup
    (subsystem.type, timeout)) from exc

# journalctl -xeu pki-tomcatd@pki-tomcat.service

-- Logs begin at Fri 2020-07-17 11:46:05 WEST, end at Fri 2020-07-17 12:33:01 WEST. --
Jul 17 12:07:05 id01.issc.io systemd[1]: Starting PKI Tomcat Server pki-tomcat...
-- Subject: Unit pki-tomcatd@pki-tomcat.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit pki-tomcatd@pki-tomcat.service has begun starting up.
Jul 17 12:07:06 id01.issc.io pki-server[48378]: ----------------------------
Jul 17 12:07:06 id01.issc.io pki-server[48378]: pki-tomcat instance migrated
Jul 17 12:07:06 id01.issc.io pki-server[48378]: ----------------------------
Jul 17 12:07:06 id01.issc.io systemd[1]: Started PKI Tomcat Server pki-tomcat.
-- Subject: Unit pki-tomcatd@pki-tomcat.service has finished start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit pki-tomcatd@pki-tomcat.service has finished starting up.
-- 
-- The start-up result is done.
Jul 17 12:07:06 id01.issc.io server[48492]: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jul 17 12:07:06 id01.issc.io server[48492]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar
Jul 17 12:07:06 id01.issc.io server[48492]: main class used: org.apache.catalina.startup.Bootstrap
Jul 17 12:07:06 id01.issc.io server[48492]: flags used:
Jul 17 12:07:06 id01.issc.io server[48492]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomca>
Jul 17 12:07:06 id01.issc.io server[48492]: arguments used: start

# pwd
/var/log/pki/pki-tomcat
# ls -l
total 0
drwxrwx---. 4 pkiuser pkiuser 102 Jul 17 12:07 ca
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 17 12:06 catalina.2020-07-17.log
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 17 12:06 host-manager.2020-07-17.log
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 17 12:06 localhost.2020-07-17.log
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 17 12:07 localhost_access_log.2020-07-17.txt
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 17 12:06 manager.2020-07-17.log
drwxr-xr-x. 2 pkiuser pkiuser  34 Jul 17 12:07 pki
#

/var/log/pki/pki-tomcat/ca/debug.2020-07-17.log

2020-07-17 12:07:10 [main] INFO: CMSEngine: Initializing authz subsystem
2020-07-17 12:07:10 [main] INFO: AAclAuthz: group evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: ipaddress evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: user evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: user_origreq evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: initialization done
2020-07-17 12:07:10 [main] INFO: BasicAclAuthz: initialization done
2020-07-17 12:07:10 [main] INFO: AuthzSubsystem: authz manager instance BasicAclAuthz added
2020-07-17 12:07:10 [main] INFO: AAclAuthz: group evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: ipaddress evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: user evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: user_origreq evaluator registered
2020-07-17 12:07:10 [main] INFO: AAclAuthz: initialization done
2020-07-17 12:07:10 [main] INFO: DirAclAuthz: found cn=aclResources,o=ipaca
2020-07-17 12:07:10 [main] INFO: DirAclAuthz: initialization done
2020-07-17 12:07:10 [main] INFO: AuthzSubsystem: authz manager instance DirAclAuthz added
2020-07-17 12:07:10 [main] INFO: AuthzSubsystem: authz initialization done.
2020-07-17 12:07:10 [main] INFO: CMSEngine: Initializing jobsScheduler subsystem
2020-07-17 12:07:10 [main] INFO: CMSEngine: Configuring auto shutdown
2020-07-17 12:07:10 [main] WARNING: CMSEngine: Unable to support auto-shutdown: Certificate not found: auditSigningCert cert-pki-tomcat
2020-07-17 12:07:10 [main] INFO: CMSEngine: Configuring servlet certificate nickname
2020-07-17 12:07:10 [main] INFO: CMSEngine: Configuring excluded LDAP attributes
2020-07-17 12:07:10 [main] INFO: ServerXml: Parsing /var/lib/pki/pki-tomcat/conf/server.xml
2020-07-17 12:07:10 [main] INFO: ServerXml: Unsecure port: 8080
2020-07-17 12:07:10 [main] INFO: ServerXml: Secure port: 8443
2020-07-17 12:07:10 [main] INFO: RequestSubsystem: Request subsystem started
2020-07-17 12:07:10 [main] INFO: LDAPProfileSubsystem: startup
2020-07-17 12:07:10 [main] INFO: CA subsystem started

last entries on journalctl: https://pastebin.com/Sn3YPzVC
Edited 3 years ago by maverickws

Hi,

Ok so the issue I had was related to the network config.
I was using such setup where the machine had an internal IP and there was an 1:1 NAT from the public address assigned.

The solution was to add the ip and subnet mask to the interface, so it had both configured: the internal ip and the external ip.

Afterwards I installed with no problems.

Thank you!

Metadata Update from @maverickws:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
3 years ago

Login to comment on this ticket.

Metadata
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.