#8422 Multiple similar failures in test_installation.py::TestInstallReplicaAgainstSpecificServer
Opened 4 months ago by fcami. Modified 3 months ago

In testing_master_latest Nightly PR #295 CA install failed:
logs

[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57]   [4/29]: creating installation admin user
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57]   [5/29]: configuring certificate server instance
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpopcr3_on'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nWARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nPKIException: Internal Server Error\nERROR: CalledProcessError: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-U\', \'https://master.ipa.test:443\', \'ca-range-request\', \'request\', \'--session\', \'1989201132665237160\', \'--output-format\', \'json\']\' returned non-zero exit status 255.\n  File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 575, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 854, in spawn\n    subsystem.update_ranges(master_url, deployer.install_token)\n  File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 975, in update_ranges\n    request_range = self.request_range(master_url, \'request\', install_token)\n  File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 967, in request_range\n    output = subprocess.check_output(cmd)\n  File "/usr/lib64/python3.8/subprocess.py", line 411, in check_output\n    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,\n  File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n    raise CalledProcessError(retcode, process.args,\n\n')
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57]   [error] RuntimeError: CA configuration failed.
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] CA configuration failed.
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] 
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] Your system may be partly configured.
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] Run /usr/sbin/ipa-server-install --uninstall to clean up.
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] 
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] Exit code: 1
ipa: ERROR: stderr: ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpopcr3_on'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nWARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nPKIException: Internal Server Error\nERROR: CalledProcessError: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-U\', \'https://master.ipa.test:443\', \'ca-range-request\', \'request\', \'--session\', \'1989201132665237160\', \'--output-format\', \'json\']\' returned non-zero exit status 255.\n  File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 575, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 854, in spawn\n    subsystem.update_ranges(master_url, deployer.install_token)\n  File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 975, in update_ranges\n    request_range = self.request_range(master_url, \'request\', install_token)\n  File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 967, in request_range\n    output = subprocess.check_output(cmd)\n  File "/usr/lib64/python3.8/subprocess.py", line 411, in check_output\n    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,\n  File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n    raise CalledProcessError(retcode, process.args,\n\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
CA configuration failed.

PKI logs contain:

'['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://master.ipa.test:443', 'ca-range-request', 'request', '--session', '1989201132665237160', '--output-format', 'json']' returned non-zero exit status 255.

Also happens in test_backup_and_restore:
testing_ipa-4.8_latest Nightly PR #296, logs

Also in test_replication_layouts.py::TestCompleteTopologyWithCAKRA::test_complete_topology_with_ca_kra
testing_master_389ds Nightly PR #299, report

I hit an issue like this a few weeks ago. But now I cannot remember the details or how I resolved it. If I remember anything I will add details here.

@fcami now I remember what happened...

See this part of the output:

WARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists

It is a red herring. I now recall that I spent a substantial time investigating the above, but it turned out to be harmless and unrelated to the actual failure.

And what was the actual failure. Well, it is unrelated to your failure here - my devel build of Dogtag was at a bad commit where some Java SystemConfigService changes had been committed, but the corresponding Python pkispawnchanges had not yet been committed, breaking pkispawn.

So, I do not have any good tips for solving the current problem - except that you can ignore that LDAP error. Reach out to the Dogtag team if you need help analysing the issue.

Thanks @ftweedal I've reached out to @dmoluguw , we will sort it out.

I think the CA debug log needs to be collected to diagnose this.

dogtagpki issue opened at #3182
The logs on the master show a servlet initialization failure with

access denied ("java.io.FilePermission" "/usr/share/pki/server/webapps/pki/WEB-INF/lib/slf4j-jdk14.jar" "read")

Login to comment on this ticket.

Metadata