In testing_master_latest Nightly PR #295 CA install failed: logs
[ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] [4/29]: creating installation admin user [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] [5/29]: configuring certificate server instance [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpopcr3_on'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nWARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nPKIException: Internal Server Error\nERROR: CalledProcessError: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-U\', \'https://master.ipa.test:443\', \'ca-range-request\', \'request\', \'--session\', \'1989201132665237160\', \'--output-format\', \'json\']\' returned non-zero exit status 255.\n File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 575, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 854, in spawn\n subsystem.update_ranges(master_url, deployer.install_token)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 975, in update_ranges\n request_range = self.request_range(master_url, \'request\', install_token)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 967, in request_range\n output = subprocess.check_output(cmd)\n File "/usr/lib64/python3.8/subprocess.py", line 411, in check_output\n return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,\n File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n raise CalledProcessError(retcode, process.args,\n\n') [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] [error] RuntimeError: CA configuration failed. [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] CA configuration failed. [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] Your system may be partly configured. [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] Run /usr/sbin/ipa-server-install --uninstall to clean up. [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] [ipatests.pytest_ipa.integration.host.Host.replica0.cmd57] Exit code: 1 ipa: ERROR: stderr: ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpopcr3_on'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nWARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nPKIException: Internal Server Error\nERROR: CalledProcessError: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-U\', \'https://master.ipa.test:443\', \'ca-range-request\', \'request\', \'--session\', \'1989201132665237160\', \'--output-format\', \'json\']\' returned non-zero exit status 255.\n File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 575, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 854, in spawn\n subsystem.update_ranges(master_url, deployer.install_token)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 975, in update_ranges\n request_range = self.request_range(master_url, \'request\', install_token)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 967, in request_range\n output = subprocess.check_output(cmd)\n File "/usr/lib64/python3.8/subprocess.py", line 411, in check_output\n return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,\n File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n raise CalledProcessError(retcode, process.args,\n\n') ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information: ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat CA configuration failed.
PKI logs contain:
'['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://master.ipa.test:443', 'ca-range-request', 'request', '--session', '1989201132665237160', '--output-format', 'json']' returned non-zero exit status 255.
Also happens in test_backup_and_restore: testing_ipa-4.8_latest Nightly PR #296, logs
Also in test_replication_layouts.py::TestCompleteTopologyWithCAKRA::test_complete_topology_with_ca_kra testing_master_389ds Nightly PR #299, report
I hit an issue like this a few weeks ago. But now I cannot remember the details or how I resolved it. If I remember anything I will add details here.
@fcami now I remember what happened...
See this part of the output:
WARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists
It is a red herring. I now recall that I spent a substantial time investigating the above, but it turned out to be harmless and unrelated to the actual failure.
And what was the actual failure. Well, it is unrelated to your failure here - my devel build of Dogtag was at a bad commit where some Java SystemConfigService changes had been committed, but the corresponding Python pkispawnchanges had not yet been committed, breaking pkispawn.
SystemConfigService
pkispawn
So, I do not have any good tips for solving the current problem - except that you can ignore that LDAP error. Reach out to the Dogtag team if you need help analysing the issue.
Thanks @ftweedal I've reached out to @dmoluguw , we will sort it out.
I think the CA debug log needs to be collected to diagnose this.
dogtagpki issue opened at #3182 The logs on the master show a servlet initialization failure with
access denied ("java.io.FilePermission" "/usr/share/pki/server/webapps/pki/WEB-INF/lib/slf4j-jdk14.jar" "read")
Another failure: PR381, logs
Duplicate of https://pagure.io/freeipa/issue/8476, CA or KRA installation fails on a replica with java.io.FilePermission reported on the master.
Metadata Update from @frenaud: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.