On 05/03/2018 08:27 AM, Kees Bakker via FreeIPA-users wrote:
On 03-05-18 12:07, Kees Bakker via FreeIPA-users wrote:
> Hey,
>
> Trying to do a test installation of a FreeIPA server on Ubuntu 18.04.
> It fails setting up the certificate server (pki-tomcatd).
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/28]: configuring certificate server instance
> ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp5ejwx5'] returned non-zero exit status 1: u"pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n")
> ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
> ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> ipapython.admintool: ERROR CA configuration failed.
> ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>
> The failing command is: sysctl crypto.fips_enabled -bn
> On my system there is no /proc/sys/crypto.
>
> BTW. I'm installing in a LXC container, the host is Ubuntu 16.04.
> That should not matter, because none of my Ubuntu systems (16.04 and 18.04)
> have /proc/sys/crypto.
>
> The problem seems to be in pki/server/deployment/pkihelper.py
> When the sysctl command fails due to a missing /proc/sys/crypto/fips_enabled or even /proc/sys/crypto
> it raises an exception.
>
> Notice that there is a ipaplatform with is_fips_enabled. Shouldn't that be
> used in pkihelper.py ?
I see this same error running the `fedora-27` Docker container (FreeIPA
4.6.3) on CoreOS Container Linux, which also doesn't have
/proc/sys/crypto. I went ahead and filed an issue on Pagure [1].
Is this a known issue? Maybe nobody is trying to run v. 4.6 outside of
a F27 on bare metal environment?
Thanks-
John
[1]: https://pagure.io/freeipa/issue/7608
>
> As a workaround I applied this patch
> --- pkihelper.py.orig 2018-04-25 07:00:08.000000000 +0000
> +++ pkihelper.py 2018-05-03 12:51:19.034143214 +0000
> @@ -2304,11 +2304,10 @@
> extra=config.PKI_INDENTATION_LEVEL_3)
> return False
> except subprocess.CalledProcessError as exc:
> - config.pki_log.error(
> - log.PKI_SUBPROCESS_ERROR_1, exc,
> - extra=config.PKI_INDENTATION_LEVEL_2)
> - if critical_failure:
> - raise
> + config.pki_log.info(
> + log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED,
> + extra=config.PKI_INDENTATION_LEVEL_3)
> + return False
> except OSError as exc:
> config.pki_log.error(
> log.PKI_OSERROR_1, exc,
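Review bot: In the `except subprocess.CalledProcessError` branch, every non-zero exit of the command is now logged at info level as `PKIHELPER_FIPS_MODE_IS_NOT_ENABLED` and returns False, and the `if critical_failure: raise` path is gone, so a genuine failure of the check on a host that does expose the FIPS switch would be reported as "not enabled" instead of stopping the install. Consider returning False only when /proc/sys/crypto/fips_enabled is absent, and keeping the `log.PKI_SUBPROCESS_ERROR_1` error log and the `critical_failure` re-raise for any other failure.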
>
> But now the pki-tomcat configuration still fails, with what looks like a tomcat
> version conflict.
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/28]: configuring certificate server instance
> ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpN1J9l_'] returned non-zero exit status 1: u'pkispawn : ERROR ........... server did not start after 60s\npkispawn : ERROR ....... server failed to restart\n')
> ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
> ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> ipapython.admintool: ERROR CA configuration failed.
> ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>
> root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out
> java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
> java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
>
> root@usrv1:~# ls -l /usr/share/java/tomcat*anno*
> -rw-r--r-- 1 root root 12389 Apr 19 11:53 /usr/share/java/tomcat8-annotations-api-8.5.30.jar
> lrwxrwxrwx 1 root root 34 Apr 19 11:53 /usr/share/java/tomcat8-annotations-api.jar -> tomcat8-annotations-api-8.5.30.jar
> root@usrv1:~# ls -l /usr/share/java/el-api*
> -rw-r--r-- 1 root root 81242 Apr 19 11:53 /usr/share/java/el-api-3.0.jar
> root@usrv1:~# ls -l /usr/share/java/oscach*
> ls: cannot access '/usr/share/java/oscach*': No such file or directory
>
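A tolerant FIPS check of the kind the thread asks for, as an added example that is not part of the original messages and is not the pki or ipaplatform code: it reads /proc/sys/crypto/fips_enabled directly, treats a missing file or directory as FIPS not enabled, and still raises on any other failure. The names `fips_mode` and `demo` and the sample files are constructed for illustration.

```python
import errno
import os
import tempfile

FIPS_PATH = "/proc/sys/crypto/fips_enabled"  # kernel interface named in the thread


def fips_mode(path=FIPS_PATH):
    """Return True/False for FIPS mode; raise only on a genuine read problem.

    A missing file or missing /proc/sys/crypto directory means the kernel
    exposes no FIPS switch (the LXC and CoreOS cases above): not enabled.
    Anything else (permission denied, unexpected content) is not mapped to
    False, because that would hide a broken check on a FIPS host.
    """
    try:
        with open(path, "r") as fh:
            value = fh.read().strip()
    except OSError as exc:
        if exc.errno in (errno.ENOENT, errno.ENOTDIR):
            return False
        raise
    if value == "1":
        return True
    if value == "0":
        return False
    raise ValueError("unexpected content in %s: %r" % (path, value))


def demo():
    """Exercise the check against constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in (("on", "1\n"), ("off", "0\n"), ("odd", "yes\n")):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(content)
        results["enabled"] = fips_mode(os.path.join(tmp, "on"))
        results["disabled"] = fips_mode(os.path.join(tmp, "off"))
        # No crypto/ directory at all, as in the container reports above.
        results["missing"] = fips_mode(os.path.join(tmp, "crypto", "fips_enabled"))
        try:
            fips_mode(os.path.join(tmp, "odd"))
            results["odd"] = "accepted"
        except ValueError:
            results["odd"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```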