On 11.12.2020 14.58, iulian roman via FreeIPA-users wrote:
Hi Timo,
Thanks for the update. I have tried with new package versions (there is a dependency as
well on libjboss-annotations-1.2-api-java which needs to be installed from freeipa staging
ppa), but the installation fails in the same step (it fails to configure/start the CA):
2020-12-11T12:49:09Z DEBUG stderr=pkispawn : ERROR .......
subprocess.CalledProcessError: Command '['sysctl',
'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
pkispawn : ERROR ........... server did not start after 60s
pkispawn : ERROR ....... server failed to restart
2020-12-11T12:49:09Z CRITICAL Failed to configure CA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f',
'/tmp/tmp9GMIPC'] returned non-zero exit status 1: u"pkispawn : ERROR
....... subprocess.CalledProcessError: Command '['sysctl',
'crypto.fips_enabled', '-bn']' returned non-zero exit status
255!\npkispawn : ERROR ........... server did not start after 60s\npkispawn :
ERROR ....... server failed to restart\n")
2020-12-11T12:49:09Z CRITICAL See the installation logs and the following
files/directories for more information:
2020-12-11T12:49:09Z CRITICAL /var/log/pki/pki-tomcat
2020-12-11T12:49:09Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
603, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line
589, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py",
line 696, in __spawn_instance
pki_pin)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dogtaginstance.py",
line 167, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dogtaginstance.py",
line 415, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2020-12-11T12:49:09Z DEBUG [error] RuntimeError: CA configuration failed.
2020-12-11T12:49:09Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
Any idea how that can be fixed?

I guess you got hit by the openjdk8 update as well, so downgrade it by
running 'apt install openjdk-8-jre-headless=8u162-b12-1' and then try again.
I've managed to get the server working on 20.04 (without bind9) but
updating java breaks it there too, and while bumping libjss to current
v4.6.x branch should help, it only fails the setup later (requesting RA
cert).
And the breakage with current packages in Debian unstable is probably
caused by making Dogtag 10.10 essentially require system-wide
crypto-policies which aren't used on Debian...
--
t