Dear,
With my best effort I am unable to deploy FreeIPA on RockyLinux. I would like to know if someone has already tried it?
So below you will find the commands run from a fresh RockyLinux VM (4 GB RAM):
-------------------
sed -i -e '/identity.infra.microbiome.studio/d' -e '1i 51.15.228.43 identity.infra.microbiome.studio' /etc/hosts
hostnamectl set-hostname identity.infra.microbiome.studio
dnf install -y net-tools sslscan firewalld epel-release
dnf update -y
dnf module enable -y idm:DL1
dnf distro-sync -y
dnf install -y ipa-server ipa-server-dns
firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent
systemctl enable firewalld && systemctl start firewalld && firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent
firewall-cmd --reload
ipa-server-install --verbose --setup-dns --ntp-pool=pool.ntp.org --ds-password=secret1 --admin-password=secret2 --domain=infra.microbiome.studio --realm=INFRA.MICROBIOME.STUDIO --ip-address=51.15.228.43
-------------------
This should be enough to get FreeIPA, but the ipa-server-install command exits with a timeout error after 60 sec with the following message:
-------------------
The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
-------------------
The corresponding log file does not give a clearer reason than a timeout...
It seems that on a vanilla RockyLinux with SELinux, pki does not work well; see the output:
-------------------
systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-09-09 15:01:00 UTC; 4min 29s ago
  Process: 72379 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited, status=0/SUCCESS)
  Process: 72346 ExecStartPre=/usr/sbin/pki-server migrate pki-tomcat (code=exited, status=0/SUCCESS)
  Process: 72343 ExecStartPre=/usr/sbin/pki-server upgrade pki-tomcat (code=exited, status=0/SUCCESS)
 Main PID: 72469 (java)
    Tasks: 115 (limit: 23443)
   Memory: 450.0M
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─72469 /usr/lib/jvm/java-1.8.0-openjdk/bin/java -Dcom.redhat.fips=false -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/a>

sept. 09 15:00:58 identity.infra.microbiome.studio java[72364]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
sept. 09 15:01:00 identity.infra.microbiome.studio systemd[1]: Started PKI Tomcat Server pki-tomcat.
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.j>
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: main class used: org.apache.catalina.startup.Bootstrap
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: flags used: -Dcom.redhat.fips=false
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki->
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: arguments used: start
sept. 09 15:01:01 identity.infra.microbiome.studio java[72469]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
sept. 09 15:01:02 identity.infra.microbiome.studio server[72469]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
-------------------
The LDAP (389) and web (8080) ports seem to be in use as expected:
-------------------
# netstat -tunelp
Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Adresse locale          Adresse distante        Etat        Utilisatr  Inode      PID/Program name
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      0          109422     72100/kadmind
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          16896      1/systemd
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      0          109418     72100/kadmind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          28217      1433/sshd
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      0          111080     72041/krb5kdc
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      17         112610     72469/java
tcp6       0      0 :::389                  :::*                    LISTEN      0          110760     71946/ns-slapd
tcp6       0      0 ::1:8009                :::*                    LISTEN      17         113337     72469/java
tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN      17         113335     72469/java
tcp6       0      0 :::749                  :::*                    LISTEN      0          109423     72100/kadmind
tcp6       0      0 :::111                  :::*                    LISTEN      0          16898      1/systemd
tcp6       0      0 :::8080                 :::*                    LISTEN      17         113329     72469/java
tcp6       0      0 :::464                  :::*                    LISTEN      0          109419     72100/kadmind
tcp6       0      0 :::22                   :::*                    LISTEN      0          28219      1433/sshd
tcp6       0      0 :::88                   :::*                    LISTEN      0          111081     72041/krb5kdc
tcp6       0      0 :::8443                 :::*                    LISTEN      17         113333     72469/java
udp        0      0 127.0.0.1:323           0.0.0.0:*                           0          105961     71724/chronyd
udp        0      0 0.0.0.0:464             0.0.0.0:*                           0          109414     72100/kadmind
udp        0      0 0.0.0.0:88              0.0.0.0:*                           0          111076     72041/krb5kdc
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          16897      1/systemd
udp6       0      0 ::1:323                 :::*                                0          105962     71724/chronyd
udp6       0      0 :::464                  :::*                                0          109415     72100/kadmind
udp6       0      0 :::88                   :::*                                0          111077     72041/krb5kdc
udp6       0      0 :::111                  :::*                                0          16899      1/systemd
-------------------
389 Directory seems to be ok:
-------------------
dsctl INFRA-MICROBIOME-STUDIO status
Instance "INFRA-MICROBIOME-STUDIO" is running
-------------------
The file /var/lib/pki/pki-tomcat/logs/ca/debug.2021-09-09.log ends with:
-------------------
...
2021-09-09 15:01:09 [main] INFO: AuthzSubsystem: authz manager instance DirAclAuthz added
2021-09-09 15:01:09 [main] INFO: AuthzSubsystem: authz initialization done.
2021-09-09 15:01:09 [main] INFO: CMSEngine: Configuring servlet certificate nickname
2021-09-09 15:01:09 [main] INFO: CMSEngine: Configuring excluded LDAP attributes
2021-09-09 15:01:09 [main] INFO: CA engine started
-------------------
And /var/lib/pki/pki-tomcat/logs/pki/debug.2021-09-09.log is empty.
It seems that there isn't any SSL certificate in ls /var/lib/pki/pki-tomcat/conf/*:
-------------------
/var/lib/pki/pki-tomcat/conf/catalina.policy
/var/lib/pki/pki-tomcat/conf/logging.properties
/var/lib/pki/pki-tomcat/conf/server.xml
/var/lib/pki/pki-tomcat/conf/catalina.properties
/var/lib/pki/pki-tomcat/conf/password.conf
/var/lib/pki/pki-tomcat/conf/tomcat.conf
/var/lib/pki/pki-tomcat/conf/context.xml
/var/lib/pki/pki-tomcat/conf/serverCertNick.conf
/var/lib/pki/pki-tomcat/conf/web.xml

/var/lib/pki/pki-tomcat/conf/alias:
ca.crt  cert9.db  key4.db  pkcs11.txt

/var/lib/pki/pki-tomcat/conf/ca:
adminCert.profile  archives  caAuditSigningCert.profile  caCert.profile  caOCSPCert.profile  CS.cfg  CS.cfg.bak  flatfile.txt  proxy.conf  registry.cfg  serverCert.profile  subsystemCert.profile

/var/lib/pki/pki-tomcat/conf/Catalina:
localhost
-------------------
So what can I do in order to get FreeIPA running on RockyLinux?
Thanks for your help
Have a good day
Jonathan
For the record, it works if I remove these lines in /etc/crypto-policies/back-ends/nss.config:
name=p11-kit-proxy
library=p11-kit-proxy.so
Hi,
which versions of 389-ds and nss are installed? You may be hitting https://bugzilla.redhat.com/show_bug.cgi?id=1986327
flo
On Mon, Sep 13, 2021 at 2:57 PM MERCIER Jonathan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
For the record, it works if I remove these lines in /etc/crypto-policies/back-ends/nss.config:
name=p11-kit-proxy
library=p11-kit-proxy.so
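As an added example (not code from the thread's posters or from FreeIPA), a small POSIX shell helper that checks an NSS back-end config for the p11-kit-proxy module entry Jonathan removed, and comments it out with a backup instead of deleting it, so the workaround can be reverted once the 389-ds/nss fix flo points to is installed. The sample file contents are constructed for the demo; on a real host pass /etc/crypto-policies/back-ends/nss.config to the functions instead.

```shell
#!/bin/sh
# Added example for this thread, not code from the posters or from FreeIPA.
# It inspects an NSS crypto-policy back-end file for the p11-kit-proxy
# module entry that the workaround above removes, and disables it by
# commenting the lines out with a backup, so the change can be reverted.

# List the PKCS#11 module names declared in an NSS config file (name= lines).
nss_modules() {
    sed -n 's/^name=//p' "$1"
}

# Return 0 if the file still loads p11-kit-proxy, 1 otherwise.
has_p11_kit_proxy() {
    grep -q '^name=p11-kit-proxy$' "$1" && grep -q '^library=p11-kit-proxy\.so$' "$1"
}

# Comment out the two p11-kit-proxy lines, keeping a .bak copy of the original.
# Caveat: update-crypto-policies regenerates the back-end files, so re-check
# after changing the system-wide crypto policy.
disable_p11_kit_proxy() {
    cp -p "$1" "$1.bak" || return 1
    sed -e 's/^name=p11-kit-proxy$/#&/' -e 's/^library=p11-kit-proxy\.so$/#&/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample: the two lines quoted in the thread plus an illustrative
# Policy block; it is not copied from a real RockyLinux system.
make_sample() {
    cat > "$1" <<'EOF'
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=MD5"

name=p11-kit-proxy
library=p11-kit-proxy.so
EOF
}

# Stand-alone demo on the constructed sample (pass the real nss.config path
# to the functions on an affected host instead).
SAMPLE="$(mktemp)"; make_sample "$SAMPLE"
echo "modules before: $(nss_modules "$SAMPLE" | tr '\n' ' ')"
disable_p11_kit_proxy "$SAMPLE"
echo "modules after:  $(nss_modules "$SAMPLE" | tr '\n' ' ')"
rm -f "$SAMPLE" "$SAMPLE.bak"
```

On the affected host, rpm -q 389-ds-base nss p11-kit reports the package versions flo asked about, which is what decides whether the bugzilla fix is already present.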