Hi folks,
installing a new ca replica in an LXC container failed with
[root@ipa5 ~]# ipa-replica-install --no-ntp --setup-ca /var/lib/ipa/replica-info-ipa5.example.de.gpg
Directory Manager (existing master) password:
Run connection check to master
admin@EXAMPLE.DE password:
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: enabling ldapi
  [3/41]: configure autobind for root
  :
  :
Installation failed: com.netscape.certsrv.base.PKIException: Error in populating database: java.io.IOException: Failed to setup the replication for cloning.
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2019-07-17T10:57:43Z DEBUG stderr=pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
2019-07-17T10:57:43Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpZihcFT' returned non-zero exit status 1
2019-07-17T10:57:43Z CRITICAL See the installation logs and the following files/directories for more information:
2019-07-17T10:57:43Z CRITICAL   /var/log/pki/pki-tomcat
2019-07-17T10:57:43Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 660, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 406, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

[root@ipa5 pki-tomcat]# sysctl crypto.fips_enabled -bn
sysctl: cannot stat /proc/sys/crypto/fips_enabled: No such file or directory
sysctl returns the same error on the host.
This crypto.fips_enabled appears to be something optional, so I wonder if I could tell ipa-replica-install in advance?
The host is running Debian 9.9 and kernel 4.9.168-1+deb9u2. The client is CentOS 7, ipa 4.6.4-10.
Every helpful comment is highly appreciated
Harri
On 7/17/19 1:14 PM, Harald Dunkel via FreeIPA-users wrote:
Hi,
your issue looks very similar to #7608 "FreeIPA 4.6.3 install fails when `/proc/sys/crypto` is absent" [1], which was fixed in ipa 4.7.1.
HTH,
Flo
[1] https://pagure.io/freeipa/issue/7608
Harald Dunkel via FreeIPA-users wrote:
Bug in dogtag, https://pagure.io/dogtagpki/issue/3039. Fixed in 10.6.3+ according to git tag.
rob
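To show the defect behind the traceback in this thread, here is an added example (not dogtag's or FreeIPA's code, and not the patch from the ticket): the first probe shells out to sysctl and lets a non-zero exit propagate, which is exactly what aborted pkispawn when /proc/sys/crypto was absent in the container; the second reads the sysctl node directly and treats "no FIPS switch exposed by the kernel" as "FIPS not enabled". The fake sysctl commands and the temporary stand-in files are constructed for the demonstration.

```python
import os
import shutil
import subprocess
import tempfile

# Added example, not dogtag's or FreeIPA's code. Contrasts a fragile FIPS
# probe (the pattern that failed in this thread) with a tolerant one.

FIPS_PROC_PATH = "/proc/sys/crypto/fips_enabled"

# Constructed stand-in for `sysctl crypto.fips_enabled -bn` on a kernel or
# container without /proc/sys/crypto: same stderr text and exit status as in
# the thread's log.
FAKE_MISSING_SYSCTL = (
    "sh", "-c",
    "echo 'sysctl: cannot stat /proc/sys/crypto/fips_enabled: "
    "No such file or directory' >&2; exit 255",
)
# Constructed stand-in for sysctl on a host with FIPS mode switched on.
FAKE_FIPS_ON_SYSCTL = ("sh", "-c", "echo 1")


def fips_enabled_strict(argv=("sysctl", "crypto.fips_enabled", "-bn")):
    """The fragile pattern: run sysctl and let any non-zero exit propagate.
    Without /proc/sys/crypto this raises CalledProcessError, which is what
    turned a missing kernel knob into a failed ipa-replica-install."""
    out = subprocess.check_output(list(argv), stderr=subprocess.STDOUT)
    return out.strip() == b"1"


def classify_strict(argv):
    """Run the strict probe and report its outcome as a short string."""
    try:
        return "fips-on" if fips_enabled_strict(argv) else "fips-off"
    except subprocess.CalledProcessError as e:
        return "error: exit %d" % e.returncode


def fips_enabled(proc_path=FIPS_PROC_PATH):
    """Tolerant probe: read the sysctl node itself. A missing node means the
    kernel exposes no FIPS switch at all, so FIPS cannot be on; report False
    instead of failing the caller."""
    try:
        with open(proc_path, "rb") as fh:
            return fh.read().strip() == b"1"
    except (IOError, OSError):   # ENOENT inside a container without /proc/sys/crypto
        return False


def simulate(contents):
    """Constructed scenario: for each entry (None = node absent, otherwise the
    bytes to write into a temporary stand-in for fips_enabled) return what the
    tolerant probe reports."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "fips_enabled")
    results = []
    try:
        for value in contents:
            if value is None:
                if os.path.exists(path):
                    os.remove(path)
            else:
                with open(path, "wb") as fh:
                    fh.write(value)
            results.append(fips_enabled(path))
    finally:
        shutil.rmtree(tmpdir)
    return results


if __name__ == "__main__":
    print("strict probe, sysctl node missing:", classify_strict(FAKE_MISSING_SYSCTL))
    print("strict probe, FIPS on:", classify_strict(FAKE_FIPS_ON_SYSCTL))
    print("tolerant probe [absent, '1', '0']:", simulate([None, b"1\n", b"0\n"]))
```

The tolerant probe deliberately maps "node absent" to False rather than to an error, because a kernel that does not expose crypto.fips_enabled cannot be running in FIPS mode; an installer that needs to know the answer should log that the node was missing so the decision is visible in the install log.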
Hi Rob,
On 7/17/19 1:55 PM, Rob Crittenden via FreeIPA-users wrote:
Bug in dogtag, https://pagure.io/dogtagpki/issue/3039. Fixed in 10.6.3+ according to git tag.
I applied the patch I found in the dogtag ticket to
/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py
in CentOS 7 (pki-server-10.5.9-13). The error message about crypto.fips_enabled is gone.
Regards
Harri