Dear,
with my best effort I am unable to deploy freeipa on RockyLinux. I would like to know if someone has already tried it?
So below you will find the commands run from a fresh RockyLinux VM (4 GB RAM)
-------------------
sed -i -e '/identity\.infra\.microbiome\.studio/d' -e '1i 51.15.228.43 identity.infra.microbiome.studio' /etc/hosts
hostnamectl set-hostname identity.infra.microbiome.studio
dnf install -y net-tools sslscan firewalld epel-release
dnf update -y
dnf module enable -y idm:DL1
dnf distro-sync -y
dnf install -y ipa-server ipa-server-dns
firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent
systemctl enable firewalld && systemctl start firewalld && firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent
firewall-cmd --reload
ipa-server-install --verbose --setup-dns --ntp-pool=pool.ntp.org --ds-password=secret1 --admin-password=secret2 --domain=infra.microbiome.studio --realm=INFRA.MICROBIOME.STUDIO --ip-address=51.15.228.43
-------------------
This should be enough to get freeipa, but the ipa-server-install command exits with a timeout error after 60 seconds with the following message:
-------------------
The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
-------------------
The corresponding log file does not give a clearer reason than a timeout...
It seems that on a vanilla RockyLinux with SELinux, pki does not work well; see the output:
-------------------
systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2021-09-09 15:01:00 UTC; 4min 29s ago
Process: 72379 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited, status=0/SUCCESS)
Process: 72346 ExecStartPre=/usr/sbin/pki-server migrate pki-tomcat (code=exited, status=0/SUCCESS)
Process: 72343 ExecStartPre=/usr/sbin/pki-server upgrade pki-tomcat (code=exited, status=0/SUCCESS)
Main PID: 72469 (java)
Tasks: 115 (limit: 23443)
Memory: 450.0M
CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
└─72469 /usr/lib/jvm/java-1.8.0-openjdk/bin/java -Dcom.redhat.fips=false -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/a>
sept. 09 15:00:58 identity.infra.microbiome.studio java[72364]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
sept. 09 15:01:00 identity.infra.microbiome.studio systemd[1]: Started PKI Tomcat Server pki-tomcat.
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.j>
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: main class used: org.apache.catalina.startup.Bootstrap
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: flags used: -Dcom.redhat.fips=false
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki->
sept. 09 15:01:00 identity.infra.microbiome.studio server[72469]: arguments used: start
sept. 09 15:01:01 identity.infra.microbiome.studio java[72469]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
sept. 09 15:01:02 identity.infra.microbiome.studio server[72469]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
-------------------
The LDAP (389) and web (8080) ports seem to be in use as expected:
-------------------
# netstat -tunelp
Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat Utilisatr Inode PID/Program name
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN 0 109422 72100/kadmind
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 16896 1/systemd
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 0 109418 72100/kadmind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 28217 1433/sshd
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 0 111080 72041/krb5kdc
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 17 112610 72469/java
tcp6 0 0 :::389 :::* LISTEN 0 110760 71946/ns-slapd
tcp6 0 0 ::1:8009 :::* LISTEN 17 113337 72469/java
tcp6 0 0 127.0.0.1:8009 :::* LISTEN 17 113335 72469/java
tcp6 0 0 :::749 :::* LISTEN 0 109423 72100/kadmind
tcp6 0 0 :::111 :::* LISTEN 0 16898 1/systemd
tcp6 0 0 :::8080 :::* LISTEN 17 113329 72469/java
tcp6 0 0 :::464 :::* LISTEN 0 109419 72100/kadmind
tcp6 0 0 :::22 :::* LISTEN 0 28219 1433/sshd
tcp6 0 0 :::88 :::* LISTEN 0 111081 72041/krb5kdc
tcp6 0 0 :::8443 :::* LISTEN 17 113333 72469/java
udp 0 0 127.0.0.1:323 0.0.0.0:* 0 105961 71724/chronyd
udp 0 0 0.0.0.0:464 0.0.0.0:* 0 109414 72100/kadmind
udp 0 0 0.0.0.0:88 0.0.0.0:* 0 111076 72041/krb5kdc
udp 0 0 0.0.0.0:111 0.0.0.0:* 0 16897 1/systemd
udp6 0 0 ::1:323 :::* 0 105962 71724/chronyd
udp6 0 0 :::464 :::* 0 109415 72100/kadmind
udp6 0 0 :::88 :::* 0 111077 72041/krb5kdc
udp6 0 0 :::111 :::* 0 16899 1/systemd
-------------------
389 Directory seems to be ok:
-------------------
dsctl INFRA-MICROBIOME-STUDIO status
Instance "INFRA-MICROBIOME-STUDIO" is running
-------------------
The file /var/lib/pki/pki-tomcat/logs/ca/debug.2021-09-09.log ends with:
-------------------
...
2021-09-09 15:01:09 [main] INFO: AuthzSubsystem: authz manager instance DirAclAuthz added
2021-09-09 15:01:09 [main] INFO: AuthzSubsystem: authz initialization done.
2021-09-09 15:01:09 [main] INFO: CMSEngine: Configuring servlet certificate nickname
2021-09-09 15:01:09 [main] INFO: CMSEngine: Configuring excluded LDAP attributes
2021-09-09 15:01:09 [main] INFO: CA engine started
-------------------
And /var/lib/pki/pki-tomcat/logs/pki/debug.2021-09-09.log is empty.
It seems that there is not any SSL certificate in the output of ls /var/lib/pki/pki-tomcat/conf/*:
-------------------
/var/lib/pki/pki-tomcat/conf/catalina.policy /var/lib/pki/pki-tomcat/conf/logging.properties /var/lib/pki/pki-tomcat/conf/server.xml
/var/lib/pki/pki-tomcat/conf/catalina.properties /var/lib/pki/pki-tomcat/conf/password.conf /var/lib/pki/pki-tomcat/conf/tomcat.conf
/var/lib/pki/pki-tomcat/conf/context.xml /var/lib/pki/pki-tomcat/conf/serverCertNick.conf /var/lib/pki/pki-tomcat/conf/web.xml
/var/lib/pki/pki-tomcat/conf/alias:
ca.crt cert9.db key4.db pkcs11.txt
/var/lib/pki/pki-tomcat/conf/ca:
adminCert.profile archives caAuditSigningCert.profile caCert.profile caOCSPCert.profile CS.cfg CS.cfg.bak flatfile.txt proxy.conf registry.cfg serverCert.profile subsystemCert.profile
/var/lib/pki/pki-tomcat/conf/Catalina:
localhost
-------------------
So what can I do in order to get freeipa running on RockyLinux?
Thanks for your help
Have a good day
Jonathan
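A pre-flight check for the two host-name requirements the commands above set up (a fully qualified hostname, and an /etc/hosts line mapping that name to the routable address passed as --ip-address rather than to loopback), as an added example that is not from the original post or from the FreeIPA project. The function names and their exit-code contract are my own; the checks are written over a file argument so they can be run against a copy of /etc/hosts before touching the real one.

```shell
#!/bin/sh
# Pre-flight checks for ipa-server-install host naming (added example,
# not FreeIPA project code). Each function returns 0 on pass, 1 on fail,
# and explains a failure on stderr.

# Pass if NAME is a fully qualified host name: at least one dot and not a
# loopback name. ipa-server-install refuses bare or loopback host names.
ipa_check_fqdn() {
    case "$1" in
        localhost|localhost.localdomain) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pass if HOSTS_FILE maps FQDN on exactly one line, that line's address is
# IP (the routable address given to --ip-address), and it is not loopback.
# Comments (# ...) are stripped before matching, as libc does.
ipa_check_hosts_file() {
    hosts_file=$1; fqdn=$2; ip=$3
    # collect the address field of every line that lists FQDN as a name
    addrs=$(awk -v h="$fqdn" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; break } }
    ' "$hosts_file")
    [ -n "$addrs" ] || { echo "no entry for $fqdn in $hosts_file" >&2; return 1; }
    n=$(printf '%s\n' "$addrs" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "$fqdn appears on $n lines in $hosts_file" >&2; return 1; }
    case "$addrs" in
        127.*|::1) echo "$fqdn resolves to loopback ($addrs)" >&2; return 1 ;;
    esac
    [ "$addrs" = "$ip" ] || { echo "$fqdn maps to $addrs, expected $ip" >&2; return 1; }
    return 0
}

# Run both checks against the live system (hostname from hostnamectl as
# in the post; IP is a constructed placeholder for --ip-address).
ipa_preflight() {
    host=$(hostname)
    ipa_check_fqdn "$host" || { echo "hostname '$host' is not an FQDN" >&2; return 1; }
    ipa_check_hosts_file /etc/hosts "$host" "$1"
}
```

Running `ipa_preflight 51.15.228.43` on the VM in the post should pass after the sed and hostnamectl commands; a failure points at the hosts line or hostname rather than at the CA.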