Hi folks,

installing a new CA replica in an LXC container failed with:

[root@ipa5 ~]# ipa-replica-install --no-ntp --setup-ca /var/lib/ipa/replica-info-ipa5.example.de.gpg
Directory Manager (existing master) password:
Run connection check to master
admin@EXAMPLE.DE password:
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: enabling ldapi
[3/41]: configure autobind for root
:
:
Installation failed:
com.netscape.certsrv.base.PKIException: Error in populating database: java.io.IOException: Failed to setup the replication for cloning.
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2019-07-17T10:57:43Z DEBUG stderr=pkispawn : ERROR .......
subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
2019-07-17T10:57:43Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpZihcFT' returned non-zero exit status 1
2019-07-17T10:57:43Z CRITICAL See the installation logs and the following files/directories for more information:
2019-07-17T10:57:43Z CRITICAL /var/log/pki/pki-tomcat
2019-07-17T10:57:43Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 660, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 406, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
[root@ipa5 pki-tomcat]# sysctl crypto.fips_enabled -bn
sysctl: cannot stat /proc/sys/crypto/fips_enabled: No such file or directory

sysctl returns the same error on the host.

This crypto.fips_enabled appears to be something optional, so I wonder if I could tell ipa-replica-install in advance?

The host is running Debian 9.9 and kernel 4.9.168-1+deb9u2.
The client is CentOS 7, ipa 4.6.4-10.

Every helpful comment is highly appreciated.

Harri