[Freeipa-users] setting up a new CA replica in LXC failed

Hi folks, installing a new ca replica in an LXC container failed with [root@ipa5 ~]# ipa-replica-install --no-ntp --setup-ca /var/lib/ipa/replica-info-ipa5.example.de.gpg Directory Manager (existing master) password: Run connection check to master admin(a)EXAMPLE.DE password: Connection check OK Configuring directory server (dirsrv). Estimated time: 30 seconds [1/41]: creating directory server instance [2/41]: enabling ldapi [3/41]: configure autobind for root : : Installation failed: com.netscape.certsrv.base.PKIException: Error in populating database: java.io.IOException: Failed to setup the replication for cloning. Please check the CA logs in /var/log/pki/pki-tomcat/ca. 2019-07-17T10:57:43Z DEBUG stderr=pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255! 2019-07-17T10:57:43Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpZihcFT' returned non-zero exit status 1 2019-07-17T10:57:43Z CRITICAL See the installation logs and the following files/directories for more information: 2019-07-17T10:57:43Z CRITICAL /var/log/pki/pki-tomcat 2019-07-17T10:57:43Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 660, in __spawn_instance pki_pin) File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 406, in handle_setup_error raise RuntimeError("%s configuration failed." % self.subsystem) [root@ipa5 pki-tomcat]# sysctl crypto.fips_enabled -bn sysctl: cannot stat /proc/sys/crypto/fips_enabled: No such file or directory sysctl returns the same error on the host. This crypto.fips_enabled appears to be something optional, so I wonder if I could tell ipa-replica-install in advance? The host is running Debian 9.9 and kernel 4.9.168-1+deb9u2. The client is CentOS 7, ipa 4.6.4-10 Every helpful comment is highly appreciated Harri