6:14 a.m.
Hi folks,
installing a new ca replica in an LXC container failed with
[root@ipa5 ~]# ipa-replica-install --no-ntp --setup-ca
/var/lib/ipa/replica-info-ipa5.example.de.gpg
Directory Manager (existing master) password:
Run connection check to master
admin(a)EXAMPLE.DE password:
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: enabling ldapi
[3/41]: configure autobind for root
:
:
Installation failed:
com.netscape.certsrv.base.PKIException: Error in populating database: java.io.IOException:
Failed to setup the replication for cloning.
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2019-07-17T10:57:43Z DEBUG stderr=pkispawn : ERROR .......
subprocess.CalledProcessError: Command '['sysctl',
'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
2019-07-17T10:57:43Z CRITICAL Failed to configure CA instance: Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpZihcFT' returned non-zero exit status 1
2019-07-17T10:57:43Z CRITICAL See the installation logs and the following
files/directories for more information:
2019-07-17T10:57:43Z CRITICAL /var/log/pki/pki-tomcat
2019-07-17T10:57:43Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
560, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
660, in __spawn_instance
pki_pin)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 166, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 406, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
[root@ipa5 pki-tomcat]# sysctl crypto.fips_enabled -bn
sysctl: cannot stat /proc/sys/crypto/fips_enabled: No such file or directory
sysctl returns the same error on the host.
This crypto.fips_enabled appears to be something optional, so I wonder if
I could tell ipa-replica-install in advance?
The host is running Debian 9.9 and kernel 4.9.168-1+deb9u2.
The client is CentOS 7, ipa 4.6.4-10
Every helpful comment is highly appreciated
Harri
6:53 a.m.
On 7/17/19 1:14 PM, Harald Dunkel via FreeIPA-users wrote:
Hi folks,
installing a new ca replica in an LXC container failed with
[root@ipa5 ~]# ipa-replica-install --no-ntp --setup-ca
/var/lib/ipa/replica-info-ipa5.example.de.gpg
Directory Manager (existing master) password:
Run connection check to master
admin(a)EXAMPLE.DE password:
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: enabling ldapi
[3/41]: configure autobind for root
:
:
Installation failed:
com.netscape.certsrv.base.PKIException: Error in populating database:
java.io.IOException: Failed to setup the replication for cloning.
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2019-07-17T10:57:43Z DEBUG stderr=pkispawn : ERROR .......
subprocess.CalledProcessError: Command '['sysctl',
'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
2019-07-17T10:57:43Z CRITICAL Failed to configure CA instance: Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpZihcFT' returned non-zero exit
status 1
2019-07-17T10:57:43Z CRITICAL See the installation logs and the
following files/directories for more information:
2019-07-17T10:57:43Z CRITICAL /var/log/pki/pki-tomcat
2019-07-17T10:57:43Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 560, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
660, in __spawn_instance
pki_pin)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 166, in spawn_instance
self.handle_setup_error(e)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 406, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
[root@ipa5 pki-tomcat]# sysctl crypto.fips_enabled -bn
sysctl: cannot stat /proc/sys/crypto/fips_enabled: No such file or
directory
sysctl returns the same error on the host.
This crypto.fips_enabled appears to be something optional, so I wonder if
I could tell ipa-replica-install in advance?
The host is running Debian 9.9 and kernel 4.9.168-1+deb9u2.
The client is CentOS 7, ipa 4.6.4-10
Hi,
your issue looks very similar to #7608 FreeIPA 4.6.3 install fails when
`/proc/sys/crypto` is absent [1] which was fixed in ipa 4.7.1.
HTH,
Flo
[1] https://pagure.io/freeipa/issue/7608
Every helpful comment is highly appreciated
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
6:55 a.m.
Harald Dunkel via FreeIPA-users wrote:
Hi folks,
installing a new ca replica in an LXC container failed with
[root@ipa5 ~]# ipa-replica-install --no-ntp --setup-ca
/var/lib/ipa/replica-info-ipa5.example.de.gpg
Directory Manager (existing master) password:
Run connection check to master
admin(a)EXAMPLE.DE password:
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: enabling ldapi
[3/41]: configure autobind for root
:
:
Installation failed:
com.netscape.certsrv.base.PKIException: Error in populating database:
java.io.IOException: Failed to setup the replication for cloning.
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2019-07-17T10:57:43Z DEBUG stderr=pkispawn : ERROR .......
subprocess.CalledProcessError: Command '['sysctl',
'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
2019-07-17T10:57:43Z CRITICAL Failed to configure CA instance: Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpZihcFT' returned non-zero exit
status 1
2019-07-17T10:57:43Z CRITICAL See the installation logs and the
following files/directories for more information:
2019-07-17T10:57:43Z CRITICAL /var/log/pki/pki-tomcat
2019-07-17T10:57:43Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 570, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 560, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
660, in __spawn_instance
pki_pin)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 166, in spawn_instance
self.handle_setup_error(e)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 406, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
[root@ipa5 pki-tomcat]# sysctl crypto.fips_enabled -bn
sysctl: cannot stat /proc/sys/crypto/fips_enabled: No such file or
directory
sysctl returns the same error on the host.
This crypto.fips_enabled appears to be something optional, so I wonder if
I could tell ipa-replica-install in advance?
The host is running Debian 9.9 and kernel 4.9.168-1+deb9u2.
The client is CentOS 7, ipa 4.6.4-10
Bug in dogtag, https://pagure.io/dogtagpki/issue/3039. Fixed in 10.6.3+
according to git tag.
rob
6:59 a.m.
Hi Rob,
On 7/17/19 1:55 PM, Rob Crittenden via FreeIPA-users wrote:
Bug in dogtag, https://pagure.io/dogtagpki/issue/3039. Fixed in 10.6.3+
according to git tag.
I applied the patch I found in the dogtag ticket to
/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py
in Centos 7 (pki-server-10.5.9-13). The error message about crypto.fips_enabled
is gone.
Regards
Harri
1738
days inactive
1745
days old
freeipa-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Florence Blanc-Renaud -
Harald Dunkel -
Rob Crittenden