ipa-kra-install fails when using pki-kra 10.3.0-a1-2 #2367

Closed
pki-bot opened this issue Oct 3, 2020 · 3 comments

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #2247. Originally filed by mbabinsk (@martbab) on 2016-03-29 14:23:35:


When setting up a KRA subsystem clone on a FreeIPA replica using ipa-kra-install, the installation fails with the following error:

[root@replica1 ~]# ipa-kra-install 
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: creating installation admin user
  [2/8]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmp5aWeE4' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

In the installation log, the following error can be found:

2016-03-29T12:10:20Z DEBUG Starting external process
2016-03-29T12:10:20Z DEBUG args=/usr/sbin/pkispawn -s KRA -f /tmp/tmp5aWeE4
2016-03-29T12:10:22Z DEBUG Process finished, return code=1
2016-03-29T12:10:22Z DEBUG stdout=Log file: /var/log/pki/pki-kra-spawn.20160329121020.log
Loading deployment configuration from /tmp/tmp5aWeE4.
Installing KRA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg.

Installation failed.


2016-03-29T12:10:22Z DEBUG stderr=IncorrectPasswordException: Incorrect client security database password.

The pki-kra-spawn log contains the following:

2016-03-29 12:10:22 pkispawn    : INFO     ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_WEB_SERVER_TYPE]' ==> 'tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_USER]' ==> 'pkiuser'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_GROUP]' ==> 'pkiuser'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_INSTANCE_NAME]' ==> 'pki-tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_INSTANCE_PATH]' ==> '/var/lib/pki/pki-tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_INSTANCE_INITSCRIPT]' ==> '/var/lib/pki/pki-tomcat/pki-tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_LOCKDIR]' ==> '/var/lock/pki/tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_PIDDIR]' ==> '/var/run/pki/tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_UNSECURE_PORT]' ==> '8080'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[TOMCAT_PIDFILE]' ==> '/var/run/pki/tomcat/pki-tomcat.pid'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
2016-03-29 12:10:22 pkispawn    : INFO     ... generating 'pki.server.deployment.scriptlets.security_databases'
2016-03-29 12:10:22 pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/pfile'
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/password.conf'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 660 /etc/pki/pki-tomcat/password.conf
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/password.conf
2016-03-29 12:10:22 pkispawn    : INFO     ....... Security databases '/etc/pki/pki-tomcat/alias/cert8.db', '/etc/pki/pki-tomcat/alias/key3.db', and/or '/etc/pki/pki-tomcat/alias/secmod.db' already exist!
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 600 /etc/pki/pki-tomcat/alias/cert8.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/alias/cert8.db
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/key3.db'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 600 /etc/pki/pki-tomcat/alias/key3.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/alias/key3.db
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 600 /etc/pki/pki-tomcat/alias/secmod.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/alias/secmod.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
2016-03-29 12:10:22 pkispawn    : DEBUG    ....... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file', '/tmp/tmpfivCZ2', '--pkcs12-password-file', '/tmp/tmpfXzW3F/password.txt', '--no-user-certs']' returned non-zero exit status 255
2016-03-29 12:10:22 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 524, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 128, in spawn
    no_user_certs=True)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in import_pkcs12
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 540, in check_call
    raise CalledProcessError(retcode, cmd)

Steps to reproduce:

1.) set up a FreeIPA master w/ KRA

2.) install a replica with CA

3.) install KRA on the replica

Expected results:

KRA is installed and functional

Actual results:

KRA clone installation fails

@pki-bot pki-bot added this to the 10.3.0.b1 milestone Oct 3, 2020
@pki-bot pki-bot closed this as completed Oct 3, 2020
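
A small triage helper for the failure shown in this report, added here as an illustration and not code from the PKI or FreeIPA projects: it pulls the failed command out of a pkispawn debug log and reports which NSS database and which password files that command was given. The function names and the option-parsing heuristic are assumptions of this example; the sample lines are copied from the log quoted above.

```python
import ast
import re

# Two lines copied from the pki-kra-spawn log quoted in the report above.
SAMPLE_LOG = r"""
2016-03-29 12:10:22 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
2016-03-29 12:10:22 pkispawn    : DEBUG    ....... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file', '/tmp/tmpfivCZ2', '--pkcs12-password-file', '/tmp/tmpfXzW3F/password.txt', '--no-user-certs']' returned non-zero exit status 255
"""

ERROR_TYPE = re.compile(r"Error Type: (\w+)")
ERROR_CMD = re.compile(r"Error Message: Command '(\[.*\])' returned non-zero exit status (\d+)")


def split_options(argv):
    """Heuristic (assumption): an option takes the next token as its value unless that token is an option."""
    opts, positional, i = {}, [], 0
    while i < len(argv):
        tok = argv[i]
        takes_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        if tok.startswith("-") and takes_value:
            opts[tok] = argv[i + 1]
            i += 1  # skip the value token as well
        elif tok.startswith("-"):
            opts[tok] = True
        else:
            positional.append(tok)
        i += 1
    return opts, positional


def triage(log_text):
    """Summarise the first failed external command in a pkispawn debug log, or return None."""
    etype = None
    for line in log_text.splitlines():
        if m := ERROR_TYPE.search(line):
            etype = m.group(1)
        elif m := ERROR_CMD.search(line):
            argv = ast.literal_eval(m.group(1))  # argv is logged as a Python list repr
            opts, positional = split_options(argv)
            return {
                "error_type": etype,
                "exit_status": int(m.group(2)),
                "tool": positional[0],
                "subcommand": positional[1] if len(positional) > 1 else None,
                "nss_db": opts.get("-d"),             # pki -d: NSS database directory
                "nss_password_file": opts.get("-C"),  # pki -C: NSS database password file
                "pkcs12_password_file": opts.get("--pkcs12-password-file"),
            }
    return None
```

The summary separates the two secrets involved in the import step: the password file for the existing NSS database and the password file for the PKCS #12 bundle being imported.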

pki-bot commented Oct 3, 2020

Comment from mbabinsk (@martbab) at 2016-03-29 14:26:10

attachment
kra_logs.zip


pki-bot commented Oct 3, 2020

Comment from edewata (@edewata) at 2016-03-30 22:49:09

Fixed in master:

Note that there is another error similar to ticket 2226 that blocks KRA installation on IPA replica.


pki-bot commented Oct 3, 2020

Comment from mbabinsk (@martbab) at 2017-02-27 14:06:08

Metadata Update from @martbab:

  • Issue assigned to edewata
  • Issue set to the milestone: 10.3.0.b1
