Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1114127
Description of problem: I'm seeing ipa-server-install failures configuring the CA. Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/21]: creating certificate server user [2/21]: creating pki-ca instance [3/21]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -cs_port 9445 -client_certdb_dir /tmp/tmp-gTN63u -client_certdb_pwd XXXXXXXX -preop_pin 8IhRgvChTfGUEzvFqteh -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=QE.PIT.REALM -ldap_host pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=QE.PIT.REALM -ca_server_cert_subject_name CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd 03f-rs-1.novalocal,O=QE.PIT.REALM -ca_audit_signing_cert_subject_name CN=CA Audit,O=QE.PIT.REALM -ca_sign_cert_subject_name CN=Certificate Authority,O=QE.PIT.REALM -external false -clone false' returned non-zero exit status 255 Configuration of CA failed Version-Release number of selected component (if applicable): ipa-server-3.0.0-39.el6.x86_64 pki-ca-9.0.3-32.el6.noarch How reproducible: Unknown. Steps to Reproduce: 1. ipa-server-install -r <REALM> -p Secret123 -a Secret123 -U Actual results: Failure listed above. Expected results: No failure and IPA installs cleanly. Additional info: Problem is we cannot reproduce this outside on an automated environment that generates and builds the VM it's failing on. If the VM is manually created (from the same image) it's not failing. I do not know the host systems in the two cases. ipaserver-install.log: 2014-06-27T19:42:10Z DEBUG Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds 2014-06-27T19:42:10Z DEBUG [1/21]: creating certificate server user 2014-06-27T19:42:10Z DEBUG ca user pkiuser exists 2014-06-27T19:42:10Z DEBUG duration: 0 seconds 2014-06-27T19:42:10Z DEBUG [2/21]: creating pki-ca instance 2014-06-27T19:43:59Z DEBUG args=/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -enable_proxy 2014-06-27T19:43:59Z DEBUG stdout=PKI instance creation Utility ... Capturing installation information in /var/log/pki-ca-install.log PKI instance creation completed ... Installation information recorded in /var/log/pki-ca-install.log. Before proceeding with the configuration, make sure the firewall settings of this machine permit proper access to this subsystem. Please start the configuration by accessing: https://pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal:9445/ ca/admin/console/config/login?pin=pVNJx5tI2e9laIPwyV8w After configuration, the server can be operated by the command: /sbin/service pki-cad restart pki-ca 2014-06-27T19:43:59Z DEBUG stderr= 2014-06-27T19:43:59Z DEBUG duration: 109 seconds 2014-06-27T19:43:59Z DEBUG [3/21]: configuring certificate server instance 2014-06-27T19:44:00Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -cs_port 9445 -client_certdb_dir /tmp/tmp-TpgvUw -client_certdb_pwd XXXXXXXX -preop_pin pVNJx5tI2e9laIPwyV8w -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=QE.PIT.REALM -ldap_host pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=QE.PIT.REALM -ca_server_cert_subject_name CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd 03f-rs-1.novalocal,O=QE.PIT.REALM -ca_audit_signing_cert_subject_name CN=CA Audit,O=QE.PIT.REALM -ca_sign_cert_subject_name CN=Certificate Authority,O=QE.PIT.REALM -external false -clone false 2014-06-27T19:44:00Z DEBUG stdout=libpath=/usr/lib64 ####################################################################### CRYPTO INIT WITH CERTDB:/tmp/tmp-TpgvUw tokenpwd:XXXXXXXX ############################################# Attempting to connect to: pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal:9445 Exception in LoginPanel(): java.lang.NullPointerException ERROR: ConfigureCA: LoginPanel() failure ERROR: unable to create CA ####################################################################### 2014-06-27T19:44:00Z DEBUG stderr=Exception: Unable to Send Request:java.io.IOException: java.io.IOException: SSL_ForceHandshake failed: (-5991) I/O function error. --> java.net.SocketException: Connection reset java.io.IOException: java.io.IOException: SSL_ForceHandshake failed: (-5991) I/O function error. --> java.net.SocketException: Connection reset at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstruc torAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Delegating ConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:526) at org.mozilla.jss.ssl.SocketBase.processExceptions(SocketBase.java:401) at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method) at HTTPClient.sslConnect(HTTPClient.java:331) at ConfigureCA.LoginPanel(ConfigureCA.java:244) at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157) at ConfigureCA.main(ConfigureCA.java:1672) java.lang.NullPointerException at ConfigureCA.LoginPanel(ConfigureCA.java:245) at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157) at ConfigureCA.main(ConfigureCA.java:1672) 2014-06-27T19:44:00Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -cs_port 9445 -client_certdb_dir /tmp/tmp-TpgvUw -client_certdb_pwd XXXXXXXX -preop_pin pVNJx5tI2e9laIPwyV8w -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=QE.PIT.REALM -ldap_host pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=QE.PIT.REALM -ca_server_cert_subject_name CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd 03f-rs-1.novalocal,O=QE.PIT.REALM -ca_audit_signing_cert_subject_name CN=CA Audit,O=QE.PIT.REALM -ca_sign_cert_subject_name CN=Certificate Authority,O=QE.PIT.REALM -external false -clone false' returned non-zero exit status 255 2014-06-27T19:44:00Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script return_value = main_function() File "/usr/sbin/ipa-server-install", line 942, in main subject_base=options.subject) File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance self.start_creation(runtime=210) File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation method() File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance raise RuntimeError('Configuration of CA failed') 2014-06-27T19:44:00Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
Processing leftovers from 4.2 backlog - this ticket was found as suitable for consideration in next big feature release - 4.4.
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.