#2252 ipa-kra-install fails when using pki-kra 10.2.x
Closed: Fixed. Opened 8 years ago by mharmsen.

This is a clone of ticket #2247 to backport the fix to Dogtag 10.2.x on Fedora 23.

When setting up a KRA subsystem clone on a FreeIPA replica using ipa-kra-install, the installation fails with the following error:

[root@replica1 ~]# ipa-kra-install 
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: creating installation admin user
  [2/8]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmp5aWeE4' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

In the installation log, the following error can be found:

2016-03-29T12:10:20Z DEBUG Starting external process
2016-03-29T12:10:20Z DEBUG args=/usr/sbin/pkispawn -s KRA -f /tmp/tmp5aWeE4
2016-03-29T12:10:22Z DEBUG Process finished, return code=1
2016-03-29T12:10:22Z DEBUG stdout=Log file: /var/log/pki/pki-kra-spawn.20160329121020.log
Loading deployment configuration from /tmp/tmp5aWeE4.
Installing KRA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg.

Installation failed.


2016-03-29T12:10:22Z DEBUG stderr=IncorrectPasswordException: Incorrect client security database password.

The pki-kra-spawn log contains the following:

2016-03-29 12:10:22 pkispawn    : INFO     ....... copying '/usr/share/pki/setup/pkidaemon_registry' --> '/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat' with slot substitution
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_WEB_SERVER_TYPE]' ==> 'tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_USER]' ==> 'pkiuser'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_GROUP]' ==> 'pkiuser'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_INSTANCE_NAME]' ==> 'pki-tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_INSTANCE_PATH]' ==> '/var/lib/pki/pki-tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_INSTANCE_INITSCRIPT]' ==> '/var/lib/pki/pki-tomcat/pki-tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_LOCKDIR]' ==> '/var/lock/pki/tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_PIDDIR]' ==> '/var/run/pki/tomcat'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[PKI_UNSECURE_PORT]' ==> '8080'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... slot substitution: '[TOMCAT_PIDFILE]' ==> '/var/run/pki/tomcat/pki-tomcat.pid'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
2016-03-29 12:10:22 pkispawn    : INFO     ... generating 'pki.server.deployment.scriptlets.security_databases'
2016-03-29 12:10:22 pkispawn    : INFO     ....... generating '/etc/pki/pki-tomcat/pfile'
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/password.conf'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 660 /etc/pki/pki-tomcat/password.conf
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/password.conf
2016-03-29 12:10:22 pkispawn    : INFO     ....... Security databases '/etc/pki/pki-tomcat/alias/cert8.db', '/etc/pki/pki-tomcat/alias/key3.db', and/or '/etc/pki/pki-tomcat/alias/secmod.db' already exist!
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/cert8.db'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 600 /etc/pki/pki-tomcat/alias/cert8.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/alias/cert8.db
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/key3.db'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 600 /etc/pki/pki-tomcat/alias/key3.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/alias/key3.db
2016-03-29 12:10:22 pkispawn    : INFO     ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chmod 600 /etc/pki/pki-tomcat/alias/secmod.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ........... chown 17:17 /etc/pki/pki-tomcat/alias/secmod.db
2016-03-29 12:10:22 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
2016-03-29 12:10:22 pkispawn    : DEBUG    ....... Error Message: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-C', '/etc/pki/pki-tomcat/pfile', 'pkcs12-import', '--pkcs12-file', '/tmp/tmpfivCZ2', '--pkcs12-password-file', '/tmp/tmpfXzW3F/password.txt', '--no-user-certs']' returned non-zero exit status 255
2016-03-29 12:10:22 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 524, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 128, in spawn
    no_user_certs=True)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 538, in import_pkcs12
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 540, in check_call
    raise CalledProcessError(retcode, cmd)

Steps to reproduce:

1.) Set up a FreeIPA master with KRA

2.) Install a replica with CA

3.) Install KRA on the replica

Expected results:

KRA is installed and functional

Actual results:

KRA clone installation fails


Fixed in DOGTAG_10_2_5_RHEL_BRANCH:

  • 6b1aca96090874659d8a130aea802d41ecca180c
  • 3e465a86bd32d694208239d73327cc8a84336aed

Checked into DOGTAG_10_2_RHEL_BRANCH:

  • 631fa3ee228d44976416925ab3ee590075a54750
  • 95922afb2a2acb499ba65b76bcfa3d5dd7eb7232

Spec file changes checked into DOGTAG_10_2_RHEL_BRANCH:

  • 7938a11c3ca94fb7d7ef30e0859280aee3b6b70d

Steps to verify changes:

(1) Install default DS for masters

(2) Install a second DS for clones using:

pki_ds_ldap_port=10389
pki_ds_ldaps_port=10636

(3) Create 'pki-master-ca.cfg':

# cat /root/pki/pki-master-ca.cfg
[DEFAULT]
pki_admin_password=Secret123
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_instance_name=pki-master
[CA]
pki_ds_base_dn=o=pki-tomcat-CA
pki_ds_database=pki-tomcat-CA

(4) Create 'pki-master' CA:

# script -c "pkispawn -s CA -f /root/pki/pki-master-ca.cfg -vvv" /root/typescript.pki-master-ca

(5) Obtain master CA PKCS #12 file with appropriate trust flags set:

# grep "internal=" /var/lib/pki/pki-master/conf/password.conf | awk -F= '{print $2}' > /tmp/master_internal.txt
# PKCS12Export -debug -d /var/lib/pki/pki-master/alias -p /tmp/master_internal.txt -o /tmp/ca_backup_keys.p12 -w ~/.dogtag/pki-master/ca/pkcs12_password.conf

(6) Create 'pki-master-kra.cfg':

# cat /root/pki/pki-master-kra.cfg
[DEFAULT]
pki_admin_password=Secret123
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_instance_name=pki-master
pki_security_domain_password=Secret123
[KRA]
pki_ds_base_dn=o=pki-tomcat-KRA
pki_ds_database=pki-tomcat-KRA

(7) Create 'pki-master' KRA:

# script -c "pkispawn -s KRA -f /root/pki/pki-master-kra.cfg -vvv" /root/typescript.pki-master-kra

(8) Obtain master KRA PKCS #12 file with appropriate trust flags set:

# PKCS12Export -debug -d /var/lib/pki/pki-master/alias -p /tmp/master_internal.txt -o /tmp/kra_backup_keys.p12 -w ~/.dogtag/pki-master/kra/pkcs12_password.conf

(9) Create 'pki-clone-ca.cfg':

# cat pki-clone-ca.cfg
[DEFAULT]
pki_admin_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_ldap_port=10389
pki_ds_ldaps_port=10636
pki_ds_password=Secret123
pki_http_port=17080
pki_https_port=17443
pki_instance_name=pki-clone
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=8443
pki_security_domain_password=Secret123
[Tomcat]
pki_ajp_port=17009
pki_clone=True
pki_clone_pkcs12_password=Secret123
pki_clone_pkcs12_path=/tmp/ca_backup_keys.p12
pki_clone_uri=https://pki.example.com:8443
pki_tomcat_server_port=17005
[CA]
pki_ds_base_dn=o=pki-tomcat-CA
pki_ds_database=pki-tomcat-CA

(10) Create 'pki-clone' CA:

# script -c "pkispawn -s CA -f /root/pki/pki-clone-ca.cfg -vvv" /root/typescript.pki-clone-ca

(11) Create 'pki-clone-kra.cfg':

# cat /root/pki/pki-clone-kra.cfg
[DEFAULT]
pki_admin_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_ldap_port=10389
pki_ds_ldaps_port=10636
pki_ds_password=Secret123
pki_http_port=17080
pki_https_port=17443
pki_instance_name=pki-clone
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=8443
pki_security_domain_password=Secret123
[Tomcat]
pki_ajp_port=17009
pki_clone=True
pki_clone_pkcs12_password=Secret123
pki_clone_pkcs12_path=/tmp/kra_backup_keys.p12
pki_clone_uri=https://pki.example.com:8443
pki_tomcat_server_port=17005
[KRA]
pki_ds_base_dn=o=pki-tomcat-KRA
pki_ds_database=pki-tomcat-KRA

(12) Create 'pki-clone' KRA:

# script -c "pkispawn -s KRA -f /root/pki/pki-clone-kra.cfg -vvv" /root/typescript.pki-clone-kra
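The clone configs in steps (9) and (11) layer three sections, and a clone install only gets as far as the 'pki pkcs12-import' step shown in the spawn log above if the clone-specific keys in them are all present and consistent with the master. The following is an added example for this ticket, not code from Dogtag or FreeIPA: a small lint for pkispawn .cfg files that flattens [DEFAULT], [Tomcat] and the subsystem section the way pkispawn's ConfigParser-based loader does, checks the clone prerequisites, and compares the clone's DS suffix and database against the master's. The sample configs are shortened, constructed copies of the ones in steps (6) and (11); the function and constant names are this example's own assumptions.

```python
"""Lint pkispawn deployment configs before attempting a clone install.

Added example for this ticket, not code from Dogtag or FreeIPA. pkispawn
reads its .cfg files with ConfigParser semantics: [DEFAULT] applies to every
section, [Tomcat] overrides it, and the subsystem section ([CA], [KRA], ...)
overrides both. The checks below cover the clone prerequisites that must be
right before pkispawn reaches the 'pki pkcs12-import' step that failed here.
Sample configs are shortened copies of the verification steps; the names
used here are this example's own.
"""
import configparser

# Keys a clone cannot be spawned without: the PKCS #12 bundle exported from
# the master, its password, and the master instance to replicate from.
CLONE_KEYS = ("pki_clone_pkcs12_path", "pki_clone_pkcs12_password",
              "pki_clone_uri")
# Keys needed to join the master's security domain.
DOMAIN_KEYS = ("pki_security_domain_hostname",
               "pki_security_domain_https_port",
               "pki_security_domain_password")
# Per-subsystem DS settings; replication requires these to match the master.
DS_KEYS = ("pki_ds_base_dn", "pki_ds_database")


def parse_deployment_cfg(text):
    """Parse a pkispawn .cfg. default_section is renamed so [DEFAULT] stays
    a plain section and the layering is done explicitly below; interpolation
    is off because passwords may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None,
                                   default_section="__unused__")
    cp.read_string(text)
    return cp


def effective_settings(cp, subsystem):
    """Flatten [DEFAULT] < [Tomcat] < [subsystem] into one dict."""
    merged = {}
    for section in ("DEFAULT", "Tomcat", subsystem):
        if cp.has_section(section):
            merged.update(cp.items(section, raw=True))
    return merged


def lint_clone_cfg(text, subsystem):
    """Return the problems found in a clone config; [] means none."""
    cp = parse_deployment_cfg(text)
    cfg = effective_settings(cp, subsystem)
    problems = []
    if not cp.has_section(subsystem):
        problems.append("missing [%s] section" % subsystem)
    if cfg.get("pki_clone", "False").lower() != "true":
        problems.append("pki_clone is not True; this is not a clone config")
        return problems
    for key in CLONE_KEYS + DOMAIN_KEYS + DS_KEYS:
        if not cfg.get(key):
            problems.append("missing or empty %s" % key)
    uri = cfg.get("pki_clone_uri", "")
    if uri and not uri.startswith("https://"):
        problems.append("pki_clone_uri must be an https:// URL, got %r" % uri)
    return problems


def check_against_master(master_text, clone_text, subsystem):
    """The clone's DS suffix and database must match the master's, otherwise
    the replication agreement points at the wrong tree."""
    master = effective_settings(parse_deployment_cfg(master_text), subsystem)
    clone = effective_settings(parse_deployment_cfg(clone_text), subsystem)
    return ["%s differs: master %r vs clone %r"
            % (key, master.get(key), clone.get(key))
            for key in DS_KEYS if master.get(key) != clone.get(key)]


# Constructed samples, cut down from steps (6) and (11) of the ticket.
MASTER_KRA_CFG = """\
[DEFAULT]
pki_admin_password=Secret123
pki_ds_password=Secret123
pki_instance_name=pki-master
pki_security_domain_password=Secret123
[KRA]
pki_ds_base_dn=o=pki-tomcat-KRA
pki_ds_database=pki-tomcat-KRA
"""

CLONE_KRA_CFG = """\
[DEFAULT]
pki_admin_password=Secret123
pki_ds_ldap_port=10389
pki_ds_ldaps_port=10636
pki_ds_password=Secret123
pki_http_port=17080
pki_https_port=17443
pki_instance_name=pki-clone
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=8443
pki_security_domain_password=Secret123
[Tomcat]
pki_ajp_port=17009
pki_clone=True
pki_clone_pkcs12_password=Secret123
pki_clone_pkcs12_path=/tmp/kra_backup_keys.p12
pki_clone_uri=https://pki.example.com:8443
pki_tomcat_server_port=17005
[KRA]
pki_ds_base_dn=o=pki-tomcat-KRA
pki_ds_database=pki-tomcat-KRA
"""

# A plausible copy-paste mistake: PKCS #12 password dropped and the CA
# clone's base DN left in the KRA config.
BROKEN_CLONE_KRA_CFG = (CLONE_KRA_CFG
                        .replace("pki_clone_pkcs12_password=Secret123\n", "")
                        .replace("o=pki-tomcat-KRA", "o=pki-tomcat-CA"))

if __name__ == "__main__":
    for name, cfg in (("clone", CLONE_KRA_CFG), ("broken", BROKEN_CLONE_KRA_CFG)):
        print(name, lint_clone_cfg(cfg, "KRA"),
              check_against_master(MASTER_KRA_CFG, cfg, "KRA"))
```

Run it against the real files before step (12) (read them with open() instead of the embedded strings); an empty list from both functions means the clone config at least names a PKCS #12 bundle, its password, a master URI and a matching DS suffix, so a failure past that point is in the bundle or the NSS database passwords rather than in the config layout.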

Checked into DOGTAG_10_2_6_BRANCH:

  • b7b945fb37b54426489bfe8f0be769ca4ee33860
  • 651c0ca6a5dec1cf3556f6a3a931eb69500aab8c

Checked into DOGTAG_10_2_BRANCH:

  • 54050dff546b6fa3da078d0f4a5ea74f2867fdfa
  • 0c36f7a4daceb66ffbcb7477e62a6768a1e3f995

Resolved in:

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.2.x

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2372

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.