#2591 FreeIPA installation on Rawhide fails on pkispawn crash
Closed: fixed 7 years ago Opened 7 years ago by mbabinsk@redhat.com.

When installing FreeIPA w/ CA on rawhide, the installation fails with a familiar
error:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpANra4a' returned
non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration
failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install
command failed. See /var/log/ipaserver-install.log for more information

Inspecting installation logs hints at some issue with unicode vs. bytes
handling during CA instance creation using pkispawn:

2017-01-17T07:01:18Z DEBUG Starting external process
2017-01-17T07:01:18Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpANra4a
2017-01-17T07:01:19Z DEBUG Process finished, return code=1
2017-01-17T07:01:19Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20170117070118.log
Loading deployment configuration from /tmp/tmpANra4a.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed: stat() argument 1 must be encoded string without null
bytes, not str

and this is indeed confirmed when examining the pki-ca-spawn logs (attached):

2017-01-17 07:01:19 pkispawn    : INFO     ....... executing 'certutil -N -d
/tmp/tmp-oI6sY0 -f /root/.dogtag/pki-tomcat/ca/password.conf'
2017-01-17 07:01:19 pkispawn    : DEBUG    ....... Error Type: TypeError
2017-01-17 07:01:19 pkispawn    : DEBUG    ....... Error Message: stat()
argument 1 must be encoded string without null bytes, not str
2017-01-17 07:01:19 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn",
line 528, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 301, in spawn
    if len(deployer.instance.tomcat_instance_subsystems()) < 2:
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
line 1028, in tomcat_instance_subsystems
    if os.path.exists(path) and os.path.isdir(path):
  File "/usr/lib64/python2.7/genericpath.py", line 26, in exists
    os.stat(path)

This issue currently blocks FreeIPA installation on rawhide. Please resolve
ASAP.

Steps to Reproduce:

Try to install FreeIPA server with self-signed CA provided by Dogtag

Actual results:

Installation fails during CA subsystem spawn.

Expected results:

Installation produces a working FreeIPA server

Additional info:

The installation works in freeipa/freeipa-server:fedora-rawhide Docker image
built on 2017-01-11T13:53:49.455Z and also on freshly built Docker image
launched on Fedora Atomic Host 25.

Adding some debug prints into
"/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py" reveals
that on one occasion, PKI_INSTANCE_PATH constant from
"/usr/lib/python2.7/site-packages/pki/server/deployment/config.py" holds a
value containing non-printable character:

PKI instance path: /var/lib/pki/pki-tomcat
Path: /var/lib/pki/pki-tomcat/ocsp [type <type 'str'>]
PKI instance path: /var/lib/pki/pki-tomcat
Path: /var/lib/pki/pki-tomcat/tks [type <type 'str'>]
PKI instance path: /var/lib/pki/pki-tomcat
Path: /var/lib/pki/pki-tomcat/tps [type <type 'str'>]
PKI instance path: /var/lib/pki^@pki-tomcat <----
Path: /var/lib/pki^@pki-tomcat/ca [type <type 'str'>]

Created attachment of CA instance spawn log in associated bug.
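
The failure mode reported above, as an added example that is not part of the original report or of Dogtag's code: a path taken from configuration is checked for NUL and other control characters before any filesystem call, so the error names the offending offset instead of surfacing deep inside `os.stat()`. It is written for Python 3, where `os.stat()` raises `ValueError` (the Python 2.7 in the report raised `TypeError`); the helper names are hypothetical and the sample paths are constructed from the debug output, with `\x00` standing in for `^@`.

```python
import os

# Constructed sample values mirroring the debug prints in the report.
GOOD_INSTANCE_PATH = "/var/lib/pki/pki-tomcat"
BAD_INSTANCE_PATH = "/var/lib/pki\x00pki-tomcat"


def find_control_chars(path):
    """Return [(offset, codepoint)] for each NUL/control character in path."""
    return [(i, ord(c)) for i, c in enumerate(path)
            if ord(c) < 0x20 or ord(c) == 0x7F]


def checked_path(path):
    """Hypothetical guard: return path unchanged, or raise with the offsets."""
    bad = find_control_chars(path)
    if bad:
        detail = ", ".join("0x%02x at offset %d" % (cp, off) for off, cp in bad)
        raise ValueError("control character in path %r: %s" % (path, detail))
    return path


def subsystem_dirs(instance_path, names=("ca", "ocsp", "tks", "tps")):
    """Validate the instance path once, then list existing subsystem dirs."""
    base = checked_path(instance_path)
    return [n for n in names if os.path.isdir(os.path.join(base, n))]


def stat_outcome(path):
    """Report how the raw filesystem call reacts to the path."""
    try:
        os.stat(path)
        return "ok"
    except ValueError:
        return "ValueError"  # Python 3: embedded null byte
    except OSError:
        return "OSError"     # e.g. the path does not exist


if __name__ == "__main__":
    for p in (GOOD_INSTANCE_PATH, BAD_INSTANCE_PATH):
        print(repr(p), find_control_chars(p), stat_outcome(p))
```

On Python 3.8 and later, `os.path.exists()` and `os.path.isdir()` return `False` for a path with an embedded NUL instead of raising, so without an explicit check a corrupted path is indistinguishable from a missing directory.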

Metadata Update from @mbabinsk@redhat.com:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None

7 years ago

[20170404] - email request for re-test sent

[20170407] - Received word back from amarecek@redhat.com that this issue is now resolved on Fedora 27 "rawhide".

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.4.1-2.fc27
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.1 (was: 0.0 NEEDS_TRIAGE)

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2711

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
