When installing FreeIPA w/ CA on rawhide, the installation fails with a familiar error:
    Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
      [1/31]: creating certificate server user
      [2/31]: configuring certificate server instance
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpANra4a' returned non-zero exit status 1
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
      [error] RuntimeError: CA configuration failed.
    ipa.ipapython.install.cli.install_tool(Server): ERROR CA configuration failed.
    ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Inspecting installation logs hints at some issue with unicode vs. bytes handling during CA instance creation using pkispawn:
    2017-01-17T07:01:18Z DEBUG Starting external process
    2017-01-17T07:01:18Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpANra4a
    2017-01-17T07:01:19Z DEBUG Process finished, return code=1
    2017-01-17T07:01:19Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20170117070118.log
    Loading deployment configuration from /tmp/tmpANra4a.
    Installing CA into /var/lib/pki/pki-tomcat.
    Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

    Installation failed: stat() argument 1 must be encoded string without null bytes, not str
and this is indeed confirmed when examining the pki-ca-spawn logs (attached):
    2017-01-17 07:01:19 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-oI6sY0 -f /root/.dogtag/pki-tomcat/ca/password.conf'
    2017-01-17 07:01:19 pkispawn : DEBUG ....... Error Type: TypeError
    2017-01-17 07:01:19 pkispawn : DEBUG ....... Error Message: stat() argument 1 must be encoded string without null bytes, not str
    2017-01-17 07:01:19 pkispawn : DEBUG .......
      File "/usr/sbin/pkispawn", line 528, in main
        scriptlet.spawn(deployer)
      File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 301, in spawn
        if len(deployer.instance.tomcat_instance_subsystems()) < 2:
      File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 1028, in tomcat_instance_subsystems
        if os.path.exists(path) and os.path.isdir(path):
      File "/usr/lib64/python2.7/genericpath.py", line 26, in exists
        os.stat(path)
This issue currently blocks FreeIPA installation on rawhide. Please resolve ASAP.
Steps to Reproduce:
Try to install FreeIPA server with self-signed CA provided by Dogtag
Actual results:
Installation fails during CA subsystem spawn.
Expected results:
Installation produces a working FreeIPA server
Additional info:
The installation works in freeipa/freeipa-server:fedora-rawhide Docker image built on 2017-01-11T13:53:49.455Z and also on freshly built Docker image launched on Fedora Atomic Host 25.

Adding some debug prints into "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py" reveals that on one occasion, PKI_INSTANCE_PATH constant from "/usr/lib/python2.7/site-packages/pki/server/deployment/config.py" holds a value containing non-printable character:

    PKI instance path: /var/lib/pki/pki-tomcat
    Path: /var/lib/pki/pki-tomcat/ocsp [type <type 'str'>]
    PKI instance path: /var/lib/pki/pki-tomcat
    Path: /var/lib/pki/pki-tomcat/tks [type <type 'str'>]
    PKI instance path: /var/lib/pki/pki-tomcat
    Path: /var/lib/pki/pki-tomcat/tps [type <type 'str'>]
    PKI instance path: /var/lib/pki^@pki-tomcat <----
    Path: /var/lib/pki^@pki-tomcat/ca [type <type 'str'>]

Created attachment of CA instance spawn log in associated bug.
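An added example, not part of the original report and not Dogtag PKI code: a check that catches an embedded NUL or other control character in a deployment path before it reaches os.stat(), and prints it in the same caret form (^@) as the debug output above. The function names and the sample values are constructed for illustration.

```python
import os


def caret(ch):
    """Render a control character in caret notation (NUL -> ^@)."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)
    if code == 0x7F:
        return "^?"
    return ch


def control_chars(path):
    """Return (offset, caret form) for every control character in path."""
    return [(i, caret(c)) for i, c in enumerate(path)
            if ord(c) < 0x20 or ord(c) == 0x7F]


def checked_path(base, *parts):
    """Join path components, refusing a result that carries control characters."""
    joined = os.path.join(base, *parts)
    bad = control_chars(joined)
    if bad:
        visible = "".join(caret(c) for c in joined)
        raise ValueError("control character(s) %r in path %s" % (bad, visible))
    return joined


def subsystem_dirs(instance_path, subsystems=("ca", "ocsp", "tks", "tps")):
    """Return the subsystem directories that exist under instance_path."""
    found = []
    for name in subsystems:
        path = checked_path(instance_path, name)  # validate before any stat()
        if os.path.isdir(path):
            found.append(path)
    return found


# Constructed sample values modelled on the debug output in the report.
GOOD = "/var/lib/pki/pki-tomcat"
BAD = "/var/lib/pki\x00pki-tomcat"

if __name__ == "__main__":
    print(control_chars(GOOD), control_chars(BAD))
```

Failing at the join with the offset of the bad byte points at the corrupted constant itself rather than at the later stat() call that happens to trip over it.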
Metadata Update from @mbabinsk@redhat.com: - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Please re-try this with the following packages installed on rawhide:
Metadata Update from @mharmsen: - Custom field feature adjusted to '' - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field version adjusted to '' - Issue close_status updated to: None
[20170404] - email request for re-test sent
[20170407] - Received word back from amarecek@redhat.com that this issue is now resolved on Fedora 27 "rawhide".
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.4.1-2.fc27 - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.1 (was: 0.0 NEEDS_TRIAGE)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2711
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.