[Pkg-freeipa-devel] I want to know whether bug #897640 [src:freeipa] freeipa-server: ipa-server-install fails when using a CA certificate signed by an external CA (pki-tomcatd) has been resolved in freeipa 4.7.1 for Debian
Wangxiangdong
wang.xiangdong at h3c.com
Sat Jul 13 18:15:25 BST 2019
We installed freeipa-server 4.7.1 on Debian 9 and still have the bug. My bug info is below. I hope to get your reply. Thanks in advance.
freeipa-server 4.7.1 failed to install - Debian 9
I am trying to install the freeipa-server (4.7.1) package on Debian 9, which is
now failing; the failure message is "pkispawn failed". The installation output, after running apt install
freeipa-server, is as follows. I want to know an effective way of installing freeipa-server
on Debian. Can you provide a way to compile the freeipa project?
1. Debian 9 system info.
Linux root 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64 GNU/Linux
2. Freeipa-server deb info.
freeipa-admintools_4.7.1-3_amd64.deb freeipa-tests_4.7.1-3_all.deb
freeipa-client_4.7.1-3_amd64.deb pki-tools_10.6.8-2_amd64.deb
freeipa-common_4.7.1-3_all.deb python-ipaclient_4.7.1-3_all.deb
freeipa-server_4.7.1-3_amd64.deb python-ipalib_4.7.1-3_all.deb
freeipa-server-dns_4.7.1-3_all.deb python-ipaserver_4.7.1-3_all.deb
freeipa-server-trust-ad_4.7.1-3_amd64.deb python-ipatests_4.7.1-3_all.deb
3. The error log is as follows.
ipa-server-install
2019-07-11T11:33:19Z DEBUG Starting external process
2019-07-11T11:33:19Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpYHBX9A']
2019-07-11T11:34:20Z DEBUG Process finished, return code=1
2019-07-11T11:34:20Z DEBUG stdout=Starting pki-tomcatd (via systemctl): pki-tomcatd.service.
Log file: /var/log/pki/pki-ca-spawn.20190711073319.log
Loading deployment configuration from /tmp/tmpYHBX9A.
WARNING: The 'pki_pin' in [CA] has been deprecated. Use 'pki_server_database_password' instead.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/dogtag/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed: server failed to restart
2019-07-11T11:34:20Z DEBUG stderr=pkispawn : ERROR Server did not start after 60s
configuration : ERROR Server failed to restart
2019-07-11T11:34:20Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpYHBX9A'] returned non-zero exit status 1: u'pkispawn : ERROR Server did not start after 60s\nconfiguration : ERROR Server failed to restart\n')
2019-07-11T11:34:20Z CRITICAL See the installation logs and the following files/directories for more information:
2019-07-11T11:34:20Z CRITICAL /var/log/pki/pki-tomcat
2019-07-11T11:34:20Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 605, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 591, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 669, in __spawn_instance
pki_pin)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2019-07-11T11:34:20Z DEBUG [error] RuntimeError: CA configuration failed.
2019-07-11T11:34:20Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 347, in run
return cfgr.run()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", line 550, in main
master_install(self)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 253, in decorated
func(installer)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 842, in install
ca.install_step_0(False, None, options, custodia=custodia)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/ca.py", line 318, in install_step_0
use_ldaps=standalone)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 484, in configure_instance
self.start_creation(runtime=runtime)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 605, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 591, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 669, in __spawn_instance
pki_pin)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dogtaginstance.py", line 166, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
2019-07-11T11:34:20Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2019-07-11T11:34:20Z ERROR CA configuration failed.
2019-07-11T11:34:20Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
4. Pkispawn error info.
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
2019-07-08 03:58:07 pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caCert.profile /etc/pki/pki-tomcat/ca/caCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/caCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/caCert.profile
2019-07-08 03:58:07 pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/caOCSPCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/caOCSPCert.profile
2019-07-08 03:58:07 pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/rsaServerCert.profile /etc/pki/pki-tomcat/ca/serverCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/serverCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/serverCert.profile
2019-07-08 03:58:07 pkispawn : INFO ....... cp -p /usr/share/pki/ca/conf/rsaSubsystemCert.profile /etc/pki/pki-tomcat/ca/subsystemCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/subsystemCert.profile
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/subsystemCert.profile
2019-07-08 03:58:07 pkispawn : INFO ....... copying '/usr/share/pki/ca/conf/proxy.conf' --> '/etc/pki/pki-tomcat/ca/proxy.conf' with slot substitution
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/ca/proxy.conf
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/ca/proxy.conf
2019-07-08 03:58:07 pkispawn : INFO ....... ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/ca/alias
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown -h 111:117 /var/lib/pki/pki-tomcat/ca/alias
2019-07-08 03:58:07 pkispawn : INFO ....... ln -s /etc/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/conf
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown -h 111:117 /var/lib/pki/pki-tomcat/ca/conf
2019-07-08 03:58:07 pkispawn : INFO ....... ln -s /var/log/pki/pki-tomcat/ca /var/lib/pki/pki-tomcat/ca/logs
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown -h 111:117 /var/lib/pki/pki-tomcat/ca/logs
2019-07-08 03:58:07 webapp : INFO Creating webapp
2019-07-08 03:58:07 pkispawn : INFO ....... mkdir -p /var/lib/pki/pki-tomcat/ca/webapps
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 770 /var/lib/pki/pki-tomcat/ca/webapps
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /var/lib/pki/pki-tomcat/ca/webapps
2019-07-08 03:58:07 pkispawn : INFO ....... setting ownerships, permissions, and acls on '/var/lib/pki/pki-tomcat/ca/webapps'
2019-07-08 03:58:07 nssdb : INFO Creating NSS database
2019-07-08 03:58:07 pki.server : INFO Loading instance: pki-tomcat
2019-07-08 03:58:07 pki.server : INFO Loading instance registry: /etc/dogtag/tomcat/pki-tomcat/pki-tomcat
2019-07-08 03:58:07 pki.server : INFO Loading subsystem: ca
2019-07-08 03:58:07 pki.server : INFO Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
2019-07-08 03:58:07 nssdb : INFO Creating password config: /etc/pki/pki-tomcat/password.conf
2019-07-08 03:58:07 nssdb : INFO Creating password file: /etc/pki/pki-tomcat/pfile
2019-07-08 03:58:07 pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/password.conf'
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /etc/pki/pki-tomcat/password.conf
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /etc/pki/pki-tomcat/password.conf
2019-07-08 03:58:07 pkispawn : INFO ....... executing 'certutil -N -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile'
2019-07-08 03:58:07 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile
2019-07-08 03:58:07 pki.server : INFO Getting signing cert info for ca from CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting ocsp_signing cert info for ca from CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting sslserver cert info for ca from CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting subsystem cert info for ca from CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting audit_signing cert info for ca from CS.cfg
2019-07-08 03:58:07 pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 755 /root/.dogtag/pki-tomcat/ca
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca
2019-07-08 03:58:07 nssdb : INFO Creating password file: /root/.dogtag/pki-tomcat/ca/password.conf
2019-07-08 03:58:07 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/password.conf
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca/password.conf
2019-07-08 03:58:07 pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2019-07-08 03:58:07 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 111:117 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2019-07-08 03:58:07 pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca/alias
2019-07-08 03:58:07 pkispawn : DEBUG ........... chmod 770 /root/.dogtag/pki-tomcat/ca/alias
2019-07-08 03:58:07 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca/alias
2019-07-08 03:58:07 pkispawn : INFO ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
2019-07-08 03:58:07 selinux : INFO SELinux disabled
2019-07-08 03:58:07 keygen : INFO Generating keys
2019-07-08 03:58:07 pki.server : INFO Loading instance: pki-tomcat
2019-07-08 03:58:07 pki.server : INFO Loading instance registry: /etc/dogtag/tomcat/pki-tomcat/pki-tomcat
2019-07-08 03:58:07 pki.server : INFO Loading password config: /etc/pki/pki-tomcat/password.conf
2019-07-08 03:58:07 pki.server : INFO Loading subsystem: ca
2019-07-08 03:58:07 pki.server : INFO Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting signing cert info for ca from CS.cfg
2019-07-08 03:58:07 pki.server : INFO Getting signing cert info for ca from NSS database
2019-07-08 03:58:07 pki.nssdb : DEBUG Command: certutil -L -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpQ8ZCeb/password.txt -n caSigningCert cert-pki-ca -a
2019-07-08 03:58:07 keygen : INFO Generating ca_signing CSR in /root/ipa.csr
2019-07-08 03:58:07 pki.nssdb : DEBUG Command: openssl rand -out /tmp/tmpv1RVD7/noise.bin 2048
2019-07-08 03:58:07 pki.nssdb : DEBUG Command: certutil -R -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpv1RVD7/password.txt -s CN=Certificate Authority,O=EXAMPLE.COM -o /tmp/tmpv1RVD7/request.bin -z /tmp/tmpv1RVD7/noise.bin -k rsa -g 2048 -Z SHA256 --keyUsage certSigning,crlSigning,critical,digitalSignature,nonRepudiation -2
2019-07-08 03:58:07 pkispawn : DEBUG ....... Error Type: CalledProcessError
2019-07-08 03:58:07 pkispawn : DEBUG ....... Error Message: Command '['BtoA', '/tmp/tmpv1RVD7/request.bin', '/tmp/tmpv1RVD7/request.b64']' returned non-zero exit status 1
2019-07-08 03:58:07 pkispawn : DEBUG ....... File "/usr/lib/python2.7/dist-packages/pki/server/pkispawn.py", line 546, in main
scriptlet.spawn(deployer)
File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/keygen.py", line 468, in spawn
self.generate_system_cert_requests(deployer, subsystem)
File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/keygen.py", line 433, in generate_system_cert_requests
self.generate_ca_signing_csr(deployer, subsystem)
File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/keygen.py", line 176, in generate_ca_signing_csr
generic_exts=generic_exts
File "/usr/lib/python2.7/dist-packages/pki/server/deployment/scriptlets/keygen.py", line 113, in generate_csr
generic_exts=generic_exts)
File "/usr/lib/python2.7/dist-packages/pki/nssdb.py", line 613, in create_request
'BtoA', binary_request_file, b64_request_file])
File "/usr/lib/python2.7/subprocess.py", line 190, in check_call
raise CalledProcessError(retcode, cmd)
Thanks.