Dogtag PKI / DOGTAG-615

pkispawn fails in interactive mode

    • Critical
    • rhel-idm-cs
    • rc

      Description of problem:

      pkispawn fails on clean installation:

      [root@ca pki]# pkispawn -s CA

      IMPORTANT:

      Interactive installation currently only exists for very basic deployments!

      For example, deployments intent upon using advanced features such as:

      • Cloning,
      • Elliptic Curve Cryptography (ECC),
      • External CA,
      • Hardware Security Module (HSM),
      • Subordinate CA,
      • etc.,

      must provide the necessary override parameters in a separate
      configuration file.

      Run 'man pkispawn' for details.

      Tomcat:
      Instance [pki-tomcat]:
      HTTP port [8080]:
      Secure HTTP port [8443]:
      AJP port [8009]:
      Management port [8005]:

      Administrator:
      Username [caadmin]:
      Password:
      Verify password:
      Import certificate (Yes/No) [N]?
      Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:

      Directory Server:
      Hostname [ca.local]:
      Use a secure LDAPS connection (Yes/No/Quit) [N]? Yes
      Secure LDAPS Port [636]:
      Directory Server CA certificate pem file: /etc/dirsrv/slapd-ca/ca.crt
      Bind DN [cn=Directory Manager]:
      Password:
      Base DN [o=pki-tomcat-CA]:
      Base DN already exists. Overwrite (Yes/No/Quit)? Yes

      Security Domain:
      Name [local Security Domain]:

      Begin installation (Yes/No/Quit)? yes

      Installation log: /var/log/pki/pki-ca-spawn.20211221113549.log
      Installing CA into /var/lib/pki/pki-tomcat.
      Notice: Trust flag u is set automatically if the private key is present.
      Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
      See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
      ERROR: CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']' returned non-zero exit status 1.
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
      scriptlet.spawn(deployer)
      File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 956, in spawn
      instance.start()
      File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 263, in start
      subprocess.check_call(cmd)
      File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
      raise CalledProcessError(retcode, cmd)

      Installation failed: Command failed: systemctl start pki-tomcatd@pki-tomcat.service

      Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20211221113549.log

      [root@ca pki]# cat /var/log/pki/pki-ca-spawn.20211221113549.log
      2021-12-21 11:36:49 ERROR: CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']' returned non-zero exit status 1.
      File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
      scriptlet.spawn(deployer)
      File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 956, in spawn
      instance.start()
      File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 263, in start
      subprocess.check_call(cmd)
      File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
      raise CalledProcessError(retcode, cmd)

      Version-Release number of selected component (if applicable):
      [root@ca ~]# cat /usr/share/pki/CS_SERVER_VERSION
      Red Hat Certificate System 10.2
      [root@ca ~]# dnf install pki-ca | grep pki-ca
      Package pki-ca-10.10.5-3.module+el8pki+11223+7a85b62e.noarch is already installed.
      [root@ca ~]# cat /etc/pki/pki.version
      Configuration-Version: 10.10.5
      [root@ca pki]# cat /etc/redhat-release
      Red Hat Enterprise Linux release 8.5 (Ootpa)
      [root@ca pki]# fips-mode-setup --check
      FIPS mode is enabled.

      How reproducible:
      100%

      Steps to Reproduce:
      1. Install DS, create instance, check LDAPS connectivity
      2. Install redhat-pki module as described in 10.2 release notes, otherwise you get conflicts
      3. Run pkispawn -s CA

      Actual results:
      Service fails:
      -- Unit pki-tomcatd@pki-tomcat.service has begun starting up.
      Dec 21 11:36:49 ca.local pki-server[42247]: ProviderException: Initialization failed
      Dec 21 11:36:49 ca.local systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=exited status=255
      Dec 21 11:36:49 ca.local systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
      -- Subject: Unit failed
      -- Defined-By: systemd

      Expected results:
      Service starts as expected, pkispawn is successful

      Additional info:
      sosreport will be attached

              ckelley@redhat.com Chris Kelley
              rhn-support-asharov Aleksandr Sharov