Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1812169
Summary: | Running ipa-replica-install fails with Certificate issuance failed (CA_UNREACHABLE: Server at https://ipa-master.example.test/ipa/xml failed request, will retry: 4016 (RPC failed at server. Failed to authenticate to CA REST API).) | |||
---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jan Pazdziora <jpazdziora> | |
Component: | freeipa | Assignee: | IPA Maintainers <ipa-maint> | |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | rawhide | CC: | abokovoy, fdc, frenaud, ipa-maint, jcholast, jhrozek, jpazdziora, lslebodn, pvoborni, rcritten, ssorce, twoerner | |
Target Milestone: | --- | Keywords: | Regression | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | freeipa-4.8.6-1.fc32 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1817918 (view as bug list) | Environment: | ||
Last Closed: | 2020-04-05 00:15:22 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1817918 |
Description
Jan Pazdziora
2020-03-10 17:01:06 UTC
I see the same failure on Fedora 32. What tomcat version do you have? In rawhide it is a known issue with tomcat 9.0.31 which enforces use of a secret-protected setup for AJP proxy. I'm currently working on a fix for upstream. It's tomcat-9.0.31-1.fc33.noarch. Upstream PR: https://github.com/freeipa/freeipa/pull/4337 Fixed upstream master: https://pagure.io/freeipa/c/593fac1ca9381a51ee59fac994d818ed9619bd8e https://pagure.io/freeipa/c/ec73de969f55b7a005b6401029f87fe6a225a417 Fixed upstream ipa-4-8: https://pagure.io/freeipa/c/1deb1010b245df6c363c5655f9a548bdf4dbc040 https://pagure.io/freeipa/c/d4d8b98c3588b212db6a26610e690cccb3af84ca ipa-4-7: https://pagure.io/freeipa/c/d4ad2c24df2477a5b4ced14a592d99547a0c029e https://pagure.io/freeipa/c/fc82b966c054b8a6a98441f08d9ccf2f5737e623 ipa-4-6: https://pagure.io/freeipa/c/af2dca13d0cc24e0cf32bc23e4edb86fbbf60d03 https://pagure.io/freeipa/c/901d0eca7d462c74c1664aae9b3415ede7ba3dfc (In reply to Florence Blanc-Renaud from comment #6) > Fixed upstream > ipa-4-8: > https://pagure.io/freeipa/c/1deb1010b245df6c363c5655f9a548bdf4dbc040 > https://pagure.io/freeipa/c/d4d8b98c3588b212db6a26610e690cccb3af84ca > Backporting these patches does not seems to be enough for rawhide. The installation on master will fails Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: configuring certificate server instance Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpchj5vgwk'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: CalledProcessError: Command \'[\'sudo\', \'-u\', \'pkiuser\', \'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java\', \'-classpath\', \'/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*\', \'-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory\', \'-Dcatalina.base=/var/lib/pki/pki-tomcat\', \'-Dcatalina.home=/usr/share/tomcat\', \'-Djava.endorsed.dirs=\', \'-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp\', \'-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties\', \'-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager\', \'org.dogtagpki.server.cli.PKIServerCLI\', \'ca-db-remove\', \'--force\']\' died with <Signals.SIGABRT: 6>.\n File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 562, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn\n subsystem.remove_database(force=True)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 932, in remove_database\n self.run(cmd, as_current_user=as_current_user)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 980, in run\n subprocess.run(cmd, check=True)\n File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n raise CalledProcessError(retcode, process.args,\n\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. CA configuration failed. For some reason jdk crashed 2020-03-16T12:18:37Z DEBUG Starting external process 2020-03-16T12:18:37Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpchj5vgwk'] 2020-03-16T12:18:43Z DEBUG Process finished, return code=1 2020-03-16T12:18:43Z DEBUG stdout=# # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x00007fba2b65afbe, pid=24003, tid=0x00007fba2904a700 # # JRE version: OpenJDK Runtime Environment (8.0_242-b08) (build 1.8.0_242-b08) # Java VM: OpenJDK 64-Bit Server VM (25.242-b08 mixed mode linux-amd64 compressed oops) # Problematic frame: # V [libjvm.so+0x701fbe] JNIHandleBlock::oops_do(OopClosure*)+0xae # # Core dump written. Default location: /tmp/hsperfdata_pkiuser/core or core.24003 # # An error report file with more information is saved as: # /tmp/hsperfdata_pkiuser/hs_err_pid24003.log # # If you would like to submit a bug report, please visit: # http://bugreport.java.com/bugreport/crash.jsp # Installation log: /var/log/pki/pki-ca-spawn.20200316131837.log Loading deployment configuration from /tmp/tmpchj5vgwk. WARNING: The 'pki_ssl_server_token' in [CA] has been deprecated. Use 'pki_sslserver_token' instead. Installing CA into /var/lib/pki/pki-tomcat. Installation failed: Command failed: sudo -u pkiuser /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/ share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.b ase=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/etc/pki/pki-tomcat/logg ing.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.dogtagpki.server.cli.PKIServerCLI ca-db-remove --force Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20200316131837.log 2020-03-16T12:18:43Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present. ERROR: CalledProcessError: Command '['sudo', '-u', 'pkiuser', '/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-classpath', '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*', '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory', '-Dcatalina.base=/var/lib/pki/pki-tomcat', '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=', '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp', '-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties', '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager', 'org.dogtagpki.server.cli.PKIServerCLI', 'ca-db-remove', '--force']' died with <Signals.SIGABRT: 6>. File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 562, in main scriptlet.spawn(deployer) File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn subsystem.remove_database(force=True) File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 932, in remove_database self.run(cmd, as_current_user=as_current_user) File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 980, in run subprocess.run(cmd, check=True) File "/usr/lib64/python3.8/subprocess.py", line 512, in run raise CalledProcessError(retcode, process.args, 2020-03-16T12:18:43Z CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpchj5vgwk'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: CalledProcessError: Command \'[\'sudo\', \'-u\', \'pkiuser\', \'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java\', \'-classpath\', \'/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*\', \'-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory\', \'-Dcatalina.base=/var/lib/pki/pki-tomcat\', \'-Dcatalina.home=/usr/share/tomcat\', \'-Djava.endorsed.dirs=\', \'-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp\', \'-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties\', \'-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager\', \'org.dogtagpki.server.cli.PKIServerCLI\', \'ca-db-remove\', \'--force\']\' died with <Signals.SIGABRT: 6>.\n File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 562, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn\n subsystem.remove_database(force=True)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 932, in remove_database\n self.run(cmd, as_current_user=as_current_user)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 980, in run\n subprocess.run(cmd, check=True)\n File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n raise CalledProcessError(retcode, process.args,\n\n') 2020-03-16T12:18:43Z CRITICAL See the installation logs and the following files/directories for more information: 2020-03-16T12:18:43Z CRITICAL /var/log/pki/pki-tomcat 2020-03-16T12:18:43Z DEBUG Traceback (most recent call last): File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 193, in spawn_instance ipautil.run(args, nolog=nolog_list) File "/usr/lib/python3.8/site-packages/ipapython/ipautil.py", line 597, in run raise CalledProcessError( ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpchj5vgwk'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: CalledProcessError: Command \'[\'sudo\', \'-u\', \'pkiuser\', \'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java\', \'-classpath\', \'/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*\', \'-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory\', \'-Dcatalina.base=/var/lib/pki/pki-tomcat\', \'-Dcatalina.home=/usr/share/tomcat\', \'-Djava.endorsed.dirs=\', \'-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp\', \'-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties\', \'-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager\', \'org.dogtagpki.server.cli.PKIServerCLI\', \'ca-db-remove\', \'--force\']\' died with <Signals.SIGABRT: 6>.\n File "/usr/lib/python3.8/site-packages/pki/server/pkispawn.py", line 562, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.8/site-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn\n subsystem.remove_database(force=True)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 932, in remove_database\n self.run(cmd, as_current_user=as_current_user)\n File "/usr/lib/python3.8/site-packages/pki/server/subsystem.py", line 980, in run\n subprocess.run(cmd, check=True)\n File "/usr/lib64/python3.8/subprocess.py", line 512, in run\n raise CalledProcessError(retcode, process.args,\n\n') During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 603, in start_creation run_step(full_msg, method) File "/usr/lib/python3.8/site-packages/ipaserver/install/service.py", line 589, in run_step method() File "/usr/lib/python3.8/site-packages/ipaserver/install/cainstance.py", line 596, in __spawn_instance DogtagInstance.spawn_instance( File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 195, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 503, in handle_setup_error raise RuntimeError("%s configuration failed." % self.subsystem) RuntimeError: CA configuration failed. Hi Lukas, the issue you mention is a different one, already reported in https://pagure.io/dogtagpki/issue/3130 ipa-server-install fails in pkispawn step with a java coredump. The above ticket mentions https://bugzilla.redhat.com/show_bug.cgi?id=1813550 java segmentation faults during package builds in rawhide which is a java-1.8.0-openjdk problem. Is it OK for you to move back this BZ to POST? Last time when I tried, I was able to install at least master without patch (just replica failed) But I failed to install even maser with patch. I did not dive into details but it seems suspicious for me. If you are sure it is unrelated then feel free to move to POST otherwise I would prefer at lest something functional in rawhide. Is it expected that the Java segfault issue seems non-deterministic? (In reply to Lukas Slebodnik from comment #10) > Last time when I tried, I was able to install at least master without patch > (just replica failed) > But I failed to install even maser with patch. I did not dive into details > but > it seems suspicious for me. > > If you are sure it is unrelated then feel free to move to POST > otherwise I would prefer at lest something functional in rawhide. I cannot reproduce issue with new jdk and new freeipa. The bug can be closed. Thanks Lukas for checking. Moving back to POST. (In reply to Florence Blanc-Renaud from comment #13) > Thanks Lukas for checking. Moving back to POST. Is there any reason why the state cannot be to closed -> rawhide? It is fixed also in F32, so we can attach it to F32 update: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e3a79248dc FEDORA-2020-e3a79248dc has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e3a79248dc I confirm that I no longer see the problem with freeipa-server-4.8.5-2.fc32.x86_64 and freeipa-server-4.8.5-2.fc33.x86_64. So the fix was likely somewhere else than freeipa-4.8.6-1.fc32, so attaching to https://bodhi.fedoraproject.org/updates/FEDORA-2020-e3a79248dc does not seem corect. You don't see the issue because JDK crash is fixed. FreeIPA 4.8.5 fixed the AJP issue, 4.8.6 contains a fix that was needed for an edge case of restarting httpd as part of dogtag configuration before it was configured. So both are applicable here. FEDORA-2020-e3a79248dc has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e3a79248dc` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e3a79248dc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-e3a79248dc has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. |