[Install - Setup CA] Error #1232

Open
kkarlo opened this issue May 7, 2024 · 0 comments

kkarlo commented May 7, 2024

I recently tried to install FreeIPA with this Ansible collection, but I have some trouble. My server gets an error:

TASK [freeipa.ansible_freeipa.ipaserver : Install - Setup CA] **************************************************************************************************************************************************
fatal: [freeipa.local]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 10.10.10.10 closed.\r\n", "module_stdout": "Failed to configure CA instance\r\nSee the installation logs and the following files/directories for more information:\r\n  /var/log/pki/pki-tomcat\r\nTraceback (most recent call last):\r\n  File \"/home/ansible/.ansible/tmp/ansible-tmp-1715091297.839199-16334-267785926845212/AnsiballZ_ipaserver_setup_ca.py\", line 107, in <module>\r\n    _ansiballz_main()\r\n  File \"/home/ansible/.ansible/tmp/ansible-tmp-1715091297.839199-16334-267785926845212/AnsiballZ_ipaserver_setup_ca.py\", line 99, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/home/ansible/.ansible/tmp/ansible-tmp-1715091297.839199-16334-267785926845212/AnsiballZ_ipaserver_setup_ca.py\", line 48, in invoke_module\r\n    run_name='__main__', alter_sys=True)\r\n  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\r\n    return _run_module_code(code, init_globals, run_name, mod_spec)\r\n  File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\r\n    mod_name, mod_spec, pkg_name, script_name)\r\n  File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\r\n    exec(code, run_globals)\r\n  File \"/tmp/ansible_freeipa.ansible_freeipa.ipaserver_setup_ca_payload_ek7epr3z/ansible_freeipa.ansible_freeipa.ipaserver_setup_ca_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaserver_setup_ca.py\", line 417, in <module>\r\n  File \"/tmp/ansible_freeipa.ansible_freeipa.ipaserver_setup_ca_payload_ek7epr3z/ansible_freeipa.ansible_freeipa.ipaserver_setup_ca_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaserver_setup_ca.py\", line 379, in main\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/ca.py\", line 355, in install_step_0\r\n    pki_config_override=options.pki_config_override,\r\n  File 
\"/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py\", line 501, in configure_instance\r\n    self.start_creation(runtime=runtime)\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/service.py\", line 635, in start_creation\r\n    run_step(full_msg, method)\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/service.py\", line 621, in run_step\r\n    method()\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py\", line 627, in __spawn_instance\r\n    nolog_list=nolog_list\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py\", line 227, in spawn_instance\r\n    self.handle_setup_error(e)\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py\", line 606, in handle_setup_error\r\n    ) from None\r\nRuntimeError: CA configuration failed.\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

And logs from ipaserver-install:

INFO: Enabling CA subsystem
INFO: Creating /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
INFO: Starting PKI server
DEBUG: Command: systemctl start [email protected]
INFO: Waiting for PKI server to start
INFO: Waiting for PKI server to start (16s)
INFO: Waiting for PKI server to start (32s)
INFO: Waiting for PKI server to start (48s)
INFO: Waiting for PKI server to start (64s)
INFO: Waiting for PKI server to start (80s)
INFO: Waiting for PKI server to start (96s)
INFO: Waiting for PKI server to start (112s)
Exception: Server did not start after 120s
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 703, in spawn
    timeout=deployer.request_timeout)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 365, in start
    max_wait) from e


2024-05-07T14:17:56Z CRITICAL Failed to configure CA instance
2024-05-07T14:17:56Z CRITICAL See the installation logs and the following files/directories for more information:
2024-05-07T14:17:56Z CRITICAL   /var/log/pki/pki-tomcat
2024-05-07T14:17:56Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
    ) from None
RuntimeError: CA configuration failed.

2024-05-07T14:17:56Z DEBUG   [error] RuntimeError: CA configuration failed.
2024-05-07T14:17:56Z DEBUG Removing /root/.dogtag/pki-tomcat/ca

In the debug log from the service (/var/log/pki/pki-tomcat/ca/debug.2024-05-07.log) I got:

2024-05-07 16:15:53 [main] INFO: RequestSubsystem: Request subsystem started
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing cert repository
2024-05-07 16:15:53 [main] INFO: CAEngine: - increment: 20
2024-05-07 16:15:53 [main] INFO: CertificateRepository: Initializing certificate repository
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - base DN: ou=certificateRepository, ou=ca,o=ipaca
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - range DN: ou=certificateRepository, ou=ranges,o=ipaca
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - min serial: 1
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - max serial: 268435456
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - next min serial: null
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - next max serial: null
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CRL repository
2024-05-07 16:15:53 [main] INFO: CRLRepository: Initializing CRL repository
2024-05-07 16:15:53 [main] INFO: CRLRepository: - base DN: ou=crlIssuingPoints,ou=ca,o=ipaca
2024-05-07 16:15:53 [main] INFO: CRLRepository: - range DN: ou=requests, ou=ranges,o=ipaca
2024-05-07 16:15:53 [main] INFO: CRLRepository: - min serial: 1
2024-05-07 16:15:53 [main] INFO: CRLRepository: - max serial: 10000000
2024-05-07 16:15:53 [main] INFO: CRLRepository: - next min serial: null
2024-05-07 16:15:53 [main] INFO: CRLRepository: - next max serial: null
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing replica ID repository
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: Initializing replica ID repository
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - base DN: ou=replica,o=ipaca
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - range DN: ou=replica, ou=ranges,o=ipaca
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - min serial: 1
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - max serial: 100
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - next min serial: null
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - next max serial: null
2024-05-07 16:15:53 [main] INFO: Initializing CA subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Loading ca subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Loading profile subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Loading selftests subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Loading CrossCertPair subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Loading stats subsystem
2024-05-07 16:15:53 [main] INFO: CAEngine: Loading CA configuration
2024-05-07 16:15:53 [main] INFO: CAEngine: - default cert version: Version: V2
2024-05-07 16:15:53 [main] INFO: CAEngine: - default cert validity (days): 730
2024-05-07 16:15:53 [main] INFO: CAEngine: - enable past CA time: false
2024-05-07 16:15:53 [main] INFO: CAEngine: - enable past CA time for CA certs: false
2024-05-07 16:15:53 [main] INFO: CAEngine: - fast signing:
2024-05-07 16:15:53 [main] INFO: CAEngine: - allowExtCASignedAgentCerts: false
2024-05-07 16:15:53 [main] INFO: CAEngine: - enable nonces: true
2024-05-07 16:15:53 [main] INFO: CAEngine: - max nonces: 100
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CA policy
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CA service
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CA request notifier
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CA pending request notifier
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CA request queue
2024-05-07 16:15:53 [main] INFO: CAEngine: - increment: 20
2024-05-07 16:15:53 [main] INFO: CAEngine: - scheduler: null
2024-05-07 16:15:53 [main] INFO: RequestRepository: Initializing request repository
2024-05-07 16:15:53 [main] INFO: RequestRepository: - filter: (requeststate=*)
2024-05-07 16:15:53 [main] INFO: RequestRepository: - base DN: ou=ca, ou=requests,o=ipaca
2024-05-07 16:15:53 [main] INFO: RequestRepository: - range DN: ou=requests, ou=ranges,o=ipaca
2024-05-07 16:15:53 [main] INFO: RequestRepository: - min serial: 1
2024-05-07 16:15:53 [main] INFO: RequestRepository: - max serial: 10000000
2024-05-07 16:15:53 [main] INFO: RequestRepository: - next min serial: null
2024-05-07 16:15:53 [main] INFO: RequestRepository: - next max serial: null
2024-05-07 16:15:53 [main] INFO: CMSEngine: Initializing ca subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Initializing profile subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: profile subsystem is disabled
2024-05-07 16:15:53 [main] INFO: CMSEngine: Initializing selftests subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Initializing CrossCertPair subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Initializing stats subsystem
2024-05-07 16:15:53 [main] INFO: ServerXml: Parsing /var/lib/pki/pki-tomcat/conf/server.xml
2024-05-07 16:15:53 [main] INFO: ServerXml: Unsecure port: 8080
2024-05-07 16:15:53 [main] INFO: ServerXml: Secure port: 8443
2024-05-07 16:15:53 [main] INFO: CMSEngine: Starting ca subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Starting null subsystem
2024-05-07 16:15:53 [main] INFO: LDAPProfileSubsystem: startup
2024-05-07 16:15:53 [main] INFO: CMSEngine: Starting selftests subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Starting CrossCertPair subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Starting stats subsystem
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin passwdUserDBAuthPlugin
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin certUserDBAuthPlugin
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin challengeAuthPlugin
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin sslClientCertAuthPlugin
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin AgentCertAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin CMCAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin CMCUserSignedAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin FlatFileAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin SSLclientCertAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin SessionAuthentication
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin SharedToken
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin TokenAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin UidPwdDirAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin UidPwdGroupDirAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin UidPwdPinDirAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin UserPwdDirAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance passwdUserDBAuthMgr
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance certUserDBAuthMgr
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance challengeAuthMgr
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance CMCAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance sslClientCertAuthMgr
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance AgentCertAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance CMCUserSignedAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance SSLclientCertAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance SessionAuthentication
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance TokenAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance flatFileAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance raCertAuth
2024-05-07 16:15:53 [main] INFO: AAclAuthz: group evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: ipaddress evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: user evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: user_origreq evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: initialization done
2024-05-07 16:15:53 [main] INFO: BasicAclAuthz: initialization done
2024-05-07 16:15:53 [main] INFO: AuthzSubsystem: authz manager instance BasicAclAuthz added
2024-05-07 16:15:53 [main] INFO: AAclAuthz: group evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: ipaddress evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: user evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: user_origreq evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: initialization done
2024-05-07 16:15:53 [main] INFO: DirAclAuthz: found cn=aclResources,o=ipaca
2024-05-07 16:15:53 [main] INFO: DirAclAuthz: initialization done
2024-05-07 16:15:53 [main] INFO: AuthzSubsystem: authz manager instance DirAclAuthz added
2024-05-07 16:15:53 [main] INFO: AuthzSubsystem: authz initialization done.
2024-05-07 16:15:53 [main] INFO: CMSEngine: Configuring servlet certificate nickname
2024-05-07 16:15:53 [main] INFO: CMSEngine: Configuring excluded LDAP attributes
2024-05-07 16:15:53 [main] INFO: CA engine started

As you can see, the Tomcat server is started, but I am getting "Exception: Server did not start after 120s". How can I repair this issue or resolve the problem? When I run the install playbook once again, almost all tasks are skipped.
