[Freeipa-devel] [PATCH] 391-395 Fedora 19 build and install fixes

Tomas Babej tbabej at redhat.com
Wed Mar 27 09:42:19 UTC 2013


On Tue 26 Mar 2013 06:49:59 PM CET, Martin Kosek wrote:
> On 03/26/2013 06:32 PM, Tomas Babej wrote:
>> On 03/26/2013 05:38 PM, Martin Kosek wrote:
>>> On 03/21/2013 11:59 AM, Martin Kosek wrote:
>>>> This set of patches (details in commit messages) allows build and
>>>> installation
>>>> of FreeIPA in Fedora 19. I tested server and replica install
>>>> (master on f18,
>>>> replica on f19) and both worked fine.
>>>>
>>>> The patches are compatible with Fedora 18 (I tested).
>>>>
>>>> If your Fedora 19 does not have bind-9.9.2-11.P1.fc19, you may need
>>>> to get that
>>>> from koji:
>>>>
>>>> Bug 920713 - named timeouts when started via systemd
>>>>
>>>> Also, to fix trusts and ipa-adtrust-install, I had to use my custom
>>>> build of
>>>> 389-ds-base as current builds do not accept Kerberos tickets
>>>> greater than 2048
>>>> bytes. This is the bug I filed:
>>>>
>>>> Bug 923879 - 389-ds-base cannot handle Kerberos tickets with PAC
>>>>
>>>> Martin
>>>>
>>> Sending rebased patches (there was a conflict in spec changelog).
>>>
>>> Martin
>>>
>> This still needs the following rebase (changelog is not in
>> chronological order):
>>
>> -* Wed Mar 13 2013 Martin Kosek <mkosek at redhat.com> - 3.1.99-2
>> +* Tue Mar 26 2013 Martin Kosek <mkosek at redhat.com> - 3.1.99-2
>
> Right, I will fix that.
>
>>
>> The build on F19 went OK, however, IPA installation on F19 fails with
>> the
>> following error:
>>
>> [snip]
>> Configuring certificate server (pki-tomcatd): Estimated time 3
>> minutes 30 seconds
>>    [1/20]: creating certificate server user
>>    [2/20]: configuring certificate server instance
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> IOError: [Errno 2] No such file or directory:
>> '/root/.pki/pki-tomcat/ca_admin_cert.p12'
>
> What pki-ca version do you use? There were some related fixes for bugs
> I found in pki-ca component (see Bug 919476). I used
> pki-ca-10.0.1-2.1.fc19.noarch
>

The version is the same.

> If you have this version or higher, what is the root cause of the
> failure? Is there any useful info in ipaserver-install.log?
>

I haven't been able to identify the cause. There seems to be an issue 
with certmonger as well,
since consequent uninstallation fails with:

$ sudo ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unexpected error - see /var/log/ipaserver-uninstall.log for details:
CalledProcessError: Command '/bin/systemctl start certmonger.service' 
returned non-zero exit status 1

Looking at systemctl status certmonger.service, it looks like a D-Bus
connection problem:

$ sudo service certmonger status
Redirecting to /bin/systemctl status  certmonger.service
certmonger.service - Certificate monitoring and PKI enrollment
	  Loaded: loaded (/usr/lib/systemd/system/certmonger.service; disabled)
	  Active: failed (Result: exit-code) since Wed 2013-03-27 10:06:08 
CET; 2s ago
	 Process: 5870 ExecStart=/usr/sbin/certmonger -S -p 
/var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE)

Mar 27 10:06:08 vm-093.idm.lab.eng.brq.redhat.com systemd[1]: Starting 
Certificate monitoring and PKI enrollment...
Mar 27 10:06:08 vm-093.idm.lab.eng.brq.redhat.com certmonger[5870]: 
2013-03-27 10:06:08 [5870] Error connecting to system bus.
Mar 27 10:06:08 vm-093.idm.lab.eng.brq.redhat.com certmonger[5870]: 
Error connecting to D-Bus.
Mar 27 10:06:08 vm-093.idm.lab.eng.brq.redhat.com systemd[1]: 
certmonger.service: main process exited, code=exited, status=1/FAILURE
Mar 27 10:06:08 vm-093.idm.lab.eng.brq.redhat.com systemd[1]: Failed to 
start Certificate monitoring and PKI enrollment.
Mar 27 10:06:08 vm-093.idm.lab.eng.brq.redhat.com systemd[1]: Unit 
certmonger.service entered failed state

Relevant part of the log (we already went through it with Martin, but 
maybe somebody has some additional insight).

2013-03-26T17:03:06Z DEBUG Starting external process
2013-03-26T17:03:06Z DEBUG args=/usr/sbin/pkispawn -s CA -f 
/tmp/tmp4CgKef
2013-03-26T17:03:19Z DEBUG Process finished, return code=0
2013-03-26T17:03:19Z DEBUG stdout=
2013-03-26T17:03:19Z DEBUG stderr=Job for 
pki-tomcatd@pki-tomcat.service failed. See 'systemctl status
pki-tomcatd@pki-tomcat.service' and 'journalctl -xn' for details.
*sys-package-mgr*: processing new jar, '/usr/share/java/jython.jar'
*sys-package-mgr*: processing new jar, '/usr/share/java/jakarta-oro.jar'
[snip]
*sys-package-mgr*: processing new jar, 
'/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/ext/pulse-java.jar'
Mar 26, 2013 6:03:19 PM 
org.apache.http.impl.client.DefaultRequestDirector tryConnect
INFO: I/O exception (org.mozilla.jss.ssl.SSLSocketException) caught 
when connecting to the target host: Unable to connect: (-5961) TCP 
connection reset by peer.
Mar 26, 2013 6:03:19 PM 
org.apache.http.impl.client.DefaultRequestDirector tryConnect
INFO: Retrying connect
INFO: I/O exception (org.mozilla.jss.ssl.SSLSocketException) caught 
when connecting to the target host: Unable to connect: (-5961) TCP 
connection reset by peer.
Mar 26, 2013 6:03:19 PM 
org.apache.http.impl.client.DefaultRequestDirector tryConnect
INFO: Retrying connect
Mar 26, 2013 6:03:19 PM 
org.apache.http.impl.client.DefaultRequestDirector tryConnect
INFO: I/O exception (org.mozilla.jss.ssl.SSLSocketException) caught 
when connecting to the target host: Unable to connect: (-5961) TCP 
connection reset by peer.
Mar 26, 2013 6:03:19 PM 
org.apache.http.impl.client.DefaultRequestDirector tryConnect
INFO: Retrying connect
Traceback (innermost last):
  File 
"/usr/lib/python2.7/site-packages/pki/deployment/configuration.jy", 
line 110, in ?
  File 
"/usr/lib/python2.7/site-packages/pki/deployment/configuration.jy", 
line 107, in main
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkijython.py", 
line 531, in configure_pki_data
        at 
org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:114)
        at 
org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88)
        at sun.proxy.$Proxy20.configure(Unknown Source)
        at 
com.netscape.certsrv.system.SystemConfigClient.configure(SystemConfigClient.java:50)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)

java.lang.RuntimeException: java.lang.RuntimeException: 
org.mozilla.jss.ssl.SSLSocketException: Unable to connect: (-5961) TCP 
connection reset by peer.

2013-03-26T17:03:19Z INFO   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
line 612, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 999, in main
    dm_password, subject_base=options.subject)

  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line 618, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 359, in start_creation
    method()

  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line 747, in __spawn_instance
    "/root/ca-agent.p12")

  File "/usr/lib64/python2.7/shutil.py", line 299, in move
    copy2(src, real_dst)

  File "/usr/lib64/python2.7/shutil.py", line 128, in copy2
    copyfile(src, dst)

  File "/usr/lib64/python2.7/shutil.py", line 82, in copyfile
    with open(src, 'rb') as fsrc:

2013-03-26T17:03:19Z INFO The ipa-server-install command failed, 
exception: IOError: [Errno 2] No such file or directory: 
'/root/.pki/pki-tomcat/ca_admin_cert.p12'

> Thanks,
> Martin
>
>>
>>
>> Patches work fine on F18.
>>
>> Tomas
>




