freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA

[Install - Setup CA] Error

kkarlo opened this issue · comments

I recently tried to install FreeIPA with Ansible using this collection, but I have some troubles. My server gets an error:

TASK [freeipa.ansible_freeipa.ipaserver : Install - Setup CA] **************************************************************************************************************************************************
fatal: [freeipa.local]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 10.10.10.10 closed.\r\n", "module_stdout": "Failed to configure CA instance\r\nSee the installation logs and the following files/directories for more information:\r\n  /var/log/pki/pki-tomcat\r\nTraceback (most recent call last):\r\n  File \"/home/ansible/.ansible/tmp/ansible-tmp-1715091297.839199-16334-267785926845212/AnsiballZ_ipaserver_setup_ca.py\", line 107, in <module>\r\n    _ansiballz_main()\r\n  File \"/home/ansible/.ansible/tmp/ansible-tmp-1715091297.839199-16334-267785926845212/AnsiballZ_ipaserver_setup_ca.py\", line 99, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/home/ansible/.ansible/tmp/ansible-tmp-1715091297.839199-16334-267785926845212/AnsiballZ_ipaserver_setup_ca.py\", line 48, in invoke_module\r\n    run_name='__main__', alter_sys=True)\r\n  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\r\n    return _run_module_code(code, init_globals, run_name, mod_spec)\r\n  File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\r\n    mod_name, mod_spec, pkg_name, script_name)\r\n  File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\r\n    exec(code, run_globals)\r\n  File \"/tmp/ansible_freeipa.ansible_freeipa.ipaserver_setup_ca_payload_ek7epr3z/ansible_freeipa.ansible_freeipa.ipaserver_setup_ca_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaserver_setup_ca.py\", line 417, in <module>\r\n  File \"/tmp/ansible_freeipa.ansible_freeipa.ipaserver_setup_ca_payload_ek7epr3z/ansible_freeipa.ansible_freeipa.ipaserver_setup_ca_payload.zip/ansible_collections/freeipa/ansible_freeipa/plugins/modules/ipaserver_setup_ca.py\", line 379, in main\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/ca.py\", line 355, in install_step_0\r\n    pki_config_override=options.pki_config_override,\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py\", line 501, in configure_instance\r\n    self.start_creation(runtime=runtime)\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/service.py\", line 635, in start_creation\r\n    run_step(full_msg, method)\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/service.py\", line 621, in run_step\r\n    method()\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py\", line 627, in __spawn_instance\r\n    nolog_list=nolog_list\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py\", line 227, in spawn_instance\r\n    self.handle_setup_error(e)\r\n  File \"/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py\", line 606, in handle_setup_error\r\n    ) from None\r\nRuntimeError: CA configuration failed.\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

And logs from ipaserver-install:

INFO: Enabling CA subsystem
INFO: Creating /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
INFO: Starting PKI server
DEBUG: Command: systemctl start pki-tomcatd@pki-tomcat.service
INFO: Waiting for PKI server to start
INFO: Waiting for PKI server to start (16s)
INFO: Waiting for PKI server to start (32s)
INFO: Waiting for PKI server to start (48s)
INFO: Waiting for PKI server to start (64s)
INFO: Waiting for PKI server to start (80s)
INFO: Waiting for PKI server to start (96s)
INFO: Waiting for PKI server to start (112s)
Exception: Server did not start after 120s
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 703, in spawn
    timeout=deployer.request_timeout)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 365, in start
    max_wait) from e


2024-05-07T14:17:56Z CRITICAL Failed to configure CA instance
2024-05-07T14:17:56Z CRITICAL See the installation logs and the following files/directories for more information:
2024-05-07T14:17:56Z CRITICAL   /var/log/pki/pki-tomcat
2024-05-07T14:17:56Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
    ) from None
RuntimeError: CA configuration failed.

2024-05-07T14:17:56Z DEBUG   [error] RuntimeError: CA configuration failed.
2024-05-07T14:17:56Z DEBUG Removing /root/.dogtag/pki-tomcat/ca

Debug log from the service (/var/log/pki/pki-tomcat/ca/debug.2024-05-07.log) I got:

2024-05-07 16:15:53 [main] INFO: RequestSubsystem: Request subsystem started
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing cert repository
2024-05-07 16:15:53 [main] INFO: CAEngine: - increment: 20
2024-05-07 16:15:53 [main] INFO: CertificateRepository: Initializing certificate repository
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - base DN: ou=certificateRepository, ou=ca,o=ipaca
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - range DN: ou=certificateRepository, ou=ranges,o=ipaca
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - min serial: 1
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - max serial: 268435456
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - next min serial: null
2024-05-07 16:15:53 [main] INFO: CertificateRepository: - next max serial: null
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CRL repository
2024-05-07 16:15:53 [main] INFO: CRLRepository: Initializing CRL repository
2024-05-07 16:15:53 [main] INFO: CRLRepository: - base DN: ou=crlIssuingPoints,ou=ca,o=ipaca
2024-05-07 16:15:53 [main] INFO: CRLRepository: - range DN: ou=requests, ou=ranges,o=ipaca
2024-05-07 16:15:53 [main] INFO: CRLRepository: - min serial: 1
2024-05-07 16:15:53 [main] INFO: CRLRepository: - max serial: 10000000
2024-05-07 16:15:53 [main] INFO: CRLRepository: - next min serial: null
2024-05-07 16:15:53 [main] INFO: CRLRepository: - next max serial: null
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing replica ID repository
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: Initializing replica ID repository
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - base DN: ou=replica,o=ipaca
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - range DN: ou=replica, ou=ranges,o=ipaca
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - min serial: 1
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - max serial: 100
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - next min serial: null
2024-05-07 16:15:53 [main] INFO: ReplicaIDRepository: - next max serial: null
2024-05-07 16:15:53 [main] INFO: Initializing CA subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Loading ca subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Loading profile subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Loading selftests subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Loading CrossCertPair subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Loading stats subsystem
2024-05-07 16:15:53 [main] INFO: CAEngine: Loading CA configuration
2024-05-07 16:15:53 [main] INFO: CAEngine: - default cert version: Version: V2
2024-05-07 16:15:53 [main] INFO: CAEngine: - default cert validity (days): 730
2024-05-07 16:15:53 [main] INFO: CAEngine: - enable past CA time: false
2024-05-07 16:15:53 [main] INFO: CAEngine: - enable past CA time for CA certs: false
2024-05-07 16:15:53 [main] INFO: CAEngine: - fast signing:
2024-05-07 16:15:53 [main] INFO: CAEngine: - allowExtCASignedAgentCerts: false
2024-05-07 16:15:53 [main] INFO: CAEngine: - enable nonces: true
2024-05-07 16:15:53 [main] INFO: CAEngine: - max nonces: 100
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CA policy
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CA service
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CA request notifier
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CA pending request notifier
2024-05-07 16:15:53 [main] INFO: CAEngine: Initializing CA request queue
2024-05-07 16:15:53 [main] INFO: CAEngine: - increment: 20
2024-05-07 16:15:53 [main] INFO: CAEngine: - scheduler: null
2024-05-07 16:15:53 [main] INFO: RequestRepository: Initializing request repository
2024-05-07 16:15:53 [main] INFO: RequestRepository: - filter: (requeststate=*)
2024-05-07 16:15:53 [main] INFO: RequestRepository: - base DN: ou=ca, ou=requests,o=ipaca
2024-05-07 16:15:53 [main] INFO: RequestRepository: - range DN: ou=requests, ou=ranges,o=ipaca
2024-05-07 16:15:53 [main] INFO: RequestRepository: - min serial: 1
2024-05-07 16:15:53 [main] INFO: RequestRepository: - max serial: 10000000
2024-05-07 16:15:53 [main] INFO: RequestRepository: - next min serial: null
2024-05-07 16:15:53 [main] INFO: RequestRepository: - next max serial: null
2024-05-07 16:15:53 [main] INFO: CMSEngine: Initializing ca subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Initializing profile subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: profile subsystem is disabled
2024-05-07 16:15:53 [main] INFO: CMSEngine: Initializing selftests subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Initializing CrossCertPair subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Initializing stats subsystem
2024-05-07 16:15:53 [main] INFO: ServerXml: Parsing /var/lib/pki/pki-tomcat/conf/server.xml
2024-05-07 16:15:53 [main] INFO: ServerXml: Unsecure port: 8080
2024-05-07 16:15:53 [main] INFO: ServerXml: Secure port: 8443
2024-05-07 16:15:53 [main] INFO: CMSEngine: Starting ca subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Starting null subsystem
2024-05-07 16:15:53 [main] INFO: LDAPProfileSubsystem: startup
2024-05-07 16:15:53 [main] INFO: CMSEngine: Starting selftests subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Starting CrossCertPair subsystem
2024-05-07 16:15:53 [main] INFO: CMSEngine: Starting stats subsystem
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin passwdUserDBAuthPlugin
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin certUserDBAuthPlugin
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin challengeAuthPlugin
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin sslClientCertAuthPlugin
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin AgentCertAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin CMCAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin CMCUserSignedAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin FlatFileAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin SSLclientCertAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin SessionAuthentication
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin SharedToken
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin TokenAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin UidPwdDirAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin UidPwdGroupDirAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin UidPwdPinDirAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager plugin UserPwdDirAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance passwdUserDBAuthMgr
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance certUserDBAuthMgr
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance challengeAuthMgr
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance CMCAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance sslClientCertAuthMgr
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance AgentCertAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance CMCUserSignedAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance SSLclientCertAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance SessionAuthentication
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance TokenAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance flatFileAuth
2024-05-07 16:15:53 [main] INFO: AuthSubsystem: Loading auth manager instance raCertAuth
2024-05-07 16:15:53 [main] INFO: AAclAuthz: group evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: ipaddress evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: user evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: user_origreq evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: initialization done
2024-05-07 16:15:53 [main] INFO: BasicAclAuthz: initialization done
2024-05-07 16:15:53 [main] INFO: AuthzSubsystem: authz manager instance BasicAclAuthz added
2024-05-07 16:15:53 [main] INFO: AAclAuthz: group evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: ipaddress evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: user evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: user_origreq evaluator registered
2024-05-07 16:15:53 [main] INFO: AAclAuthz: initialization done
2024-05-07 16:15:53 [main] INFO: DirAclAuthz: found cn=aclResources,o=ipaca
2024-05-07 16:15:53 [main] INFO: DirAclAuthz: initialization done
2024-05-07 16:15:53 [main] INFO: AuthzSubsystem: authz manager instance DirAclAuthz added
2024-05-07 16:15:53 [main] INFO: AuthzSubsystem: authz initialization done.
2024-05-07 16:15:53 [main] INFO: CMSEngine: Configuring servlet certificate nickname
2024-05-07 16:15:53 [main] INFO: CMSEngine: Configuring excluded LDAP attributes
2024-05-07 16:15:53 [main] INFO: CA engine started

As you can see, the Tomcat server is started, but I am getting "Exception: Server did not start after 120s". How can I repair this issue or resolve the problem? When I run the install playbook once again, almost all tasks are skipped.
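What pkispawn is waiting for during those 120 seconds, as an added diagnostic example for this issue (not code from ansible-freeipa, FreeIPA or Dogtag): the `start()` in pki/server/__init__.py that raises "Server did not start" polls the CA subsystem's `getStatus` endpoint over the secure port until it reports `running`. The exact URL path, the shape of the XML it returns, and the host/port placeholders below are assumptions about the version in use, and the two sample responses are constructed. Pointing this at the server after `systemctl start pki-tomcatd@pki-tomcat.service` separates "Tomcat is up but the CA webapp never answers on 8443" from "the CA answers, just not within 120s", which the "CA engine started" line in debug.log alone cannot.

```python
"""Poll a Dogtag subsystem's getStatus endpoint the way pkispawn's startup
wait does, and report what it saw. Added example for this issue; not code
from ansible-freeipa, FreeIPA or Dogtag. The endpoint path, the XML shape
and the host/port values are assumptions; the sample bodies are constructed.
"""
import ssl
import time
import urllib.request
import xml.etree.ElementTree as ET

HOST = "freeipa.local"   # placeholder taken from the issue's inventory
SECURE_PORT = 8443       # the secure port server.xml reports in the debug log
SUBSYSTEM = "ca"
MAX_WAIT = 120           # pkispawn's limit, per "Server did not start after 120s"

# Constructed samples of the XMLResponse document (assumed shape).
SAMPLE_RUNNING = (b'<?xml version="1.0" encoding="UTF-8"?><XMLResponse>'
                  b'<State>1</State><Type>CA</Type><Status>running</Status>'
                  b'</XMLResponse>')
SAMPLE_NOT_RUNNING = (b'<?xml version="1.0" encoding="UTF-8"?><XMLResponse>'
                      b'<State>0</State><Type>CA</Type><Status>notRunning</Status>'
                      b'</XMLResponse>')


def status_url(host=HOST, port=SECURE_PORT, subsystem=SUBSYSTEM):
    # Assumed path: /<subsystem>/admin/<subsystem>/getStatus
    return f"https://{host}:{port}/{subsystem}/admin/{subsystem}/getStatus"


def parse_status(body):
    """Return the <Status> text of a getStatus document. Raises ValueError
    when the body is something else, e.g. Tomcat's own 404/503 page, which
    means the CA webapp itself is not deployed or not answering."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"not a getStatus response: {exc}") from None
    node = root.find("Status")
    if root.tag != "XMLResponse" or node is None or not node.text:
        raise ValueError("XMLResponse without a Status element")
    return node.text.strip()


def fetch_status(url, timeout=5, verify=True):
    """GET the endpoint and return the raw body. verify=False accepts the
    not-yet-trusted certificate a freshly spawned instance presents; use it
    only for a local diagnostic on the server being installed."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def wait_for_running(fetch, max_wait=MAX_WAIT, interval=1,
                     clock=time.monotonic, sleep=time.sleep):
    """Poll fetch() until parse_status() says 'running' or max_wait elapses.
    Returns (running, elapsed_seconds, last_error). fetch, clock and sleep
    are injectable so the loop can be exercised offline."""
    start = clock()
    last_error = None
    while True:
        try:
            status = parse_status(fetch())
            if status == "running":
                return True, clock() - start, None
            last_error = f"status={status}"
        except (OSError, ValueError) as exc:   # URLError is an OSError subclass
            last_error = f"{type(exc).__name__}: {exc}"
        elapsed = clock() - start
        if elapsed >= max_wait:
            return False, elapsed, last_error
        sleep(interval)


if __name__ == "__main__":
    import sys
    url = status_url(sys.argv[1] if len(sys.argv) > 1 else HOST)
    ok, elapsed, err = wait_for_running(lambda: fetch_status(url, verify=False))
    verdict = "running" if ok else "NOT running"
    print(f"{url}: {verdict} after {elapsed:.0f}s" + (f" (last: {err})" if err else ""))
```

The last error it prints is the useful part: a connection refusal means nothing is listening on 8443 despite the service being active; a ValueError means Tomcat answered but the ca webapp did not; a non-running status means the subsystem is deployed but still initialising, so the 120s limit rather than the CA is what was exceeded.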