 |
I have not try the playbooks below, as I use directory architecture I can introduce some yaml syntax error but the general idea of playbook was rewritten, see below. Too I try to switch to permissive mode but I have the same issue ``` --- - name: 'Install python3' hosts: 'ipaserver' become: true gather_facts: false tasks: - name: 'Check if Python 3 is installed' raw: 'python3 --version' register: is_python_installed ignore_errors: true changed_when: is_python_installed.rc != 0 - name: 'Get OS ID like' raw: 'source /etc/os-release && echo "${ID_LIKE}"' register: id_like when: is_python_installed.rc != 0 - name: 'Install python3 on rhel like os' raw: 'yum install -y python3' when: is_python_installed.rc != 0 and 'rhel' in id_like.stdout - name: 'Install python3 on debian like os' raw: 'apt update && apt install -y python3' when: is_python_installed.rc != 0 and 'debian' in id_like.stdout - names: 'freeipa_initialization' hosts: 'ipaserver' become: true roles: tasks: - name: install firewalld dnf: name: firewalld state: latest - name: 'Remove ipa domain into host line with multiple domain name into /etc/hosts' lineinfile: path: '/etc/hosts' regexp: '^(127\.0\.0\.1.+){{ inventory_hostname }}(\s*.+)$' line: '\1\2' backrefs: true - name: 'Remove line where line describe single association of 127.0.0.1 and ipa domain into /etc/hosts' lineinfile: path: '/etc/hosts' regexp: '^127\.0\.0\.1.+{{ inventory_hostname }}\s*$' state: 'absent' - name: 'Add association between external ip and ipa domain into etc/hosts' lineinfile: path: '/etc/hosts' line: '{{ ipaserver_ip_addresses|first }} {{ inventory_hostname }}' insertbefore: BOF - name: Check hostname is valid command: hostname -i register: hostname_ip failed_when: hostname_ip.stdout != ipaserver_ip_addresses|first - name: 'Allow traffic in default zone for freeipa services' ansible.posix.firewalld: service: '{{ item }}' permanent: true state: 'enabled' with_items: - 'freeipa-ldap' - 'freeipa-ldaps' - 'ntp' - 'dns' - 'freeipa-4' - name: 'Playbook to configure IPA servers' hosts: 'ipaserver' become: true collections: - 'freeipa.ansible_freeipa' #vars_files: # - 'group_vars/ipaserver' # - 'group_vars/ipaserver_vault' vars: ipaserver_domain: 'infra.foo.com' ipaserver_realm: 'INFRA.FOO.COM' ipaserver_setup_dns: true ipaserver_auto_forwarders: true ipaserver_idstart: 2000 ipaserver_install_packages: true ipaserver_ip_addresses: - '{{ ansible_default_ipv4.address|default(ansible_all_ipv4_addresses[0]) }}' ipaadmin_password: ADMPassword1 ipadm_password: DMPassword1 roles: - role: 'ipaserver' state: 'present' ``` |
|
|
The issue can be reproduce more easily by calling ipa-server-install command. See below maybe it is the same red hat bug: https://pagure.io/freeipa/issue/8907 ``` # ipa-server-install --ds-password='changeme' --admin-password='changeme' --setup-dns --idstart=2000 --domain=infra.foo.com --realm=INFRA.FOO.COM --hostname=identity.foo.com --dirsrv-pin='changeme' --http-pin='changeme' --pkinit-pin='changeme' --mkhomedir --ntp-server=XX.YY.ZZ.II --auto-forwarders ... INFO: Starting server\nDEBUG: Command: systemctl start pki-tomcatd@pki-tomcat.service\nINFO: FIPS mode: False\nINFO: Waiting for CA subsystem to start (1s)\nINFO: Waiting for CA subsystem to start (2s)\nINFO: Waiting for CA subsystem to start (3s)\nINFO: Waiting for CA subsystem to start (5s)\nINFO: Waiting for CA subsystem to start (6s)\nINFO: Waiting for CA subsystem to start (7s)\nINFO: Waiting for CA subsystem to start (8s)\nINFO: Waiting for CA subsystem to start (9s)\nINFO: Waiting for CA subsystem to start (10s)\nINFO: Waiting for CA subsystem to start (11s)\nINFO: Waiting for CA subsystem to start (12s)\nINFO: Waiting for CA subsystem to start (13s)\nINFO: Waiting for CA subsystem to start (14s)\nINFO: Waiting for CA subsystem to start (15s)\nINFO: Waiting for CA subsystem to start (16s)\nINFO: Waiting for CA subsystem to start (17s)\nINFO: Waiting for CA subsystem to start (19s)\nINFO: Waiting for CA subsystem to start (20s)\nINFO: Waiting for CA subsystem to start (21s)\nINFO: Waiting for CA subsystem to start (22s)\nINFO: Waiting for CA subsystem to start (23s)\nINFO: Waiting for CA subsystem to start (24s)\nINFO: Waiting for CA subsystem to start (25s)\nINFO: Waiting for CA subsystem to start (26s)\nINFO: Waiting for CA subsystem to start (27s)\nINFO: Waiting for CA subsystem to start (28s)\nINFO: Waiting for CA subsystem to start (29s)\nINFO: Waiting for CA subsystem to start (30s)\nINFO: Waiting for CA subsystem to start (31s)\nINFO: Waiting for CA subsystem to start (32s)\nINFO: Waiting for CA subsystem to start (33s)\nINFO: Waiting for CA subsystem to start (34s)\nINFO: Waiting for CA subsystem to start (35s)\nINFO: Waiting for CA subsystem to start (36s)\nINFO: Waiting for CA subsystem to start (38s)\nINFO: Waiting for CA subsystem to start (39s)\nINFO: Waiting for CA subsystem to start (40s)\nINFO: Waiting for CA subsystem to start (41s)\nINFO: Waiting for CA subsystem to start (42s)\nINFO: Waiting for CA subsystem to start (43s)\nINFO: Waiting for CA subsystem to start (44s)\nINFO: Waiting for CA subsystem to start (45s)\nINFO: Waiting for CA subsystem to start (46s)\nINFO: Waiting for CA subsystem to start (47s)\nINFO: Waiting for CA subsystem to start (48s)\nINFO: Waiting for CA subsystem to start (49s)\nINFO: Waiting for CA subsystem to start (50s)\nINFO: Waiting for CA subsystem to start (51s)\nINFO: Waiting for CA subsystem to start (52s)\nINFO: Waiting for CA subsystem to start (53s)\nINFO: Waiting for CA subsystem to start (54s)\nINFO: Waiting for CA subsystem to start (55s)\nINFO: Waiting for CA subsystem to start (56s)\nINFO: Waiting for CA subsystem to start (57s)\nINFO: Waiting for CA subsystem to start (58s)\nINFO: Waiting for CA subsystem to start (59s)\nERROR: Exception: CA subsystem did not start after 60s\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 965, in spawn\n request_timeout,\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 891, in wait_for_startup\n (subsystem.type, startup_timeout)) from exc\n\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. CA configuration failed. The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information ``` |
 |
Hello. The pagure link in #2 refers to when CentOS did their build against a newer NSS (stream) instead of the current NSS (in 8.4). We did not have this issue and thus did not need to rebuild. Please install the rpaste package and provide the output of rpaste --sysinfo. Optionally, you can provide us this information manually: CPU RAM Disk + Partition and volume layout cat /etc/os-release |
|
|
Thanks Louis Abel for your help. Here the requested information: https://rpa.st/DV5A |
|
|
Some extra contextual information that could help (or not): While the pki-tomcatd service is running we can see somme errors ``` # LANG=C journalctl -xe -u pki-tomcatd@pki-tomcat -- Logs begin at Thu 2021-08-12 23:50:54 CEST, end at Fri 2021-08-13 09:16:20 CEST. -- Aug 13 00:42:59 identity.foo.com systemd[1]: Starting PKI Tomcat Server pki-tomcat... -- Subject: Unit pki-tomcatd@pki-tomcat.service has begun start-up -- Defined-By: systemd -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit pki-tomcatd@pki-tomcat.service has begun starting up. Aug 13 00:43:02 identity.foo.com java[69998]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock Aug 13 00:43:04 identity.foo.com systemd[1]: Started PKI Tomcat Server pki-tomcat. -- Subject: Unit pki-tomcatd@pki-tomcat.service has finished start-up -- Defined-By: systemd -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit pki-tomcatd@pki-tomcat.service has finished starting up. -- -- The start-up result is done. Aug 13 00:43:04 identity.foo.com server[70104]: Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java Aug 13 00:43:04 identity.foo.com server[70104]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.j> Aug 13 00:43:04 identity.foo.com server[70104]: main class used: org.apache.catalina.startup.Bootstrap Aug 13 00:43:04 identity.foo.com server[70104]: flags used: -Dcom.redhat.fips=false Aug 13 00:43:04 identity.foo.com server[70104]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-> Aug 13 00:43:04 identity.foo.com server[70104]: arguments used: start Aug 13 00:43:05 identity.foo.com java[70104]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock Aug 13 00:43:06 identity.foo.com server[70104]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]] # systemctl status pki-tomcatd@pki-tomcat.service ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2021-08-13 00:43:04 CEST; 8h ago Process: 70013 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited, status=0/SUCCESS) Process: 69980 ExecStartPre=/usr/sbin/pki-server migrate pki-tomcat (code=exited, status=0/SUCCESS) Process: 69977 ExecStartPre=/usr/sbin/pki-server upgrade pki-tomcat (code=exited, status=0/SUCCESS) Main PID: 70104 (java) Tasks: 115 (limit: 23448) Memory: 465.5M CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service └─70104 /usr/lib/jvm/java-1.8.0-openjdk/bin/java -Dcom.redhat.fips=false -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/shar> ``` Indeed /run/lock/opencryptoki/LCK..APIlock is not present ``` # ls /run/lock/opencryptoki/LCK..APIlock ls: cannot access '/run/lock/opencryptoki/LCK..APIlock': No such file or directory # ls /run/lock/opencryptoki icsf swtok tpm ``` This file is usualy generated by pkcsslotd service ... and this service is dead ``` # systemctl status pkcsslotd * pkcsslotd.service - Daemon which manages cryptographic hardware tokens for the openCryptoki package Loaded: loaded (/usr/lib/systemd/system/pkcsslotd.service; disabled; vendor preset: disabled) Active: inactive (dead) # systemctl start pkcsslotd # systemctl status pkcsslotd * pkcsslotd.service - Daemon which manages cryptographic hardware tokens for the openCryptoki package Loaded: loaded (/usr/lib/systemd/system/pkcsslotd.service; disabled; vendor preset: disabled) Active: active (running) since Fri 2021-08-13 09:25:35 CEST; 1s ago Process: 71344 ExecStart=/usr/sbin/pkcsslotd (code=exited, status=0/SUCCESS) Main PID: 71345 (pkcsslotd) Tasks: 1 (limit: 23448) Memory: 5.6M CGroup: /system.slice/pkcsslotd.service `-71345 /usr/sbin/pkcsslotd Aug 13 09:25:34 identity.microbiome.studio systemd[1]: Starting Daemon which manages cryptographic hardware tokens for the openCryptoki package... Aug 13 09:25:35 identity.microbiome.studio systemd[1]: Started Daemon which manages cryptographic hardware tokens for the openCryptoki package. # ls /run/lock/opencryptoki/LCK..APIlock /run/lock/opencryptoki/LCK..APIlock ``` |
|
|
After read this freeipa user lists: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/XFYVC6MUAKYLRIR6H6WM6SD4USLMIG2E/ I removed from /etc/crypto-policies/back-ends/nss.config these two lines: name=p11-kit-proxy library=p11-kit-proxy.so And I downgraded 389-ds-base: dnf downgrade -y 389-ds-base With this I get rid of error: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock Ass seen here: ``` # systemctl status pki-tomcatd@pki-tomcat ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2021-08-13 12:32:13 CEST; 1min 31s ago Process: 11182 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited, status=0/SUCCESS) Process: 11149 ExecStartPre=/usr/sbin/pki-server migrate pki-tomcat (code=exited, status=0/SUCCESS) Process: 11146 ExecStartPre=/usr/sbin/pki-server upgrade pki-tomcat (code=exited, status=0/SUCCESS) Main PID: 11273 (java) Tasks: 115 (limit: 23441) Memory: 475.3M CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service └─11273 /usr/lib/jvm/java-1.8.0-openjdk/bin/java -Dcom.redhat.fips=false -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/shar> août 13 12:32:08 identity.microbiome.studio systemd[1]: Starting PKI Tomcat Server pki-tomcat... août 13 12:32:13 identity.microbiome.studio systemd[1]: Started PKI Tomcat Server pki-tomcat. août 13 12:32:13 identity.microbiome.studio server[11273]: Java virtual machine used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java août 13 12:32:13 identity.microbiome.studio server[1173]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.> août 13 12:32:13 identity.microbiome.studio server[11273]: main class used: org.apache.catalina.startup.Bootstrap août 13 12:32:13 identity.microbiome.studio server[11273]: flags used: -Dcom.redhat.fips=false août 13 12:32:13 identity.microbiome.studio server[11273]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki> août 13 12:32:13 identity.microbiome.studio server[11273]: arguments used: start août 13 12:32:16 identity.microbiome.studio server[11273]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]] ``` but the process still fail ``` INFO: Starting server\nDEBUG: Command: systemctl start pki-tomcatd@pki-tomcat.service\nINFO: FIPS mode: False\nINFO: Waiting for CA subsystem to start (1s)\nINFO: Waiting for CA subsystem to start (2s)\nINFO: Waiting for CA subsystem to start (3s)\nINFO: Waiting for CA subsystem to start (4s)\nINFO: Waiting for CA subsystem to start (5s)\nINFO: Waiting for CA subsystem to start (6s)\nINFO: Waiting for CA subsystem to start (7s)\nINFO: Waiting for CA subsystem to start (8s)\nINFO: Waiting for CA subsystem to start (9s)\nINFO: Waiting for CA subsystem to start (10s)\nINFO: Waiting for CA subsystem to start (11s)\nINFO: Waiting for CA subsystem to start (12s)\nINFO: Waiting for CA subsystem to start (13s)\nINFO: Waiting for CA subsystem to start (14s)\nINFO: Waiting for CA subsystem to start (15s)\nINFO: Waiting for CA subsystem to start (16s)\nINFO: Waiting for CA subsystem to start (18s)\nINFO: Waiting for CA subsystem to start (19s)\nINFO: Waiting for CA subsystem to start (20s)\nINFO: Waiting for CA subsystem to start (21s)\nINFO: Waiting for CA subsystem to start (22s)\nINFO: Waiting for CA subsystem to start (23s)\nINFO: Waiting for CA subsystem to start (24s)\nINFO: Waiting for CA subsystem to start (25s)\nINFO: Waiting for CA subsystem to start (26s)\nINFO: Waiting for CA subsystem to start (27s)\nINFO: Waiting for CA subsystem to start (28s)\nINFO: Waiting for CA subsystem to start (29s)\nINFO: Waiting for CA subsystem to start (30s)\nINFO: Waiting for CA subsystem to start (31s)\nINFO: Waiting for CA subsystem to start (32s)\nINFO: Waiting for CA subsystem to start (33s)\nINFO: Waiting for CA subsystem to start (34s)\nINFO: Waiting for CA subsystem to start (35s)\nINFO: Waiting for CA subsystem to start (36s)\nINFO: Waiting for CA subsystem to start (37s)\nINFO: Waiting for CA subsystem to start (38s)\nINFO: Waiting for CA subsystem to start (39s)\nINFO: Waiting for CA subsystem to start (40s)\nINFO: Waiting for CA subsystem to start (41s)\nINFO: Waiting for CA subsystem to start (42s)\nINFO: Waiting for CA subsystem to start (43s)\nINFO: Waiting for CA subsystem to start (44s)\nINFO: Waiting for CA subsystem to start (45s)\nINFO: Waiting for CA subsystem to start (46s)\nINFO: Waiting for CA subsystem to start (47s)\nINFO: Waiting for CA subsystem to start (48s)\nINFO: Waiting for CA subsystem to start (49s)\nINFO: Waiting for CA subsystem to start (50s)\nINFO: Waiting for CA subsystem to start (51s)\nINFO: Waiting for CA subsystem to start (52s)\nINFO: Waiting for CA subsystem to start (53s)\nINFO: Waiting for CA subsystem to start (54s)\nINFO: Waiting for CA subsystem to start (55s)\nINFO: Waiting for CA subsystem to start (56s)\nINFO: Waiting for CA subsystem to start (57s)\nINFO: Waiting for CA subsystem to start (58s)\nINFO: Waiting for CA subsystem to start (60s)\nERROR: Exception: CA subsystem did not start after 60s\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 965, in spawn\n request_timeout,\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 891, in wait_for_startup\n (subsystem.type, startup_timeout)) from exc\n\n') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. ``` |
- Anonymous
