Hey,

Trying to do a test installation of a FreeIPA server on Ubuntu 18.04.
It fails setting up the certificate server (pki-tomcatd).

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: 
CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', 
'/tmp/tmp5ejwx5'] returned non-zero exit status 1: u"pkispawn    : ERROR    
....... subprocess.CalledProcessError:  Command '['sysctl', 
'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn    
: ERROR    ........... server did not start after 60s\npkispawn    : ERROR    
....... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the 
following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR    CA configuration failed.
ipapython.admintool: ERROR    The ipa-server-install command failed. See 
/var/log/ipaserver-install.log for more information

The failing command is: sysctl crypto.fips_enabled -bn
On my system there is no /proc/sys/crypto.

BTW, I'm installing in an LXC container; the host is Ubuntu 16.04.
That should not matter, because none of my Ubuntu systems (16.04 and 18.04)
have /proc/sys/crypto.

The problem seems to be in pki/server/deployment/pkihelper.py.
When the sysctl command fails due to a missing /proc/sys/crypto/fips_enabled
or even /proc/sys/crypto,
it raises an exception.

Notice that there is an ipaplatform with is_fips_enabled. Shouldn't that be
used in pkihelper.py?
-- 
Kees
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
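
An added illustration of the failure mode described in the message above (not part of the original post, and not code from pki or ipaplatform): a FIPS check that reads /proc/sys/crypto/fips_enabled directly and treats a missing file or directory as "FIPS off" instead of raising. The function names, the temporary stand-in files and the choice to reject unexpected content are assumptions of this example.

```python
import errno
import os
import tempfile

# Path named in the post; absent on kernels/containers without a FIPS switch.
FIPS_PATH = "/proc/sys/crypto/fips_enabled"


def is_fips_enabled(path=FIPS_PATH):
    """Return True only when the kernel flag file contains 1.

    A missing file or parent directory is read as "FIPS off" rather than
    an error. Other I/O errors and unexpected content are raised, so a
    security-relevant setting is never silently guessed (assumption of
    this example).
    """
    try:
        with open(path, "rb") as flag:
            value = flag.read().strip()
    except OSError as exc:
        if exc.errno in (errno.ENOENT, errno.ENOTDIR):
            return False
        raise
    if value in (b"0", b"1"):
        return value == b"1"
    raise ValueError("unexpected content in %s: %r" % (path, value))


def check_constructed_cases():
    """Run the check against constructed stand-ins for /proc/sys/crypto."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Case from the post: no crypto directory at all.
        results["no_directory"] = is_fips_enabled(
            os.path.join(tmp, "crypto", "fips_enabled"))
        for name, content in (("off", b"0\n"), ("on", b"1\n"), ("bad", b"yes\n")):
            path = os.path.join(tmp, name)
            with open(path, "wb") as flag:
                flag.write(content)
            try:
                results[name] = is_fips_enabled(path)
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(check_constructed_cases())
```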
