freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

fix creation of /etc/pki/pki-tomcat #597

Closed fichte closed 8 months ago

fichte commented 8 months ago
adelton commented 8 months ago

The problem that you see is https://bugzilla.redhat.com/show_bug.cgi?id=2265995 and https://issues.redhat.com/browse/RHEL-20465, currently manifested on Fedora rawhide and CentOS 9 Stream.

In the normal scenario, that (/data)/etc/pki/pki-tomcat directory gets created by the PKI component when it is first being configured, except in latest versions the component ignores the configuration to use the locations under /data.

I'm hesitant to use this workaround because I have no idea what other side effects that pre-created directory might have.

fichte commented 8 months ago

> The problem that you see is https://bugzilla.redhat.com/show_bug.cgi?id=2265995 and https://issues.redhat.com/browse/RHEL-20465, currently manifested on Fedora rawhide and CentOS 9 Stream.
>
> In the normal scenario, that (/data)/etc/pki/pki-tomcat directory gets created by the PKI component when it is first being configured, except in latest versions the component ignores the configuration to use the locations under /data.
>
> I'm hesitant to use this workaround because I have no idea what other side effects that pre-created directory might have.

Valid point, but in ipa-server-configure-first you find a

```sh
grep '/$' /etc/volume-data-list | sed 's!^!.!' | xargs mkdir -p
```

All directories there have a trailing slash except /etc/pki/pki-tomcat.

Why is /etc/pki/pki-tomcat in volume-data-list without a trailing slash?
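To make the trailing-slash rule behind that one-liner concrete, here is an added example (not code from the freeipa-container repository) that runs the same grep/sed/xargs pipeline over a constructed volume-data-list in a temporary directory and reports which entries were pre-created. It assumes, as the `.` prefix in the pipeline implies, that the script runs with the data volume as its working directory; the list contents and paths are constructed sample values.

```shell
#!/bin/sh
# Added example, not from freeipa-container: exercise the
# "trailing slash means pre-create" rule of volume-data-list.

# Pre-create, under $root, every entry of $list that ends with "/".
# Entries without a trailing slash (e.g. /etc/pki/pki-tomcat) are left
# alone so the owning service can create them with its own permissions.
precreate_dirs() {
    root="$1"
    list="$2"
    # Assumption: the real script runs from the data volume root, so the
    # "." prefix added by sed resolves under $root here.
    ( cd "$root" && grep '/$' "$list" | sed 's!^!.!' | xargs mkdir -p )
}

# Report whether a path relative to $root was created by the rule.
dir_state() {
    if [ -d "$1/$2" ]; then echo created; else echo absent; fi
}

# Constructed sample list mirroring the real file's format:
# one path per line, trailing slash on directories to pre-create.
make_sample_list() {
    cat > "$1" <<'EOF'
/etc/dirsrv/
/etc/httpd/alias/
/etc/pki/pki-tomcat
/var/lib/pki/
/var/log/pki/
EOF
}

root=$(mktemp -d)
make_sample_list "$root/volume-data-list"
precreate_dirs "$root" "$root/volume-data-list"
for p in etc/dirsrv etc/httpd/alias etc/pki/pki-tomcat var/lib/pki var/log/pki; do
    printf '%-22s %s\n' "$p" "$(dir_state "$root" "$p")"
done
```

Running it shows every slash-terminated entry as `created` and `etc/pki/pki-tomcat` as `absent`, which is the behaviour the PR changes if it adds the directory to the list with a slash or creates it directly.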

adelton commented 8 months ago

Because we explicitly want the directory to be created by the PKI setup which will take care of permissions as well, among other things.

For example on CentOS 8 Stream the change will cause

```
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
pki-tomcatd@pki-tomcat.service loaded failed failed PKI Tomcat Server pki-tomcat
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/pki-tomcatd@.service.d
           └─nokeyring.conf
   Active: failed (Result: exit-code) since Mon 2024-03-11 16:02:57 UTC; 453ms ago
  Process: 854 ExecStartPre=/usr/sbin/pki-server migrate pki-tomcat (code=exited, status=1/FAILURE)
  Process: 852 ExecStartPre=/usr/sbin/pki-server upgrade pki-tomcat (code=exited, status=0/SUCCESS)

Mar 11 16:02:57 ipa.example.test pki-server[855]:   File "/usr/lib/python3.6/site-packages/pki/server/instance.py", line 840, in init
Mar 11 16:02:57 ipa.example.test pki-server[855]:     super(PKIInstance, self).init()
Mar 11 16:02:57 ipa.example.test pki-server[855]:   File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 331, in init
Mar 11 16:02:57 ipa.example.test pki-server[855]:     self.create_catalina_policy()
Mar 11 16:02:57 ipa.example.test pki-server[855]:   File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 321, in create_catalina_policy
Mar 11 16:02:57 ipa.example.test pki-server[855]:     with open(filename, 'w') as f:
Mar 11 16:02:57 ipa.example.test pki-server[855]: PermissionError: [Errno 13] Permission denied: '/etc/pki/pki-tomcat/catalina.policy'
Mar 11 16:02:57 ipa.example.test systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=exited status=1
Mar 11 16:02:57 ipa.example.test systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
Mar 11 16:02:57 ipa.example.test systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
```