FreeIPA server installation fails at pki-tomcatd start on alinux2

0

Hi there

I come from China. I'm trying to install FreeIPA on a fresh Amazon Linux 2 instance (Amazon Linux 2 AMI (HVM) - Kernel 4.14, SSD Volume Type). I have the exact same problem as in this link: https://forums.aws.amazon.com/thread.jspa?messageID=997191&tstart=0 Hope to get an answer, thanks!


I'm trying to install FreeIPA on a fresh Amazon Linux 2 instance (ami-087c17d1fe0178315), reproducing steps that were successful a few months ago, but the installation fails during pki-tomcat setup. Details below, but a very similar bug is described here: https://bodhi.stg.fedoraproject.org/updates/FEDORA-2021-e55a8d7545

Has anyone found a workaround for this? Or do the RPMs in alinux2 need to be updated?

Details:

Configure Route53 for group-ipa.groupdev.local, ipa-ca.groupdev.local to resolve to instance's IP address.

hostnamectl set-hostname group-ipa.groupdev.local
yum update -y
yum install freeipa-server
ipa-server-install
... enter config info ...
... installation proceeds for quite a while, then ...

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
1/30: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpLuET89' returned non-zero exit status 1
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
error RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

pkispawn logs note a connection failure after:

2021-10-04 16:36:50 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2021-10-04 16:36:50 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'

and the pki-tomcatd logs suggest an authentication problem between tomcat and the LDAP server:

$ journalctl -u pki-tomcatd@pki-tomcat.service
...
Oct 04 13:54:10 group-ipa.groupdev.local server: CMSEngine.initializePasswordStore() begins
Oct 04 13:54:10 group-ipa.groupdev.local server: CMSEngine.initializePasswordStore(): tag=internaldb
Oct 04 13:54:10 group-ipa.groupdev.local server: testLDAPConnection connecting to group-ipa.groupdev.local:389
Oct 04 13:54:11 group-ipa.groupdev.local server: CMSEngine.initializePasswordStore(): tag=replicationdb
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection connecting to group-ipa.groupdev.local:389
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection: Invalid Password
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection connecting to group-ipa.groupdev.local:389
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection: Invalid Password
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection connecting to group-ipa.groupdev.local:389
Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection: Invalid Password
Oct 04 13:54:11 group-ipa.groupdev.local server: CMSEngine: init(): password test execution failed: 2
Oct 04 13:54:11 group-ipa.groupdev.local server: Password test execution failed. Is the database up?
Oct 04 13:54:11 group-ipa.groupdev.local server: Password test execution failed. Is the database up?
Oct 04 13:54:11 group-ipa.groupdev.local server: at com.netscape.cmscore.apps.CMSEngine.initializePasswordStore(CMSEngine.java:467)
Oct 04 13:54:11 group-ipa.groupdev.local server: at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:535)
Oct 04 13:54:11 group-ipa.groupdev.local server: at com.netscape.certsrv.apps.CMS.init(CMS.java:191)
Oct 04 13:54:11 group-ipa.groupdev.local server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1458)
Oct 04 13:54:11 group-ipa.groupdev.local server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)

/var/log/dirsrv/slapd-GROUPDEV-LOCAL/access shows the successful bind for cn=Directory Manager, then three "Entry does not exist" results for "cn=Replication Manager master Agreement1-...", which appear to be interpreted as "Invalid Password" on tomcat's side.

asked 2 years ago, 903 views
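The post above describes the two views that disagree: Dogtag's pki-tomcat journal says "Invalid Password", while the 389-ds access log shows the replication manager entry simply does not exist. The following is an added example (not code from the original post, nor from the FreeIPA or Dogtag projects) of a small triage script that pairs each BIND in a 389-ds access log with its RESULT line by (conn, op), decodes the LDAP result code, and counts the "testLDAPConnection: Invalid Password" messages from the journal, so the two can be compared side by side. The access-log and journal lines embedded in it are constructed samples in the real formats; the Replication Manager DN is a placeholder, not the real agreement name, and the mapping of "Entry does not exist" to LDAP resultCode 32 (noSuchObject) is the standard LDAP meaning of that code, assumed here to be what the access log carries.

```python
"""Triage helper: compare 389-ds BIND results with Dogtag's "Invalid Password"
messages. Added example, not FreeIPA or Dogtag project code. All log lines
below are constructed samples; the Replication Manager DN is a placeholder."""
import re
from collections import Counter

# LDAP resultCode values (RFC 4511) relevant to a BIND. 32 (noSuchObject) is
# the "Entry does not exist" case: the bind DN is missing, not mistyped.
LDAP_RESULT = {
    0: "success",
    32: "noSuchObject (entry does not exist)",
    49: "invalidCredentials (wrong password)",
}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
TOMCAT_INVALID_RE = re.compile(r"testLDAPConnection: Invalid Password")

# Constructed sample of /var/log/dirsrv/slapd-*/access: one successful bind by
# Directory Manager, then three binds by a replication-manager DN that does not
# exist. The DN is a placeholder; the real one is named after the agreement.
_REPL_DN = "cn=Replication Manager masterAgreement1-PLACEHOLDER,ou=csusers,cn=config"
ACCESS_SAMPLE = [
    '[04/Oct/2021:13:54:10.100000000 +0000] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3',
    '[04/Oct/2021:13:54:10.101000000 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000800000 dn="cn=directory manager"',
]
for _i, _conn in enumerate((13, 14, 15)):
    ACCESS_SAMPLE.append(
        f'[04/Oct/2021:13:54:11.{200 + _i:03d}000000 +0000] conn={_conn} op=0 BIND dn="{_REPL_DN}" method=128 version=3')
    ACCESS_SAMPLE.append(
        f'[04/Oct/2021:13:54:11.{201 + _i:03d}000000 +0000] conn={_conn} op=0 RESULT err=32 tag=97 nentries=0 etime=0.000500000')

# Constructed sample of `journalctl -u pki-tomcatd@pki-tomcat.service`, shaped
# like the lines quoted in the post.
JOURNAL_SAMPLE = [
    "Oct 04 13:54:10 group-ipa.groupdev.local server: testLDAPConnection connecting to group-ipa.groupdev.local:389",
    "Oct 04 13:54:11 group-ipa.groupdev.local server: CMSEngine.initializePasswordStore(): tag=replicationdb",
] + [
    "Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection connecting to group-ipa.groupdev.local:389",
    "Oct 04 13:54:11 group-ipa.groupdev.local server: testLDAPConnection: Invalid Password",
] * 3 + [
    "Oct 04 13:54:11 group-ipa.groupdev.local server: CMSEngine: init(): password test execution failed: 2",
]


def pair_binds(access_lines):
    """Return [(bind_dn, err, meaning)] for every BIND whose RESULT line follows
    on the same (conn, op). BINDs without a matching RESULT are ignored."""
    pending, paired = {}, []
    for line in access_lines:
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            err = int(m.group(3))
            paired.append((dn, err, LDAP_RESULT.get(err, f"ldap resultCode {err}")))
    return paired


def count_tomcat_invalid_password(journal_lines):
    """Number of 'testLDAPConnection: Invalid Password' messages Dogtag logged."""
    return sum(1 for line in journal_lines if TOMCAT_INVALID_RE.search(line))


def triage(access_lines, journal_lines):
    """Summarise both logs. 'likely_missing_entry' is True when every failed
    bind was rejected with noSuchObject rather than invalidCredentials, which
    points at a missing replication-manager entry, not a wrong password."""
    binds = pair_binds(access_lines)
    failed = [b for b in binds if b[1] != 0]
    return {
        "binds": binds,
        "failed_binds": failed,
        "failed_by_result_code": dict(Counter(err for _, err, _ in failed)),
        "tomcat_invalid_password": count_tomcat_invalid_password(journal_lines),
        "likely_missing_entry": bool(failed) and all(err == 32 for _, err, _ in failed),
    }


if __name__ == "__main__":
    report = triage(ACCESS_SAMPLE, JOURNAL_SAMPLE)
    for dn, err, meaning in report["failed_binds"]:
        print(f"BIND {dn!r} -> err={err} ({meaning})")
    print("tomcat 'Invalid Password' messages:", report["tomcat_invalid_password"])
    print("likely missing bind entry:", report["likely_missing_entry"])
```

Run it against real files by replacing the two sample lists with the lines of the dirsrv access log and the journal output; when the failed binds all carry err=32 while Dogtag only says "Invalid Password", the thing to look at is whether the replication-manager entry was ever created under ou=csusers,cn=config, not the password in the Dogtag password store.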
1 Answer
0

Amazon Machine Image (AMI) amzn2-ami-hvm-2.0.20220207.1-x86_64-gp2 ami-02333d201cff78886

answered 2 years ago
