Installation does not work

joerg.giencke · January 9, 2020, 12:08pm

Hi, I’m trying to install PrivacyIdea on a machine where Apache and MySQL are already installed. I’ve done that before on other machines and it worked well. The only difference being that I installed PrivacyIdea 2.x, now it’s 3.x.

Anyway, this is what happens:

root@ubuntu:~# apt install privacyidea-apache2
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Die folgenden zusätzlichen Pakete werden installiert:
  libapache2-mod-wsgi-py3 mysql-client privacyidea
Die folgenden NEUEN Pakete werden installiert:
  libapache2-mod-wsgi-py3 mysql-client privacyidea privacyidea-apache2
0 aktualisiert, 4 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen noch 0 B von 26,3 MB an Archiven heruntergeladen werden.
Nach dieser Operation werden 122 MB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] j
Vormals nicht ausgewähltes Paket privacyidea wird gewählt.
(Lese Datenbank ... 112317 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../privacyidea_3.2.1-1bionic_amd64.deb ...
Entpacken von privacyidea (3.2.1-1bionic) ...
Vormals nicht ausgewähltes Paket libapache2-mod-wsgi-py3 wird gewählt.
Vorbereitung zum Entpacken von .../libapache2-mod-wsgi-py3_4.5.17-1_amd64.deb ...
Entpacken von libapache2-mod-wsgi-py3 (4.5.17-1) ...
Vormals nicht ausgewähltes Paket mysql-client wird gewählt.
Vorbereitung zum Entpacken von .../mysql-client_5.7.28-0ubuntu0.18.04.4_all.deb ...
Entpacken von mysql-client (5.7.28-0ubuntu0.18.04.4) ...
Vormals nicht ausgewähltes Paket privacyidea-apache2 wird gewählt.
Vorbereitung zum Entpacken von .../privacyidea-apache2_3.2.1-1bionic_all.deb ...
Entpacken von privacyidea-apache2 (3.2.1-1bionic) ...
privacyidea (3.2.1-1bionic) wird eingerichtet ...
mysql-client (5.7.28-0ubuntu0.18.04.4) wird eingerichtet ...
libapache2-mod-wsgi-py3 (4.5.17-1) wird eingerichtet ...
apache2_invoke: Enable module wsgi
privacyidea-apache2 (3.2.1-1bionic) wird eingerichtet ...
grep: /etc/privacyidea/pi.cfg: Datei oder Verzeichnis nicht gefunden
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1819 (HY000) at line 1: Your password does not satisfy the current policy requirements
dpkg: Fehler beim Bearbeiten des Paketes privacyidea-apache2 (--configure):
 Unterprozess installiertes privacyidea-apache2-Skript des Paketes post-installation gab den Fehler-Ausgangsstatus 1 zurück
Trigger für libc-bin (2.27-3ubuntu1) werden verarbeitet ...
Fehler traten auf beim Bearbeiten von:
 privacyidea-apache2
E: Sub-process /usr/bin/dpkg returned an error code (1)

That’s it. Okay, up to that point database user pi and database pi have been created; /etc/privacyidea/CA and /etc/privacyidea/pi.cfg (with pepper and key) have been created, /opt/privacyidea (with tons of content) has been created and user privacyidea has been created.

Then I changed MySQL’s password policy and tried again:

root@ubuntu:~# apt upgrade privacyidea-apache2
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
privacyidea-apache2 ist schon die neueste Version (3.2.1-1bionic).
Paketaktualisierung (Upgrade) wird berechnet... Fertig
0 aktualisiert, 0 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
1 nicht vollständig installiert oder entfernt.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] j
privacyidea-apache2 (3.2.1-1bionic) wird eingerichtet ...
useradd: user 'privacyidea' already exists
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1007 (HY000) at line 1: Can't create database 'pi'; database exists
mysql: [Warning] Using a password on the command line interface can be insecure.
Module wsgi already enabled
Module headers already enabled
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
ERROR: Site privacyidea does not exist!
dpkg: Fehler beim Bearbeiten des Paketes privacyidea-apache2 (--configure):
 Unterprozess installiertes privacyidea-apache2-Skript des Paketes post-installation gab den Fehler-Ausgangsstatus 1 zurück
Fehler traten auf beim Bearbeiten von:
 privacyidea-apache2
E: Sub-process /usr/bin/dpkg returned an error code (1)

Stuck again, a little bit further down the road. I’m running out of ideas. Especially “ERROR: Site privacyidea does not exist!” doesn’t make any sense to me since the installation routine is supposed to create and enable privacyidea.conf.

Any help ist higly appreciated.

cornelinux · January 9, 2020, 4:52pm

This should not happen.

joerg.giencke · January 9, 2020, 5:51pm

Well, obviously.
Question is why it’s happening?

cornelinux · January 9, 2020, 6:15pm

Never seen this before. I can not know.
Maybe s.o.else.

plettich · January 10, 2020, 2:50pm

It seems like somewhere between the install steps, some files were deleted (maybe some kind of rollback due to the failure?). The files (/etc/privacyidea/pi.cfg and /etc/apache2/sites-available/privacyidea.conf) should be copied there during the first step of the installation.
Maybe purging and reinstalling the privacyidea-apache2-package helps.

joerg.giencke · January 11, 2020, 7:26am

Thanks for the reply.
I did ‘app remove’, ‘app autoremove’, deleted the database user and schema, deleted user privacyidea and /etc/privacyidea and cleaned up /etc/ssl.
Did not help. Maybe I forgot something on the way to a clean install?

cornelinux · January 11, 2020, 7:30am

@joerg.giencke We do not know the specialities of your system, so we can not guess. You may understand that we only have a limited time and investing a lot of time and asking a lot of questions is beyond this forum. After all this is why NetKnights also provides professional support (again - I wrote to may words

Take a look at the postinstall-script, which may help you with the knowledge of your system to track this down.

github.com

NetKnights-GmbH/ubuntu/blob/master/debian_server/privacyidea-apache2.postinst#L76


        CERT=/etc/ssl/certs/privacyideaserver.pem
        openssl genrsa -out $KEY $CERTKEYSIZE
        openssl req -new -key $KEY -out $CSR -subj "/CN=`hostname`"
        openssl x509 -req -days $CERTDAYS -in $CSR -signkey $KEY -out $CERT
        rm -f $CSR
        chmod 400 $KEY
fi
}


adapt_pi_cfg() {
	if [ -z "$(grep '^PI_PEPPER' /etc/privacyidea/pi.cfg)" ]; then
	    # PEPPER does not exist, yet
	    PEPPER="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c24)"
	    echo "PI_PEPPER = '$PEPPER'" >> /etc/privacyidea/pi.cfg
	fi
	if [ -z "$(grep '^SECRET_KEY' /etc/privacyidea/pi.cfg)" ]; then
	    # SECRET_KEY does not exist, yet
	    SECRET="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c24)"
	    echo "SECRET_KEY = '$SECRET'" >> /etc/privacyidea/pi.cfg
	fi
	if [ -n "$(grep '^SQLALCHEMY_DATABASE_URI\s*=\s*.mysql:.*$' /etc/privacyidea/pi.cfg)" ]; then

There are a few occurencces in the postinstall, where the pi.cfg gets modified. Most of the time, things are appended. In one case the sed is used to modify the file. You should ask yourself questions like:

Are the problems with right access
- could the process, that is installing the package have missing write access
Could the sed break and leave and empty file
How can a file, that is definitvely shipped with the deb package disappear on my system

Please understand, that this is poking in the dark for us and guessing. In other cases we would most probably do a remote on the system and try to understand, what is not right with the system.

After all you also have another possibility. You said you are already running apache. So you most probably do not want to have privacyidea-apache2 modify your apache config.
You can simply install only privacyidea and do the configuration manually.