FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.

#1621 server installation crashes on "Issuing RA agent certificate"

Created 5 years ago by ohamada
Modified 24 days ago

Installation crashes when running:

ipa-server-install -p a -a a

Installation output:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
  [4/16]: disabling nonces
  [5/16]: creating CA agent PKCS#12 file in /root
  [6/16]: creating RA agent certificate database
  [7/16]: importing CA chain to RA certificate database
  [8/16]: fixing RA database permissions
  [9/16]: setting up signing cert profile
  [10/16]: set up CRL publishing
  [11/16]: set certificate subject base
  [12/16]: configuring certificate server to start on boot
  [13/16]: restarting certificate server
  [14/16]: requesting RA certificate from CA
  [15/16]: issuing RA agent certificate
Unexpected error - see ipaserver-install.log for details:

System used: Fedora 15 x86_64

ipaserver-install.log attached

Replying to [ticket:1621 ohamada]:

The problem seems to be related to the length of the Directory Manager (DM) password. With a DM password length >= 2, it didn't appear again.

In that case, re-qualifying as minor priority.

Are there any additional requirements towards the password complexity other than 8 letters minimum length?

I don't believe so. If we add code to enforce better complexity we're sure to get an RFE asking for that to be configurable. And then for that configuration to be the default in IPA. Certainly doable but I think it would be a separate ticket.

Filed RFE ticket 1683 for additional complexity.

master: cc7f9aa

ipa-2-1: 48eb95c

24 days ago

Metadata Update from @ohamada:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 2.1.1 (bug fixing)
