https://bugzilla.redhat.com/show_bug.cgi?id=827321 (Red Hat Enterprise Linux 6)
Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM -P Secret123

Actual results:
[root@qe-blade-06 ipa-external-ca]# /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM

The log file for this installation can be found in /var/log/ipaserver-install.log
Unexpected error - see ipaserver-install.log for details:
must be str,unicode,tuple, or RDN, got NoneType instead
[root@qe-blade-06 ipa-external-ca]#

Expected results:
Installation should be successful.

Additional info:
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
2012-05-31T09:36:04Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-05-31T09:36:04Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 30, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': True, 'subject': None, 'no_forwarders': False, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': False, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': '/root/ipa-ca/ipacacert.asc', 'no_host_dns': False, 'http_pkcs12': None, 'forwarders': None, 'idstart': 1463800000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': '/root/ipa-ca/ipa.crt', 'uninstall': False}
2012-05-31T09:36:04Z DEBUG missing options might be asked for interactively later
2012-05-31T09:36:04Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2012-05-31T09:36:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-05-31T09:36:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-05-31T09:36:04Z DEBUG must be str,unicode,tuple, or RDN, got NoneType instead
  File "/usr/sbin/ipa-server-install", line 1091, in <module>
    rval = main()

  File "/usr/sbin/ipa-server-install", line 607, in main
    wantsubject = unicode(DN(('CN','Certificate Authority'), options.subject))

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1064, in __init__
    self.rdns = self._rdns_from_sequence(args)

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1106, in _rdns_from_sequence
    rdn = self._rdn_from_value(item)

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1100, in _rdn_from_value
    value.__class__.__name__)

2012-05-31T09:36:04Z DEBUG Restoring system configuration file '/etc/hosts'
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
Work-around is to pass --subject "O=TESTRELM.COM" to command in step 1.

[root@qe-blade-06 ipa-external-ca]# /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM --subject "O=TESTRELM.COM"

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Warning: Hostname (qe-blade-06.testrelm.com) not found in DNS
The domain name has been calculated based on the host name.

The IPA Master Server will be configured with:
...
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
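The crash in the traceback above comes from handing an absent --subject (None) straight to the DN constructor. As an added illustration (not FreeIPA's code; a Python 3 stand-in for the DN construction in ipalib/dn.py), the snippet below rejects None with the same message the log shows and falls back to the O=<realm> base that the work-around supplies by hand; split_unescaped, parse_rdn, dn_from_items, ca_subject and reproduce_bug are hypothetical helper names.

```python
from typing import List, Optional, Tuple

Rdn = Tuple[str, str]  # (attribute type, value), e.g. ("O", "TESTRELM.COM")

def split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` while honouring backslash escapes (RFC 4514 style)."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]
            i += 2
            continue
        if text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i]
        i += 1
    parts.append(cur)
    return parts

def parse_rdn(text: str) -> Rdn:
    """Parse one single-valued 'ATTR=value' RDN; reject anything malformed."""
    attr, sep, value = text.partition("=")
    attr, value = attr.strip(), value.strip()
    if not sep or not attr or not value:
        raise ValueError("RDN must be ATTR=value, got %r" % text)
    return (attr, value)

def dn_from_items(*items) -> List[Rdn]:
    """Stand-in for the installer's DN class: each item must be an (attr, value)
    tuple or a DN string; anything else (None included) is a TypeError."""
    rdns: List[Rdn] = []
    for item in items:
        if isinstance(item, tuple) and len(item) == 2:
            rdns.append((str(item[0]), str(item[1])))
        elif isinstance(item, str):
            rdns.extend(parse_rdn(p) for p in split_unescaped(item, ","))
        else:
            raise TypeError("must be str,unicode,tuple, or RDN, got %s instead"
                            % type(item).__name__)
    return rdns

def ca_subject(realm: str, subject: Optional[str] = None) -> str:
    """Return the CA certificate subject DN as a string. `subject` is the
    optional --subject base; when it is absent the installer must supply a
    default itself (here O=<realm>, which is the report's work-around)."""
    base = subject if subject is not None else "O=%s" % realm
    rdns = dn_from_items(("CN", "Certificate Authority"), base)
    return ",".join("%s=%s" % (attr, value) for attr, value in rdns)

def reproduce_bug() -> str:
    """What the 2.2.0 installer did: pass options.subject (None) straight in."""
    try:
        dn_from_items(("CN", "Certificate Authority"), None)
    except TypeError as exc:
        return str(exc)
    return "no error"
```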
Bugzilla link fixed.
I could no longer reproduce this issue with IPA 3.0.0 Beta 1:
# ipa-server-install -p secret123 -a secret123 -r IDM.LAB.BOS.REDHAT.COM --setup-dns --forwarder=10.0.0.1 --external-ca -U
...
  [2/4]: creating pki-ca instance
  [3/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

# ipa-server-install --external_cert_file=/home/mkosek/cadb_f15/ipa.crt --external_ca_file=/home/mkosek/cadb_f15/external-ca.crt -U -p secret123 -a secret123 -r IDM.LAB.BOS.REDHAT.COM

The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host vm-086.idm.lab.bos.redhat.com
Using reverse zone 78.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      vm-086.idm.lab.bos.redhat.com
IP address:    10.16.78.86
Domain name:   idm.lab.bos.redhat.com
Realm name:    IDM.LAB.BOS.REDHAT.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.0.0.1
Reverse zone:  78.16.10.in-addr.arpa.

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
  [3/19]: disabling nonces
  [4/19]: creating CA agent PKCS#12 file in /root
  [5/19]: creating RA agent certificate database
  [6/19]: importing CA chain to RA certificate database
  [7/19]: fixing RA database permissions
  [8/19]: setting up signing cert profile
  [9/19]: set up CRL publishing
  [10/19]: set certificate subject base
  [11/19]: enabling Subject Key Identifier
  [12/19]: configuring certificate server to start on boot
  [13/19]: restarting certificate server
  [14/19]: requesting RA certificate from CA
  [15/19]: issuing RA agent certificate
  [16/19]: adding RA agent as a trusted user
  [17/19]: configure certificate renewals
  [18/19]: configure Server-Cert certificate renewal
  [19/19]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
  [1/36]: creating directory server user
  [2/36]: creating directory server instance
  [3/36]: adding default schema
  [4/36]: enabling memberof plugin
  [5/36]: enabling referential integrity plugin
  [6/36]: enabling winsync plugin
  [7/36]: configuring replication version plugin
  [8/36]: enabling IPA enrollment plugin
  [9/36]: enabling ldapi
  [10/36]: configuring uniqueness plugin
  [11/36]: configuring uuid plugin
  [12/36]: configuring modrdn plugin
  [13/36]: enabling entryUSN plugin
  [14/36]: configuring lockout plugin
  [15/36]: creating indices
  [16/36]: configuring ssl for ds instance
  [17/36]: configuring certmap.conf
  [18/36]: configure autobind for root
  [19/36]: configure new location for managed entries
  [20/36]: restarting directory server
  [21/36]: adding default layout
  [22/36]: adding delegation layout
  [23/36]: adding replication acis
  [24/36]: creating container for managed entries
  [25/36]: configuring user private groups
  [26/36]: configuring netgroups from hostgroups
  [27/36]: creating default Sudo bind user
  [28/36]: creating default Auto Member layout
  [29/36]: adding range check plugin
  [30/36]: creating default HBAC rule allow_all
  [31/36]: initializing group membership
  [32/36]: adding master entry
  [33/36]: configuring Posix uid/gid generation
  [34/36]: enabling compatibility plugin
  [35/36]: tuning directory server
  [36/36]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
Installation with a custom --subject passed in the first stage of the installation worked as well, and the subject was used in IPA (see the cert-show command at the end of this output):
# ipa-server-install -p secret123 -a secret123 -r IDM.LAB.BOS.REDHAT.COM --setup-dns --forwarder=10.0.0.1 --external-ca --subject=O=FooBar -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host vm-055.idm.lab.bos.redhat.com
The domain name has been determined based on the host name.

Using reverse zone 78.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      vm-055.idm.lab.bos.redhat.com
IP address:    10.16.78.55
Domain name:   idm.lab.bos.redhat.com
Realm name:    IDM.LAB.BOS.REDHAT.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.16.255.2
Reverse zone:  78.16.10.in-addr.arpa.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/4]: creating certificate server user
  [2/4]: creating pki-ca instance
  [3/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

# ipa-server-install --external_cert_file=/home/mkosek/cadb_f15/ipa.crt --external_ca_file=/home/mkosek/cadb_f15/external-ca.crt -U -p secret123 -a secret123 -r IDM.LAB.BOS.REDHAT.COM

The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host vm-055.idm.lab.bos.redhat.com
Using reverse zone 78.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      vm-055.idm.lab.bos.redhat.com
IP address:    10.16.78.55
Domain name:   idm.lab.bos.redhat.com
Realm name:    IDM.LAB.BOS.REDHAT.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.16.255.2
Reverse zone:  78.16.10.in-addr.arpa.

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
  [3/19]: disabling nonces
  [4/19]: creating CA agent PKCS#12 file in /root
  [5/19]: creating RA agent certificate database
  [6/19]: importing CA chain to RA certificate database
  [7/19]: fixing RA database permissions
  [8/19]: setting up signing cert profile
  [9/19]: set up CRL publishing
  [10/19]: set certificate subject base
  [11/19]: enabling Subject Key Identifier
  [12/19]: configuring certificate server to start on boot
  [13/19]: restarting certificate server
  [14/19]: requesting RA certificate from CA
  [15/19]: issuing RA agent certificate
  [16/19]: adding RA agent as a trusted user
  [17/19]: configure certificate renewals
  [18/19]: configure Server-Cert certificate renewal
  [19/19]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
  [1/36]: creating directory server user
  [2/36]: creating directory server instance
  [3/36]: adding default schema
  [4/36]: enabling memberof plugin
  [5/36]: enabling referential integrity plugin
  [6/36]: enabling winsync plugin
  [7/36]: configuring replication version plugin
  [8/36]: enabling IPA enrollment plugin
  [9/36]: enabling ldapi
  [10/36]: configuring uniqueness plugin
  [11/36]: configuring uuid plugin
  [12/36]: configuring modrdn plugin
  [13/36]: enabling entryUSN plugin
  [14/36]: configuring lockout plugin
  [15/36]: creating indices
  [16/36]: configuring ssl for ds instance
  [17/36]: configuring certmap.conf
  [18/36]: configure autobind for root
  [19/36]: configure new location for managed entries
  [20/36]: restarting directory server
  [21/36]: adding default layout
  [22/36]: adding delegation layout
  [23/36]: adding replication acis
  [24/36]: creating container for managed entries
  [25/36]: configuring user private groups
  [26/36]: configuring netgroups from hostgroups
  [27/36]: creating default Sudo bind user
  [28/36]: creating default Auto Member layout
  [29/36]: adding range check plugin
  [30/36]: creating default HBAC rule allow_all
  [31/36]: initializing group membership
  [32/36]: adding master entry
  [33/36]: configuring Posix uid/gid generation
  [34/36]: enabling compatibility plugin
  [35/36]: tuning directory server
  [36/36]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# kinit admin
Password for admin@IDM.LAB.BOS.REDHAT.COM:

# ipa cert-show 2
  Certificate: MIIDfDCCAmS...CnAUJOPyDUrQcQ=
  Subject: CN=vm-055.idm.lab.bos.redhat.com,O=FooBar          <<<<<
  Issuer: CN=Certificate Authority,O=FooBar
  Not Before: Fri Aug 17 08:09:11 2012 UTC
  Not After: Thu Aug 07 08:09:11 2014 UTC
  Fingerprint (MD5): 0a:98:ea:d3:8d:58:12:a9:25:bf:43:36:5e:e4:5b:82
  Fingerprint (SHA1): fa:f9:a5:76:f6:62:70:b7:0c:99:3d:5b:98:ef:85:b8:ea:c5:85:3e
  Serial number (hex): 0x2
  Serial number: 2
Moving closed RC1 tickets to Beta 3.
Metadata Update from @dpal: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.0 Beta 3