#2794 ipa-server-install does not fill the default value for --subject option and it crashes later.
Closed: Invalid None Opened 9 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=827321 (Red Hat Enterprise Linux 6)

Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt
--external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r
TESTRELM.COM -P Secret123


Actual results:
[root@qe-blade-06 ipa-external-ca]# /usr/sbin/ipa-server-install
--external_cert_file=/root/ipa-ca/ipa.crt
--external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r
TESTRELM.COM

The log file for this installation can be found in
/var/log/ipaserver-install.log
Unexpected error - see ipaserver-install.log for details:
 must be str,unicode,tuple, or RDN, got NoneType instead
[root@qe-blade-06 ipa-external-ca]#


Expected results: Installation should be successful.


Additional info:
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
2012-05-31T09:36:04Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-05-31T09:36:04Z DEBUG /usr/sbin/ipa-server-install was invoked with
options: {'zone_refresh': 30, 'reverse_zone': None, 'realm_name': None,
'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': True, 'subject': None,
'no_forwarders': False, 'ui_redirect': True, 'domain_name': None, 'idmax': 0,
'hbac_allow': False, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended':
False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file':
'/root/ipa-ca/ipacacert.asc', 'no_host_dns': False, 'http_pkcs12': None,
'forwarders': None, 'idstart': 1463800000, 'external_ca': False, 'ip_address':
None, 'conf_ssh': False, 'zonemgr': None, 'setup_dns': False, 'host_name':
None, 'debug': False, 'external_cert_file': '/root/ipa-ca/ipa.crt',
'uninstall': False}
2012-05-31T09:36:04Z DEBUG missing options might be asked for interactively
later

2012-05-31T09:36:04Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2012-05-31T09:36:04Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2012-05-31T09:36:04Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2012-05-31T09:36:04Z DEBUG must be str,unicode,tuple, or RDN, got NoneType
instead
  File "/usr/sbin/ipa-server-install", line 1091, in <module>
    rval = main()

  File "/usr/sbin/ipa-server-install", line 607, in main
    wantsubject = unicode(DN(('CN','Certificate Authority'), options.subject))

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1064, in __init__
    self.rdns = self._rdns_from_sequence(args)

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1106, in
_rdns_from_sequence
    rdn = self._rdn_from_value(item)

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1100, in
_rdn_from_value
    value.__class__.__name__)

2012-05-31T09:36:04Z DEBUG Restoring system configuration file '/etc/hosts'
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#



#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
The work-around is to pass --subject "O=TESTRELM.COM" to the command in step 1.

[root@qe-blade-06 ipa-external-ca]# /usr/sbin/ipa-server-install
--external_cert_file=/root/ipa-ca/ipa.crt
--external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r
TESTRELM.COM  --subject "O=TESTRELM.COM"

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Warning: Hostname (qe-blade-06.testrelm.com) not found in DNS
The domain name has been calculated based on the host name.


The IPA Master Server will be configured with:
...
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
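
A pre-flight check for the condition reported above, as an added example that is not part of the original ticket or of FreeIPA's code: it re-joins the wrapped DEBUG record from ipaserver-install.log, parses the options dict, and flags a run that supplies the external certificate files while 'subject' is None. The function names are hypothetical, and treating "both external files set, subject None" as the trigger is an assumption drawn from the reproduction steps and traceback.

```python
import ast
import re

# Constructed sample: the DEBUG record quoted in the ticket, abridged to the
# relevant options and still wrapped across lines as it appears there.
SAMPLE_LOG = """\
2012-05-31T09:36:04Z DEBUG /usr/sbin/ipa-server-install was invoked with
options: {'realm_name': None, 'subject': None, 'unattended':
False, 'external_ca_file':
'/root/ipa-ca/ipacacert.asc', 'external_ca': False,
'external_cert_file': '/root/ipa-ca/ipa.crt', 'uninstall': False}
2012-05-31T09:36:04Z DEBUG missing options might be asked for interactively
later
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z ")
INVOKED = re.compile(r"was invoked with options: (\{.*\})")


def unwrap(log_text):
    """Re-join log records that were wrapped across several lines."""
    records = []
    for line in log_text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line)            # a new timestamped record
        else:
            records[-1] += " " + line.strip()  # continuation of the last one
    return records


def parse_options(log_text):
    """Return the options dict from the first 'invoked with options' record."""
    for record in unwrap(log_text):
        match = INVOKED.search(record)
        if match:
            # The installer logs a Python dict repr made only of literals,
            # so literal_eval parses it without executing anything.
            return ast.literal_eval(match.group(1))
    return None


def missing_subject(options):
    """True when the external cert files are given but 'subject' is None.

    Assumption: this is the combination that reaches the DN(..., None)
    call shown in the traceback.
    """
    second_stage = bool(options.get("external_cert_file")
                        and options.get("external_ca_file"))
    return second_stage and options.get("subject") is None


def workaround_args(realm):
    """Extra arguments for the ticket's work-around: --subject "O=<REALM>"."""
    return ["--subject", "O=%s" % realm]


if __name__ == "__main__":
    opts = parse_options(SAMPLE_LOG)
    if opts and missing_subject(opts):
        print("subject is None; add:", " ".join(workaround_args("TESTRELM.COM")))
```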

I could no longer reproduce this issue with IPA 3.0.0 Beta 1:

# ipa-server-install -p secret123 -a secret123 -r IDM.LAB.BOS.REDHAT.COM --setup-dns --forwarder=10.0.0.1 --external-ca -U
...
  [2/4]: creating pki-ca instance
  [3/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate


# ipa-server-install --external_cert_file=/home/mkosek/cadb_f15/ipa.crt --external_ca_file=/home/mkosek/cadb_f15/external-ca.crt -U -p secret123 -a secret123 -r IDM.LAB.BOS.REDHAT.COM

The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:

==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host vm-086.idm.lab.bos.redhat.com
Using reverse zone 78.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      vm-086.idm.lab.bos.redhat.com
IP address:    10.16.78.86
Domain name:   idm.lab.bos.redhat.com
Realm name:    IDM.LAB.BOS.REDHAT.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.0.0.1
Reverse zone:  78.16.10.in-addr.arpa.

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
  [3/19]: disabling nonces
  [4/19]: creating CA agent PKCS#12 file in /root
  [5/19]: creating RA agent certificate database
  [6/19]: importing CA chain to RA certificate database
  [7/19]: fixing RA database permissions
  [8/19]: setting up signing cert profile
  [9/19]: set up CRL publishing
  [10/19]: set certificate subject base
  [11/19]: enabling Subject Key Identifier
  [12/19]: configuring certificate server to start on boot
  [13/19]: restarting certificate server
  [14/19]: requesting RA certificate from CA
  [15/19]: issuing RA agent certificate
  [16/19]: adding RA agent as a trusted user
  [17/19]: configure certificate renewals
  [18/19]: configure Server-Cert certificate renewal
  [19/19]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
  [1/36]: creating directory server user
  [2/36]: creating directory server instance
  [3/36]: adding default schema
  [4/36]: enabling memberof plugin
  [5/36]: enabling referential integrity plugin
  [6/36]: enabling winsync plugin
  [7/36]: configuring replication version plugin
  [8/36]: enabling IPA enrollment plugin
  [9/36]: enabling ldapi
  [10/36]: configuring uniqueness plugin
  [11/36]: configuring uuid plugin
  [12/36]: configuring modrdn plugin
  [13/36]: enabling entryUSN plugin
  [14/36]: configuring lockout plugin
  [15/36]: creating indices
  [16/36]: configuring ssl for ds instance
  [17/36]: configuring certmap.conf
  [18/36]: configure autobind for root
  [19/36]: configure new location for managed entries
  [20/36]: restarting directory server
  [21/36]: adding default layout
  [22/36]: adding delegation layout
  [23/36]: adding replication acis
  [24/36]: creating container for managed entries
  [25/36]: configuring user private groups
  [26/36]: configuring netgroups from hostgroups
  [27/36]: creating default Sudo bind user
  [28/36]: creating default Auto Member layout
  [29/36]: adding range check plugin
  [30/36]: creating default HBAC rule allow_all
  [31/36]: initializing group membership
  [32/36]: adding master entry
  [33/36]: configuring Posix uid/gid generation
  [34/36]: enabling compatibility plugin
  [35/36]: tuning directory server
  [36/36]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Installation with a custom --subject passed in the first-stage installation worked as well, and the subject was used in IPA (see the cert-show command at the end of this output):

# ipa-server-install -p secret123 -a secret123 -r IDM.LAB.BOS.REDHAT.COM --setup-dns --forwarder=10.0.0.1 --external-ca --subject=O=FooBar -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host vm-055.idm.lab.bos.redhat.com
The domain name has been determined based on the host name.

Using reverse zone 78.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      vm-055.idm.lab.bos.redhat.com
IP address:    10.16.78.55
Domain name:   idm.lab.bos.redhat.com
Realm name:    IDM.LAB.BOS.REDHAT.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.16.255.2
Reverse zone:  78.16.10.in-addr.arpa.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/4]: creating certificate server user
  [2/4]: creating pki-ca instance
  [3/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

# ipa-server-install --external_cert_file=/home/mkosek/cadb_f15/ipa.crt --external_ca_file=/home/mkosek/cadb_f15/external-ca.crt -U -p secret123 -a secret123 -r IDM.LAB.BOS.REDHAT.COM

The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:

==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host vm-055.idm.lab.bos.redhat.com
Using reverse zone 78.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      vm-055.idm.lab.bos.redhat.com
IP address:    10.16.78.55
Domain name:   idm.lab.bos.redhat.com
Realm name:    IDM.LAB.BOS.REDHAT.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.16.255.2
Reverse zone:  78.16.10.in-addr.arpa.

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
  [3/19]: disabling nonces
  [4/19]: creating CA agent PKCS#12 file in /root
  [5/19]: creating RA agent certificate database
  [6/19]: importing CA chain to RA certificate database
  [7/19]: fixing RA database permissions
  [8/19]: setting up signing cert profile
  [9/19]: set up CRL publishing
  [10/19]: set certificate subject base
  [11/19]: enabling Subject Key Identifier
  [12/19]: configuring certificate server to start on boot
  [13/19]: restarting certificate server
  [14/19]: requesting RA certificate from CA
  [15/19]: issuing RA agent certificate
  [16/19]: adding RA agent as a trusted user
  [17/19]: configure certificate renewals
  [18/19]: configure Server-Cert certificate renewal
  [19/19]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
  [1/36]: creating directory server user
  [2/36]: creating directory server instance
  [3/36]: adding default schema
  [4/36]: enabling memberof plugin
  [5/36]: enabling referential integrity plugin
  [6/36]: enabling winsync plugin
  [7/36]: configuring replication version plugin
  [8/36]: enabling IPA enrollment plugin
  [9/36]: enabling ldapi
  [10/36]: configuring uniqueness plugin
  [11/36]: configuring uuid plugin
  [12/36]: configuring modrdn plugin
  [13/36]: enabling entryUSN plugin
  [14/36]: configuring lockout plugin
  [15/36]: creating indices
  [16/36]: configuring ssl for ds instance
  [17/36]: configuring certmap.conf
  [18/36]: configure autobind for root
  [19/36]: configure new location for managed entries
  [20/36]: restarting directory server
  [21/36]: adding default layout
  [22/36]: adding delegation layout
  [23/36]: adding replication acis
  [24/36]: creating container for managed entries
  [25/36]: configuring user private groups
  [26/36]: configuring netgroups from hostgroups
  [27/36]: creating default Sudo bind user
  [28/36]: creating default Auto Member layout
  [29/36]: adding range check plugin
  [30/36]: creating default HBAC rule allow_all
  [31/36]: initializing group membership
  [32/36]: adding master entry
  [33/36]: configuring Posix uid/gid generation
  [34/36]: enabling compatibility plugin
  [35/36]: tuning directory server
  [36/36]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
# kinit admin
Password for admin@IDM.LAB.BOS.REDHAT.COM: 
# ipa cert-show 2
  Certificate: MIIDfDCCAmS...CnAUJOPyDUrQcQ=
  Subject: CN=vm-055.idm.lab.bos.redhat.com,O=FooBar    <<<<<
  Issuer: CN=Certificate Authority,O=FooBar
  Not Before: Fri Aug 17 08:09:11 2012 UTC
  Not After: Thu Aug 07 08:09:11 2014 UTC
  Fingerprint (MD5): 0a:98:ea:d3:8d:58:12:a9:25:bf:43:36:5e:e4:5b:82
  Fingerprint (SHA1): fa:f9:a5:76:f6:62:70:b7:0c:99:3d:5b:98:ef:85:b8:ea:c5:85:3e
  Serial number (hex): 0x2
  Serial number: 2

Moving closed RC1 tickets to Beta 3.

Metadata Update from @dpal:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 Beta 3

5 years ago
