#2796 ipa-server-install does not always record that pkicreate has been executed
Closed: Fixed None Opened 7 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=826731 (Red Hat Enterprise Linux 6)

I've cleaned certmonger files in /var/lib/certmonger/, nss.conf, password.conf
in apache. sysrestore files in /var/lib/ipa/ are clean.

[root@hogofogo ~]# ipa-server-install

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [hogofogo.brq.redhat.com]:

The domain name has been calculated based on the host name.

Please confirm the domain name [brq.redhat.com]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.


Please provide a realm name [BRQ.REDHAT.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):


The IPA Master Server will be configured with:
Hostname:      hogofogo.brq.redhat.com
IP address:    10.34.24.28
Domain name:   brq.redhat.com
Realm name:    BRQ.REDHAT.COM


Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA -cs_hostname hogofogo.brq.redhat.com -cs_port
9445 -client_certdb_dir /tmp/tmp-SQUnUX -client_certdb_pwd XXXXXXXX -preop_pin
icm2r2Dc52G1g9uVRrhB -domain_name IPA -admin_user admin -admin_email
root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=BRQ.REDHAT.COM -ldap_host hogofogo.brq.redhat.com -ldap_port
7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=BRQ.REDHAT.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=BRQ.REDHAT.COM
-ca_server_cert_subject_name CN=hogofogo.brq.redhat.com,O=BRQ.REDHAT.COM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=BRQ.REDHAT.COM
-ca_sign_cert_subject_name CN=Certificate Authority,O=BRQ.REDHAT.COM -external
false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed





log file:
2012-05-30T20:31:55Z DEBUG stderr=
2012-05-30T20:31:55Z CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
hogofogo.brq.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-SQUnUX
-client_certdb_pwd XXXXXXXX -preop_pin icm2r2Dc52G1g9uVRrhB -domain_name IPA
-admin_user admin -admin_email root@localhost -admin_password XXXXXXXX
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=BRQ.REDHAT.COM -ldap_host
hogofogo.brq.redhat.com -ldap_port 7389 -bind_dn cn=Directory Manager
-bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048
-key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
-subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name
CN=CA Subsystem,O=BRQ.REDHAT.COM -ca_ocsp_cert_subject_name CN=OCSP
Subsystem,O=BRQ.REDHAT.COM -ca_server_cert_subject_name
CN=hogofogo.brq.redhat.com,O=BRQ.REDHAT.COM -ca_audit_signing_cert_subject_name
CN=CA Audit,O=BRQ.REDHAT.COM -ca_sign_cert_subject_name CN=Certificate
Authority,O=BRQ.REDHAT.COM -external false -clone false' returned non-zero exit
status 255
2012-05-30T20:31:55Z DEBUG Configuration of CA failed
  File "/usr/sbin/ipa-server-install", line 1091, in <module>
    rval = main()

  File "/usr/sbin/ipa-server-install", line 878, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
531, in configure_instance
    self.start_creation("Configuring certificate server", 210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line
257, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
667, in __configure_instance
    raise RuntimeError('Configuration of CA failed')




ipa-server-2.2.0-16.el6.x86_64

If tomcat does not start and the CA installation fails very early then the fact that the CA was created is not record. This will cause all subsequent uninstalls to not call pkiremove to remove the instance and basically leave the system uninstallable.

Changing 3.2 priority

Moving to the same bucket as the duplicate ticket #3784.

3.4 development was shifted for one month, moving tickets to reflect reality better.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Moving stabilization tickets that do not affect FreeIPA 4.0 release usability in any significant way to 4.0.1 stabilization milestone.

As said in bz953488, this bug was fixed by forbidding set of characters for use in password. Since then majority of forbidden characters is no longer causing trouble.

I do not see this ticket as fixed, see reasoning in my initial response:

http://www.redhat.com/archives/freeipa-devel/2014-July/msg00267.html

Posting a patch for review doesn't mean the work is done :)

I was unable to reproduce the bug and found in bugzilla that the failures was caused by some characters in password. So I thought the bug was fixed already.
Now I've used advice from Martin's email and (hopefully) found and fixed the bug.

master:

  • 41b057e Always record that pkicreate has been executed.

ipa-4-1:

  • 41b057e Always record that pkicreate has been executed.

ipa-4-0:

  • 41b057e Always record that pkicreate has been executed.

This now fixes the root cause and warrants closing the ticket (David's admin password validator can be pushed later of course).

Metadata Update from @dpal:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.0.1

2 years ago

Login to comment on this ticket.

Metadata