#3758 ipa-client-install : bad error message regarding ca.crt
Closed: Fixed. Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 978564

Description of problem:
When ipa-client-install is run, it outputs a bad error message when the IPA master has
a bad /usr/share/ipa/html/ca.crt file.


Version-Release number of selected component (if applicable):
IPA master: ipa-server-selinux-3.0.0-25.el6.i686 (release build in rhel6.4)
IPA client build:
(1) ipa-client-3.0.0-25.el6.i686 (release build in rhel6.4)
(2) ipa-client-2.1.3-6.el5 (testing build in rhel5.10)

How reproducible: always


Steps to Reproduce:
1. [On IPA Master] install ipa master, use official released build on rhel6.4:
ipa-server-selinux-3.0.0-25
2. [On IPA Master] create a bad /usr/share/ipa/html/ca.crt file
echo "i am bad" > /usr/share/ipa/html/ca.crt
3. [On IPA Master] create One Time Password (OTP) for this future ipa client
host:
ipa host-add <fqdn of ipa client> --password <OTP>
==example==
[root@apple (RH6.4-i386) ~] ipa host-del green
[root@apple (RH6.4-i386) ~] ipa host-add green.yzhang.redhat.com --password
otp123 --force
--------------------
Deleted host "green"
--------------------
------------------------------------
Added host "green.yzhang.redhat.com"
------------------------------------
  Host name: green.yzhang.redhat.com
  Password: True
  Keytab: False
  Managed by: green.yzhang.redhat.com

4. [On IPA Client] install ipa client with otp
==example==
[root@green (RH5.10-x86_64) ~] ipa-client-install
--server=apple.yzhang.redhat.com --domain=yzhang.redhat.com
--realm=YZHANG.REDHAT.COM -w otp123 --hostname=green.yzhang.redhat.com

5. The error message output by 'ipa-client-install' in this situation is bad:

When ipa-client-2.1.3-6.el5 (testing build in rhel5.10) is used, the output contains:
Unable to read new ca cert '/etc/ipa/ca.crt.new': [('PEM routines',
'PEM_read_bio', 'no start line')]

When ipa-client-3.0.0-25.el6.i686 (release build in rhel6.4) is used, the output is:
non-generic 'FileError' needs format=None; got format="Unable to read new ca
cert '/etc/ipa/ca.crt.new': Incorrect padding"

Based on Rob's comment, the above messages are bad (I am not very clear about
the definition of 'bad' here). I will attach the full email conversation below.



Additional info: Original email conversation between Yi & Rob:

yi zhang wrote:
> Hi:
> In my test, the ipa client install using OTP always failed. And it failed
> for a reason that looks strange to me. Please help me to identify
> whether this is a bug.
> IPA master: ipa-server-selinux-3.0.0-25.el6.i686 (release build in rhel6.4)
>
> IPA Client 1: ipa-client-3.0.0-25.el6.i686 (release build in rhel6.4)
> IPA Client 2: ipa-client-2.1.3-6.el5 (testing build in rhel5.10)
>
>
> ##### Test one: use (ipa-client-3.0.0-25.el6.i686 ) #######
> step 1: create otp on ipa master server
> ipa host-del durian
> ipa host-add durian.yzhang.redhat.com --password otp123 --force
> [root@apple (RH6.4-i386) ~] ipa host-add durian.yzhang.redhat.com
> --password otp123 --force
> -------------------------------------
> Added host "durian.yzhang.redhat.com"
> -------------------------------------
>    Host name: durian.yzhang.redhat.com
>    Password: True
>    Keytab: False
>    Managed by: durian.yzhang.redhat.com
>
> step 2: remove /etc/ipa/ca.crt to force the ipa client to download this file
> from the master
> [root@durian (RH6.4-i386) ~] rm /etc/ipa/ca.crt
>
> step 3:  use otp on ipa client host to install client bits
> [root@durian (RH6.4-i386) ~] ipa-client-install
> --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com
> --realm=YZHANG.REDHAT.COM -w otp123 --hostname=durian.yzhang.redhat.com
> Autodiscovery of servers for failover cannot work with this configuration.
> If you proceed with the installation, services will be configured to
> always access the discovered server for all operations and will not fail
> over to other servers in case of failure.
> Proceed with fixed values and no DNS discovery? [no]: yes
> Hostname: durian.yzhang.redhat.com
> Realm: YZHANG.REDHAT.COM
> DNS Domain: yzhang.redhat.com
> IPA Server: apple.yzhang.redhat.com
> BaseDN: dc=yzhang,dc=redhat,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Do you want download the CA cert from
> http://apple.yzhang.redhat.com/ipa/config/ca.crt ?
> (this is INSECURE) [no]: yes
> Cannot obtain CA certificate
> non-generic 'FileError' needs format=None; got format="Unable to read
> new ca cert '/etc/ipa/ca.crt.new': Incorrect padding"

This error message is bad, can you open a BZ or trac ticket on it (on the bad
error message, not on what generated it).

In any case, this is unrelated to OTP. You seem to have a bad CA cert on your
IPA web server. You may want to open a BZ/trac with that file attached
(/usr/share/ipa/html/ca.crt)

I gather you are enrolling against an older server that doesn't have the CA
certificate stored in LDAP?

> Installation failed. Rolling back changes.
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.

> ###### Test two: use (ipa-client-2.1.3-6.el5) #######
> Similar to the above test:
> step 1: create otp for ipa client on ipa master host
> [root@green (RH5.10-x86_64) ~] ipa-client-install
> --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com
> --realm=YZHANG.REDHAT.COM -w otp123 --hostname=green.yzhang.redhat.com
> Autodiscovery of servers for failover cannot work with this configuration.
>
> If you proceed with the installation, services will be configured to always
> access the discovered server for all operation and will not fail over to
> other servers in case of failure.
>
> Proceed with fixed values and no DNS discovery? [no]: yes
> Hostname: green.yzhang.redhat.com
> Realm: YZHANG.REDHAT.COM
> DNS Domain: yzhang.redhat.com
> IPA Server: apple.yzhang.redhat.com
> BaseDN: dc=yzhang,dc=redhat,dc=com
>
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Do you want download the CA cert from
> http://apple.yzhang.redhat.com/ipa/config/ca.crt ?
> (this is INSECURE) [no]: yes
> root        : ERROR    Cannot obtain CA certificate
> Unable to read new ca cert '/etc/ipa/ca.crt.new': [('PEM routines',
> 'PEM_read_bio', 'no start line')]
> Installation failed. Rolling back changes.

RHEL 5 uses OpenSSL routines to handle the certificate. I imagine it's the same
error, just a different error message. Might be worthwhile to note in any bugs
you file though.

rob
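The check below is an added example, not FreeIPA code: it shows why the two clients in this ticket reported different errors for the same garbage ca.crt (the OpenSSL path wants a BEGIN line, while a lenient base64 decode of "i am bad" leaves 6 characters and fails with "Incorrect padding") and how a client could validate the downloaded file and report the problem in one readable line. The function names, the constructed sample files and the placeholder path are assumptions; the check is structural only and says nothing about whether the CA should be trusted.

```python
import base64
import binascii
import re

# Placeholder path: the ticket's client stores the download as /etc/ipa/ca.crt.new
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(?P<body>.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def check_ca_pem(data: bytes, path: str = "/etc/ipa/ca.crt.new"):
    """Classify a downloaded CA file. Returns (status, operator_message).

    status is one of 'ok', 'no-pem-block', 'bad-base64', 'not-der'.
    This checks PEM structure only; it does not establish trust in the CA.
    """
    m = PEM_BLOCK.search(data)
    if m is None:
        return "no-pem-block", (
            f"Unable to read new CA cert '{path}': no '-----BEGIN CERTIFICATE-----' "
            "block found; the server's ca.crt is not a PEM certificate")
    body = b"".join(m.group("body").split())          # drop line breaks inside the body
    try:
        der = base64.b64decode(body, validate=True)   # strict: reject stray characters
    except binascii.Error as exc:
        return "bad-base64", (
            f"Unable to read new CA cert '{path}': PEM body is not valid base64 ({exc})")
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, tag byte 0x30.
    if not der or der[0] != 0x30:
        return "not-der", f"Unable to read new CA cert '{path}': decoded body is not an ASN.1 SEQUENCE"
    return "ok", f"'{path}' contains a PEM-wrapped DER certificate ({len(der)} bytes)"


def legacy_base64_error(data: bytes) -> str:
    """Reproduce the RHEL 6 message from the ticket: a lenient base64 decode of the
    whole file drops the non-alphabet bytes of 'i am bad', leaving 6 characters,
    which is not a multiple of 4, hence 'Incorrect padding'."""
    try:
        base64.b64decode(data)                        # lenient mode skips spaces/newlines
    except binascii.Error as exc:
        return str(exc)
    return ""


# Constructed sample inputs (not taken from the ticket's attachments)
BAD_CA = b"i am bad\n"                                # exactly what step 2 of the reproducer writes
BAD_B64 = b"-----BEGIN CERTIFICATE-----\nMIIB*not*base64\n-----END CERTIFICATE-----\n"
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])      # minimal SEQUENCE standing in for a real cert
OK_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER) + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for sample in (BAD_CA, BAD_B64, OK_PEM):
        print(check_ca_pem(sample))
    print("legacy decoder says:", legacy_base64_error(BAD_CA))
```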

3.4 development was shifted for one month, moving tickets to reflect reality better.

Metadata Update from @mkosek:
- Issue assigned to akrivoka
- Issue set to the milestone: FreeIPA 4.0 - 2013/10

7 years ago
