Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 978564
Description of problem:
When running ipa-client-install, it outputs a bad error message when the IPA Master has a bad /usr/share/ipa/html/ca.crt file.

Version-Release number of selected component (if applicable):
IPA master: ipa-server-selinux-3.0.0-25.el6.i686 (release build in rhel6.4)
IPA client build:
(1) ipa-client-3.0.0-25.el6.i686 (release build in rhel6.4)
(2) ipa-client-2.1.3-6.el5 (testing build in rhel5.10)

How reproducible: always

Steps to Reproduce:
1. [On IPA Master] install ipa master, use official released build on rhel6.4: ipa-server-selinux-3.0.0-25
2. [On IPA Master] create a bad /usr/share/ipa/html/ca.crt file:
   echo "i am bad" > /usr/share/ipa/html/ca.crt
3. [On IPA Master] create a One Time Password (OTP) for this future ipa client host:
   ipa host-add <fqdn of ipa client> --password <OTP>
   ==example==
   [root@apple (RH6.4-i386) ~] ipa host-del green
   [root@apple (RH6.4-i386) ~] ipa host-add green.yzhang.redhat.com --password otp123 --force
   --------------------
   Deleted host "green"
   --------------------
   ------------------------------------
   Added host "green.yzhang.redhat.com"
   ------------------------------------
   Host name: green.yzhang.redhat.com
   Password: True
   Keytab: False
   Managed by: green.yzhang.redhat.com
4. [On IPA Client] install ipa client with otp
   ==example==
   [root@green (RH5.10-x86_64) ~] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com --realm=YZHANG.REDHAT.COM -w otp123 --hostname=green.yzhang.redhat.com
5.
The error message output by 'ipa-client-install' in this situation is bad:

When ipa-client-2.1.3-6.el5 (testing build in rhel5.10) is used, output contains:
Unable to read new ca cert '/etc/ipa/ca.crt.new': [('PEM routines', 'PEM_read_bio', 'no start line')]

When ipa-client-3.0.0-25.el6.i686 (release build in rhel6.4) is used, output is:
non-generic 'FileError' needs format=None; got format="Unable to read new ca cert '/etc/ipa/ca.crt.new': Incorrect padding"

Based on Rob's comment, the above messages are bad (I am not very clear about the definition of 'bad' here). I will attach the full email conversation below.

Additional info:
Original email conversation between Yi & Rob:

yi zhang wrote:
> Hi:
> In my test, the ipa client install using OTP always failed. And it failed
> for a reason that looks strange to me. Please help me to identify
> whether this is a bug.
> IPA master: ipa-server-selinux-3.0.0-25.el6.i686 (release build in rhel6.4)
>
> IPA Client 1: ipa-client-3.0.0-25.el6.i686 (release build in rhel6.4)
> IPA Client 2: ipa-client-2.1.3-6.el5 (testing build in rhel5.10)
>
>
> ##### Test one: use (ipa-client-3.0.0-25.el6.i686) #######
> step 1: create otp on ipa master server
> ipa host-del durian
> ipa host-add durian.yzhang.redhat.com --password otp123 --force
> [root@apple (RH6.4-i386) ~] ipa host-add durian.yzhang.redhat.com --password otp123 --force
> -------------------------------------
> Added host "durian.yzhang.redhat.com"
> -------------------------------------
> Host name: durian.yzhang.redhat.com
> Password: True
> Keytab: False
> Managed by: durian.yzhang.redhat.com
>
> step 2: remove /etc/ipa/ca.crt to force the ipa client to download this file
> from the master
> [root@durian (RH6.4-i386) ~] rm /etc/ipa/ca.crt
>
> step 3: use otp on ipa client host to install client bits
> [root@durian (RH6.4-i386) ~] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com --realm=YZHANG.REDHAT.COM -w otp123 --hostname=durian.yzhang.redhat.com
>
> Autodiscovery of servers for failover cannot work with this configuration.
> If you proceed with the installation, services will be configured to
> always access the discovered server for all operations and will not fail
> over to other servers in case of failure.
> Proceed with fixed values and no DNS discovery? [no]: yes
> Hostname: durian.yzhang.redhat.com
> Realm: YZHANG.REDHAT.COM
> DNS Domain: yzhang.redhat.com
> IPA Server: apple.yzhang.redhat.com
> BaseDN: dc=yzhang,dc=redhat,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Do you want download the CA cert from
> http://apple.yzhang.redhat.com/ipa/config/ca.crt ?
> (this is INSECURE) [no]: yes
> Cannot obtain CA certificate
> non-generic 'FileError' needs format=None; got format="Unable to read
> new ca cert '/etc/ipa/ca.crt.new': Incorrect padding"

This error message is bad, can you open a BZ or trac ticket on it (on the bad error message, not on what generated it).

In any case, this is unrelated to OTP. You seem to have a bad CA cert on your IPA web server. You may want to open a BZ/trac with that file attached (/usr/share/ipa/html/ca.crt).

I gather you are enrolling against an older server that doesn't have the CA certificate stored in LDAP?

> Installation failed. Rolling back changes.
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> ###### Test two: use (ipa-client-2.1.3-6.el5) #######
> Similar to above test:
> step 1: create otp for ipa client on ipa master host
> [root@green (RH5.10-x86_64) ~] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com --realm=YZHANG.REDHAT.COM -w otp123 --hostname=green.yzhang.redhat.com
> Autodiscovery of servers for failover cannot work with this configuration.
>
> If you proceed with the installation, services will be configured to always
> access the discovered server for all operation and will not fail over to
> other servers in case of failure.
>
> Proceed with fixed values and no DNS discovery? [no]: yes
> Hostname: green.yzhang.redhat.com
> Realm: YZHANG.REDHAT.COM
> DNS Domain: yzhang.redhat.com
> IPA Server: apple.yzhang.redhat.com
> BaseDN: dc=yzhang,dc=redhat,dc=com
>
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Do you want download the CA cert from
> http://apple.yzhang.redhat.com/ipa/config/ca.crt ?
> (this is INSECURE) [no]: yes
> root : ERROR Cannot obtain CA certificate
> Unable to read new ca cert '/etc/ipa/ca.crt.new': [('PEM routines',
> 'PEM_read_bio', 'no start line')]
> Installation failed. Rolling back changes.

RHEL 5 uses OpenSSL routines to handle the certificate. I imagine it's the same error, just different error message. Might be worthwhile to note in any bugs you file though.

rob
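As an added illustration (not code from this ticket or from FreeIPA itself), the Python check below shows why the two clients report differently on the reporter's "i am bad" file, and returns a message that names the defect in the downloaded file rather than wrapping a library exception. The sample inputs are constructed; the `check_ca_cert_pem` and `raw_decode_error` names are assumptions for this example.

```python
import base64
import binascii
import re

# Constructed sample inputs (not the ticket's attachment): the bad file from the
# reproducer, and a well-formed PEM block wrapping a minimal DER SEQUENCE.
BAD_CA_FILE = "i am bad\n"
GOOD_CA_FILE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    + "\n-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def raw_decode_error(text):
    """Feed the whole file to Python's permissive base64 decoder, which is
    where the 'Incorrect padding' string in the 3.0 client output originates:
    non-alphabet bytes are dropped and the remaining 6 characters cannot pad."""
    try:
        base64.b64decode(text)
        return None
    except binascii.Error as e:
        return str(e)


def check_ca_cert_pem(text, path="/etc/ipa/ca.crt.new"):
    """Return (ok, message); the message says what is wrong with the file."""
    m = PEM_RE.search(text)
    if m is None:
        # The case OpenSSL on RHEL 5 reports as 'no start line': no PEM armour.
        return False, "%s does not contain a PEM 'BEGIN CERTIFICATE' block" % path
    body = "".join(m.group(1).split())
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as e:
        # Strict decoding, so the padding/alphabet error is attributed to the file.
        return False, "%s: certificate body is not valid base64 (%s)" % (path, e)
    if not der or der[0] != 0x30:
        # An X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
        return False, "%s: decoded data is not a DER SEQUENCE" % path
    return True, "%s looks like a PEM X.509 certificate" % path


if __name__ == "__main__":
    print(raw_decode_error(BAD_CA_FILE))
    print(check_ca_cert_pem(BAD_CA_FILE)[1])
    print(check_ca_cert_pem(GOOD_CA_FILE)[1])
```

A client that ran this check before trusting the fetched file would print the first two messages for the reporter's setup instead of the wrapped 'FileError' text.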
3.4 development was shifted for one month, moving tickets to reflect reality better.
master: 66242e6
Metadata Update from @mkosek:
- Issue assigned to akrivoka
- Issue set to the milestone: FreeIPA 4.0 - 2013/10