ipa-server-install does not clean /etc/httpd/alias, so there may be remaining certificates which could collide with the next server installation:
# ipa-server-install --http_pkcs12 /home/mkosek/caless/ipa.mkosek-fedora20.test.p12 --dirsrv_pkcs12 /home/mkosek/caless/ipa.mkosek-fedora20.test.p12 --http_pin 12345678 --dirsrv_pin 12345678 --root-ca-file /home/mkosek/caless/caless-external-ca.crt --setup-dns
...
  [29/39]: creating default Sudo bind user
  [30/39]: creating default Auto Member layout
  [31/39]: adding range check plugin
  [32/39]: creating default HBAC rule allow_all
  [33/39]: initializing group membership
  [34/39]: adding master entry
  [35/39]: configuring Posix uid/gid generation
  [36/39]: adding replication acis
  [37/39]: enabling compatibility plugin
  [38/39]: tuning directory server
  [39/39]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Unexpected error - see /var/log/ipaserver-install.log for details:
CertificateFormatError: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
/etc/httpd/alias:
# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           C,,
ipa.mkosek-fedora20.test                                     u,u,u
After I deleted these certificates, installation succeeded. They should be cleaned either during uninstallation or during installation before the failing step.
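The manual remedy above (list the NSS database, delete what is left, then re-run the installer) is easy to script as a pre-install check. The following is an added example and not FreeIPA's own code: it parses the `certutil -L` listing format shown in the ticket, reports whether /etc/httpd/alias still holds certificates, and on request removes them with `certutil -D` (nss-tools) so that a fresh ipa-server-install cannot collide with a stale copy of the same issuer/serial. The sample listing embedded in the script is constructed from the ticket's output; `NSSDIR`, `CERTUTIL` and `NSS_PWDFILE` are the script's own variables, and `NSS_PWDFILE` is only needed if the database is password protected.

```shell
#!/bin/bash
# Added example (not FreeIPA code): inspect and, on request, purge the
# certificates that ipa-server-install leaves behind in the httpd NSS
# database.  Assumes certutil from nss-tools is installed.
set -eu

NSSDIR="${NSSDIR:-/etc/httpd/alias}"
CERTUTIL="${CERTUTIL:-certutil}"   # overridable, e.g. for offline testing
NSS_PWDFILE="${NSS_PWDFILE:-}"     # password file, only if the DB has one

# Constructed sample of `certutil -L -d /etc/httpd/alias`, mirroring the
# listing reported in the ticket (nicknames CA and ipa.mkosek-fedora20.test).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           C,,
ipa.mkosek-fedora20.test                                     u,u,u'

# Read a `certutil -L` listing on stdin, print one nickname per line.
# Header lines are dropped because their last field ("Attributes",
# "SSL,S/MIME,JAR/XPI") is not a trust string such as "u,u,u" or "C,,".
# Only the trailing trust field is stripped, so nicknames containing
# spaces survive intact.
nss_nicknames() {
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
             sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "")
             print
         }'
}

# Parse the constructed sample; demonstrates the parser without an NSS DB.
sample_nicknames() {
    printf '%s\n' "$SAMPLE_LISTING" | nss_nicknames
}

# Run certutil against the database in $1 with the remaining arguments,
# adding -f <pwdfile> when the database is password protected.
nss_certutil() {
    local dir="$1"; shift
    if [ -n "$NSS_PWDFILE" ]; then
        "$CERTUTIL" -d "$dir" -f "$NSS_PWDFILE" "$@"
    else
        "$CERTUTIL" -d "$dir" "$@"
    fi
}

# Nicknames stored in the database at $1 (no output if it is absent/empty).
nss_list() {
    nss_certutil "$1" -L 2>/dev/null | nss_nicknames
}

# Exit 0 if the database still holds certificates, 1 otherwise.
nss_has_certs() {
    nss_list "$1" | grep -q .
}

# Delete every certificate in the database at $1; prints one line per
# removal.  After this, a new install cannot hit
# SEC_ERROR_REUSED_ISSUER_AND_SERIAL on a stale copy of the same cert.
nss_purge_certs() {
    local dir="$1" nick
    nss_list "$dir" | while IFS= read -r nick; do
        echo "removing '$nick' from $dir"
        nss_certutil "$dir" -D -n "$nick"
    done
}

case "${1:-}" in
    check)
        if nss_has_certs "$NSSDIR"; then
            echo "$NSSDIR still holds certificates:" >&2
            nss_list "$NSSDIR" >&2
            exit 1
        fi
        echo "$NSSDIR is clean" ;;
    purge) nss_purge_certs "$NSSDIR" ;;
    *)     echo "usage: $0 check|purge" >&2 ;;
esac
```

Run `./nss-alias-check.sh check` before ipa-server-install (non-zero exit means leftovers), and `./nss-alias-check.sh purge` only on a host where the previous IPA server has really been uninstalled; the script deletes whatever it finds and does not try to tell a stale certificate from a live one.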
Part of installer refactoring.
Moving from backlog, this is something we should do (related freeipa-users report).
During processing of remaining tickets in 4.2 Backlog, this ticket was found as suitable to be fixed in the nearest bugfixing branch - which is 4.2.x.
FreeIPA 4.2.1 was released, moving to 4.2.x.
attachment ipaclient-install.log
This issue affects client installation as well:
# ipa-client-install -U --domain <server_domain> --realm <server_realm> -p admin -w <password> --server <server_fqdn>
Using existing certificate '/etc/ipa/ca.crt'.
Skip vm-058-115.abc.idm.lab.eng.brq.redhat.com: cannot verify if this is an IPA server
Failed to verify that vm-058-115.abc.idm.lab.eng.brq.redhat.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
    TCP: 80, 88, 389
    UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
    TCP: 464
    UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
ipa-client-install does not use /etc/httpd/alias for anything and I don't see anything related to this ticket in the output above.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1318186 (Red Hat Enterprise Linux 7)
Could you please increase priority of this ticket? Or at least provide quickfix for stable branch, with cleaning of /etc/httpd/alias during ipa-client-uninstall?
Replying to [comment:9 ttorcz]:
See comment #7.
This issue in comment #6 is likely the fact that /etc/ipa/ca.crt from a different (probably previous) server remained on the client system. This should be removed already by the client uninstaller (some older clients at times failed to remove this file).
So more details are needed why this needs a higher priority or if indeed the issue is with ipa-client-install then a new ticket is needed.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1331443 (Red Hat Enterprise Linux 7)
Increasing priority in 4.3.x branch for further planning.
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1344810
Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.5 backlog
This issue was hit by multiple admins and is not obvious to investigate.
Metadata Update from @pvoborni:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5 (was: FreeIPA 4.5 backlog)
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
ipa-4-5:
f788e3e httpinstance: clean up /etc/httpd/alias on uninstall
master:
bbd18cf certs: do not implicitly create DS pin.txt
Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata Update from @jcholast: - Issue status updated to: Open (was: Closed)
The fix is incomplete, it causes CA-less replica install to fail:
  [11/21]: setting up ssl
  [error] RuntimeError: Could not find a CA cert in /tmp/tmp_l8CCT
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Could not find a CA cert in /tmp/tmp_l8CCT
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Reopening the issue.
master:
Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)