#5572 SEC_ERROR_NOT_INITIALIZED is raised during ca-less master installation
Closed: Fixed. Opened 3 years ago by ofayans.

When using the certificates generated with ipatests/test_integration/scripts/caless-create-pki
to set up an IPA master with the following command:

ipa-server-install --http-cert-file server.p12 --dirsrv-cert-file server.p12 --ca-cert-file root.pem --ip-address -r JUSTFOR.TEST -n justfor.test -p '<password>' -a '<password>' --setup-dns --forwarder --domain-level 1 --auto-reverse --http-pin '<password>' --dirsrv-pin '<password>' -U

I keep receiving the following error message:

Checking DNS domain justfor.test, please wait ...

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host master.justfor.test
ipa.ipapython.install.cli.install_tool(Server): ERROR    (SEC_ERROR_NOT_INITIALIZED) NSS is not initialized.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

This used to work before.

Additionally, you get the same error if you upgrade 4.2.3 CA-less server to current git version (ipa-4-{2,3} and master) and then try to run ipa-replica-prepare with supplied http and dirsrv certs.

Regression caused by #5535; importing the rpm module somehow breaks it.


  • 7cd99e8 use FFI call to rpmvercmp function for version comparison
  • be9af72 use FFI call to rpmvercmp function for version comparison
  • 6b6a11f use FFI call to rpmvercmp function for version comparison

Metadata Update from @ofayans:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.2.4

2 years ago
