#5809 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes
Closed: Fixed. Opened 9 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1321652

Description of problem:
A CA-less IPA server installation will fail when using external certificates
with UTF8 field values that encapsulate RDN components in double quotes, like
this ->

Subject: C=US, ST=CA, O="EXAMPLE DOT COM", CN=ipa1.example.com

When Apache is configured during installation, this subject is used as the
value to the 'NSSNickname' directive in /etc/httpd/conf.d/nss.conf and is
written to the file as below ->

NSSNickname "CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US"

The installer code will encapsulate a value that contains spaces in double
quotes as required by mod_nss. The issue here is that the value itself also
includes double quotes; this causes Apache to throw an error when it is
restarted, and the overall IPA installation fails at this point ->

[IPA installer log]

2016-03-24T02:41:09Z DEBUG The ipa-server-install command failed, exception:
CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service''
returned non-zero exit status 1
2016-03-24T02:41:09Z ERROR Command ''/bin/systemctl' 'restart' 'httpd.service''
returned non-zero exit status 1

[Apache error log]

[Thu Mar 24 10:00:12.309299 2016] [:error] [pid 21470] Certificate not found:
'CN=ipa1.example.com,O="EXAMPLE DOT COM",ST=CA,C=US'


However, Apache starts up just fine when the value in nss.conf is surrounded by
single quotes instead. I confirmed this on
ipa-server-4.2.0-15.el7_2.6.x86_64.

The workaround is a slight modification to the installer script
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py ->

 1. Create a back-up of
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py

 2. Edit installutils.py and look for the following code at line 390 ->

    389  if quotes:
    390      newfile.append('%s%s"%s"\n' % (directive,separator, value))

    [Change line 390 to]:

             newfile.append('%s%s\'%s\'\n' % (directive,separator, value))


This will encapsulate the Subject value with single quotes instead of
double quotes. This change allowed my installation to complete when tested and
was also verified by a CU ->

# diff -u
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py
--- /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig
2016-03-23 16:44:52.627394610 -0700
+++ /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py
2016-03-24 13:20:34.058402844 -0700
@@ -387,7 +387,7 @@
             valueset = True
             if value is not None:
                 if quotes:
-                    newfile.append('%s%s"%s"\n' % (directive, separator,
value))
+                    newfile.append('%s%s\'%s\'\n' % (directive, separator,
value))
                 else:
                     newfile.append('%s%s%s\n' % (directive, separator, value))
         else:
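Review bot: the quoting branch changed here is part of a generic directive writer (the code sees only `directive`, `separator` and `value`, nothing specific to NSSNickname), so switching the `if quotes:` arm to single quotes changes every directive the installer writes with quotes enabled, which is the "might break something else" concern raised in triage. It also only moves the failure: a value containing a literal single quote (an apostrophe in an O= or CN= component) breaks the single-quoted form exactly as the double quotes broke this one. Quote per value instead of per quote character: either escape backslash and the quote character inside `value` before wrapping it (`value.replace('\\', '\\\\').replace('"', '\\"')`) and keep the double quotes, or let the caller pass the quote character so only the NSSNickname call site changes.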


With the change, 'NSSNickname' in nss.conf now looks like this post-install ->

# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname 'CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US'
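Added worked example, not the reporter's workaround and not FreeIPA or httpd code: a small model of the quoted-argument rule I believe httpd's config reader applies (my reading of ap_getword_conf()/substring_conf(), stated here as an assumption), run over the two nss.conf lines quoted above. It shows that the double-quoted installer line and the single-quoted workaround line hand httpd two different nickname strings, so the quote change is not cosmetic; that a value containing an apostrophe would break the single-quote workaround in the same way; and that escaping the quote character and backslash inside the value round-trips any nickname without picking a quote character per directive. Which of the two strings matches the certificate's actual NSS nickname is not recorded on this ticket. The apostrophe DN is constructed for the example.

```python
"""Model of how httpd reads one quoted directive argument, applied to the
NSSNickname lines from this ticket.

Added example for this ticket; it is not FreeIPA or httpd code.  The
unquoting rule is my reading of httpd's ap_getword_conf()/substring_conf()
(assumption: inside a quoted argument, only backslash followed by the same
quote character or by another backslash is an escape; any other backslash is
kept literally).
"""


def apache_getword_conf(line):
    """Return (first_argument, remainder) the way httpd's config reader does."""
    s = line.lstrip()
    if not s:
        return "", ""
    quote = s[0]
    if quote not in ('"', "'"):
        # Unquoted word: runs to the next whitespace; only a doubled
        # backslash collapses to one.
        end = 0
        while end < len(s) and not s[end].isspace():
            end += 1
        return s[:end].replace("\\\\", "\\"), s[end:]
    # Quoted word: scan to the first quote of the same kind that is not
    # escaped; a quote of the other kind is an ordinary character.
    out = []
    i = 1
    while i < len(s) and s[i] != quote:
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in (quote, "\\"):
            out.append(s[i + 1])      # escape consumed
            i += 2
        else:
            out.append(s[i])          # anything else, backslashes included, is literal
            i += 1
    rest = s[i + 1:] if i < len(s) else ""
    return "".join(out), rest


def nickname_seen_by_httpd(nss_conf_line):
    """For a full 'NSSNickname <arg>' line, return (nickname, leftover text).

    Non-empty leftover text means the argument ended early and httpd would
    see a second, unexpected argument on the line.
    """
    directive, rest = apache_getword_conf(nss_conf_line)
    if directive != "NSSNickname":
        raise ValueError("not an NSSNickname line: %r" % nss_conf_line)
    value, trailing = apache_getword_conf(rest)
    return value, trailing.strip()


def quote_apache_value(value):
    """Quote a value so that apache_getword_conf() returns it unchanged.

    Always uses double quotes and escapes the two characters that are special
    inside them, so a value may contain spaces, either quote character or
    backslashes without any per-directive choice of quote character.
    """
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


# The nickname string the installer wrote between the quotes, backslashes
# included, copied from the ticket's nss.conf lines.
NICKNAME = 'CN=ipa1.example.com,O=\\"EXAMPLE DOT COM\\",ST=CA,C=US'
ORIGINAL_LINE = 'NSSNickname "%s"' % NICKNAME     # what the installer produced
WORKAROUND_LINE = "NSSNickname '%s'" % NICKNAME   # the single-quote workaround
ROBUST_LINE = "NSSNickname " + quote_apache_value(NICKNAME)

if __name__ == "__main__":
    cases = (
        ("installer", ORIGINAL_LINE),
        ("workaround", WORKAROUND_LINE),
        ("escaped", ROBUST_LINE),
        # Constructed DN: an apostrophe defeats the single-quote workaround.
        ("apostrophe", "NSSNickname 'CN=O'Brien Inc'"),
    )
    for label, line in cases:
        value, leftover = nickname_seen_by_httpd(line)
        print("%-10s %s" % (label, line))
        print("%-10s -> nickname %r, leftover %r" % ("", value, leftover))
```

Run as a script it prints, for each line, the nickname httpd would pass to mod_nss and any leftover text. The installer's line decodes to the string with bare double quotes that appears in the Apache error log above, the workaround line keeps the backslashes, and the escaped form gives back exactly the string the installer started with; the apostrophe case stops at `CN=O` and leaves `Brien Inc'` as a stray second argument.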

triage comments:

  • H: I did, I think it might break something else
  • H: proper fix would be to use the correct nickname in NSSNickname, need to check what correct means in this case

4.4.0 was released, moving open tickets to 4.4.1

master:

  • 4d994be Move character escaping function to ipautil
  • ee96384 mod_nss: use more robust quoting of NSSNickname directive

ipa-4-4:

  • a683322 Move character escaping function to ipautil
  • aed346a mod_nss: use more robust quoting of NSSNickname directive

Metadata Update from @pvoborni:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.4.2

8 years ago
