freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#6310 pki instance creation fails during ipa replica install

Created 2 years ago by pvoborni
Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1371519

Description of problem:

During ipa replica install on 7.3 from replica file created on 6.8 IPA Master,
pki instance creation fails with following error message.

2016-08-30 17:18:30 pkispawn    : INFO     ....... modifying
'/etc/pki/pki-tomcat/alias/secmod.db'
2016-08-30 17:18:30 pkispawn    : DEBUG    ........... chmod 600
/etc/pki/pki-tomcat/alias/secmod.db
2016-08-30 17:18:30 pkispawn    : DEBUG    ........... chown 17:17
/etc/pki/pki-tomcat/alias/secmod.db
2016-08-30 17:18:36 pkispawn    : DEBUG    ....... Error Type:
CalledProcessError
2016-08-30 17:18:36 pkispawn    : DEBUG    ....... Error Message: Command
'['certutil', '-M', '-d', '/etc/pki/pki-tomcat/alias', '-f',
'/etc/pki/pki-tomcat/pfile', '-n', 'caSigningCert cert-pki-ca', '-t',
'CTu,Cu,Cu']' returned non-zero exit status 255
2016-08-30 17:18:36 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn",
line 528, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/secur
ity_databases.py", line 159, in spawn
    trust_attributes='CTu,Cu,Cu')
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 165, in
modify_cert
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)


Version-Release number of selected component (if applicable):


How reproducible:
[root@dhcp207-47 ~]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-8.el7.x86_64
pki-ca-10.3.3-7.el7.noarch
[root@dhcp207-47 ~]#

Steps to Reproduce:
1. Prepare a RHEL 6.8 IPA Master and generate replica install file on it.
2. Copy replica install file on RHEL 7.3 replica and install replica
3.

Actual results:
Replica install fails on RHEL 7.3

Expected results:
Replica install should be successful on RHEL 7.3

Additional info:
(1) Please find the attached console output file for more info

Adopted a different strategy to fix this issue. The code should be fixed on the master side (i.e. fix ipa-replica-prepare so that it creates a gpg file containing the right certificates + nicknames).

See BZ 1369470 https://bugzilla.redhat.com/show_bug.cgi?id=1369470

2 years ago

Metadata Update from @pvoborni:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.4.2

Login to comment on this ticket.

defect

Installation

https://github.com/freeipa/freeipa/pull/69

https://bugzilla.redhat.com/show_bug.cgi?id=1371519

cancel