#6640 DS certificate request during replica install fails due to bytes/string mismatch
Closed: Fixed None Opened 5 years ago by mbabinsk.

When installing a DL1 replica, the certmonger request for the DS certificate fails with a CA_UNREACHABLE error, crashing the whole installation:

[23/45]: configure new location for managed entries
[24/45]: configure dirsrv ccache
[25/45]: enabling SASL mapping fallback
[26/45]: restarting directory server
[27/45]: creating DS keytab
[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Investigation of the Apache error logs on the master reveals the root cause to be an error during construction of the Kerberos principal for the request, which causes an internal error:

[Sat Feb 04 00:24:18.298278 2017] [wsgi:error] [pid 22855] Traceback (most recent call last):
[Sat Feb 04 00:24:18.298282 2017] [wsgi:error] [pid 22855]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
[Sat Feb 04 00:24:18.298286 2017] [wsgi:error] [pid 22855]     result = command(*args, **options)
[Sat Feb 04 00:24:18.298289 2017] [wsgi:error] [pid 22855]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Sat Feb 04 00:24:18.298292 2017] [wsgi:error] [pid 22855]     return self.__do_call(*args, **options)
[Sat Feb 04 00:24:18.298295 2017] [wsgi:error] [pid 22855]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Sat Feb 04 00:24:18.298298 2017] [wsgi:error] [pid 22855]     ret = self.run(*args, **options)
[Sat Feb 04 00:24:18.298301 2017] [wsgi:error] [pid 22855]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Sat Feb 04 00:24:18.298304 2017] [wsgi:error] [pid 22855]     return self.execute(*args, **options)
[Sat Feb 04 00:24:18.298307 2017] [wsgi:error] [pid 22855]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 775, in execute
[Sat Feb 04 00:24:18.298310 2017] [wsgi:error] [pid 22855]     gn.name, principal_obj):
[Sat Feb 04 00:24:18.298313 2017] [wsgi:error] [pid 22855]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 887, in _principal_name_matches_principal
[Sat Feb 04 00:24:18.298316 2017] [wsgi:error] [pid 22855]     principal = kerberos.Principal(name)
[Sat Feb 04 00:24:18.298319 2017] [wsgi:error] [pid 22855]   File "/usr/lib/python2.7/site-packages/ipapython/kerberos.py", line 72, in __init__
[Sat Feb 04 00:24:18.298323 2017] [wsgi:error] [pid 22855]     components)
[Sat Feb 04 00:24:18.298326 2017] [wsgi:error] [pid 22855] TypeError: Cannot create a principal object from bytes: 'ldap/replica.ipa.test@IPA.TEST'

This may be a regression caused by the current Py3 porting effort, so it would make sense to investigate ASAP.


Regression only in master branch

master:

  • 91ab650 py3: x509.py: return principal as unicode string
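
The failure in the traceback and the direction of the fix named in the commit title, as an added Python 3 sketch that is not FreeIPA code: `Principal`, `san_principal_raw`, `san_principal_text` and `name_matches_principal` are hypothetical stand-ins. It assumes the certificate parser hands back the SAN principal as a byte string, and shows the value being decoded once at the parsing boundary so the strict principal type only ever sees text.

```python
# Added illustration; every name here is hypothetical and none of it is
# FreeIPA's ipapython.kerberos or x509 code.

class Principal:
    """Minimal text-only principal of the form [service/]host@REALM."""

    def __init__(self, name):
        if isinstance(name, bytes):
            # Same refusal the traceback shows: no implicit bytes -> text.
            raise TypeError(
                "Cannot create a principal object from bytes: %r" % (name,))
        left, sep, realm = name.rpartition("@")
        if not sep or not left or not realm:
            raise ValueError("principal has no realm: %r" % (name,))
        self.components = tuple(left.split("/"))
        self.realm = realm

    def __eq__(self, other):
        return (isinstance(other, Principal)
                and (self.components, self.realm)
                == (other.components, other.realm))


def san_principal_raw(decoded_san):
    """'Before': pass the decoder's byte string straight to the caller."""
    return decoded_san


def san_principal_text(decoded_san):
    """'After': decode once at the parsing boundary, strictly as UTF-8."""
    if isinstance(decoded_san, bytes):
        # Malformed input raises UnicodeDecodeError instead of being guessed.
        return decoded_san.decode("utf-8")
    return decoded_san


def name_matches_principal(name, principal):
    """Compare a SAN principal name with the principal the request is for."""
    return Principal(name) == principal


# Constructed sample values, reusing the principal shown in the traceback.
SAN_VALUE = b"ldap/replica.ipa.test@IPA.TEST"
REQUESTED = Principal("ldap/replica.ipa.test@IPA.TEST")
```
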

Metadata Update from @mbabinsk:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.5

5 years ago
