#6803 Master tree fails to install
Closed: fixed 7 years ago Opened 7 years ago by simo.

Error happens reliably in httpd ssl setup:

Done configuring ipa-custodia.
Configuring the web interface (httpd)
  [1/22]: setting mod_nss port to 443
  [2/22]: setting mod_nss cipher suite
  [3/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/22]: setting mod_nss password file
  [5/22]: enabling mod_nss renegotiate
  [6/22]: adding URL rewriting rules
  [7/22]: configuring httpd
  [8/22]: setting up httpd keytab
  [9/22]: retrieving anonymous keytab
  [10/22]: configuring Gssproxy
  [11/22]: setting up ssl
  [error] CalledProcessError: Command '/usr/bin/modutil -dbdir /etc/httpd/alias -force -list Root Certs' returned non-zero exit status 29
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/usr/bin/modutil -dbdir /etc/httpd/alias -force -list Root Certs' returned non-zero exit status 29
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

If I manually run the command it also fails; this is the output w/o specifying Root Certs:

# /usr/bin/modutil -dbdir /etc/httpd/alias -force -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
-----------------------------------------------------------

Metadata Update from @simo:
- Issue tagged with: regression

7 years ago

I suspected something may be on with backups and manipulation of /etc/httpd/alias, so I removed the directory and dnf reinstalled mod_nss, then attempted install again and this time it worked.

I think the fix is to verify if the symlink to libnssckbi.so is there and, if not, create it?

I tried to run backup, delete /etc/httpd/alias then restore then reinstall and haven't hit the issue. I also see the symlink properly packed into backup tarball. But maybe there's a sequence that breaks it. Then I would like to fix backup/restore.
I don't like when FreeIPA installers are trying to fix errors in the environment/system. FreeIPA should declare what it expects in the environment and error out loudly when the expectation is not met. Here it expects that mod_nss will create the symlink; when the symlink is not there, it is not the FreeIPA installer's job to create it.

Metadata Update from @dkupka:
- Issue assigned to dkupka

7 years ago

Metadata Update from @dkupka:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/655

7 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436753

7 years ago

ipa-4-5:

  • 2a49955 httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available

master:

  • 0128e80 httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue priority set to: 2
- Issue set to the milestone: FreeIPA 4.5.1
- Issue status updated to: Closed (was: Open)

7 years ago
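
As an added illustration (not FreeIPA's code and not the change in the commits listed above), this parses the `modutil -list` output format shown in the ticket and only builds the by-name 'Root Certs' command when that module is registered in the database. The names `parse_modutil_list` and `list_module_argv` and the `ROOT_CERTS_STANZA` sample are constructed for this example.

```python
import re

# Output copied from the ticket: only the internal module is registered.
LISTING_FROM_TICKET = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
-----------------------------------------------------------
"""
# Constructed stanza (not from the ticket) for a database with the module.
ROOT_CERTS_STANZA = """\
  2. Root Certs
    library name: /etc/httpd/alias/libnssckbi.so
     slots: 1 slot attached
    status: loaded
"""
MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")
FIELD_RE = re.compile(r"^\s*([a-z ]+?):\s*(.*?)\s*$")

def parse_modutil_list(text):
    """Map each module name to its (field, value) pairs, in listing order."""
    modules, current = {}, None
    for line in text.splitlines():
        module = MODULE_RE.match(line)
        field = FIELD_RE.match(line)
        if module:
            current = modules.setdefault(module.group(1), [])
        elif field and current is not None:
            current.append(field.groups())
    return modules

def list_module_argv(listing, name="Root Certs", dbdir="/etc/httpd/alias"):
    """Return the per-module modutil command from the ticket, or None to skip."""
    if name not in parse_modutil_list(listing):
        return None  # module absent: the by-name listing is the call that failed
    return ["/usr/bin/modutil", "-dbdir", dbdir, "-force", "-list", name]
```

A `None` result lets the caller decide between skipping the step and stopping with a clear message about the missing module, instead of surfacing a raw `CalledProcessError`.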
