Error happens reliably in httpd ssl setup:
Done configuring ipa-custodia.
Configuring the web interface (httpd)
  [1/22]: setting mod_nss port to 443
  [2/22]: setting mod_nss cipher suite
  [3/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/22]: setting mod_nss password file
  [5/22]: enabling mod_nss renegotiate
  [6/22]: adding URL rewriting rules
  [7/22]: configuring httpd
  [8/22]: setting up httpd keytab
  [9/22]: retrieving anonymous keytab
  [10/22]: configuring Gssproxy
  [11/22]: setting up ssl
  [error] CalledProcessError: Command '/usr/bin/modutil -dbdir /etc/httpd/alias -force -list Root Certs' returned non-zero exit status 29
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Command '/usr/bin/modutil -dbdir /etc/httpd/alias -force -list Root Certs' returned non-zero exit status 29
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
If I manually run the command it also fails, this is the output w/o specifying a Root Certs:
# /usr/bin/modutil -dbdir /etc/httpd/alias -force -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------
Metadata Update from @simo: - Issue tagged with: regression
I suspected something may be on with backups and manipulation of /etc/httpd/alias, so I removed the directory and dnf reinstalled mod_nss, then attempted install again, and this time it worked.
I think the fix is to verify if the symlink to libnssckbi.so is there and if not create it?
I tried to run backup, delete /etc/httpd/alias, then restore, then reinstall, and haven't hit the issue. I also see the symlink properly packed into the backup tarball. But maybe there's a sequence that breaks it. Then I would like to fix backup/restore. I don't like when FreeIPA installers are trying to fix errors in the environment/system. FreeIPA should declare what it expects in the environment and error out loudly when the expectation is not met. Here it expects that mod_nss will create the symlink; when the symlink is not there, it is not the FreeIPA installer's job to create it.
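The position in the comment above (state the expectation and fail loudly instead of repairing the system), applied to the libnssckbi.so symlink this ticket is about. This is an added example, not FreeIPA code and not the change from the linked pull request; the function and exception names are hypothetical, and the demo uses a constructed temporary directory in place of /etc/httpd/alias.

```python
import os
import stat
import tempfile

ROOT_CERTS_LIB = "libnssckbi.so"  # library name as given in the ticket


class PreconditionError(Exception):
    """The NSS database directory is not in the state the installer expects."""


def check_root_certs_link(dbdir):
    """Verify dbdir/libnssckbi.so resolves to a regular file; never create it.

    Returns the resolved target path, or raises PreconditionError naming
    exactly which expectation was not met.
    """
    if not os.path.isdir(dbdir):
        raise PreconditionError(f"{dbdir}: NSS database directory not found")
    link = os.path.join(dbdir, ROOT_CERTS_LIB)
    # lexists() is true for a dangling symlink too, so "absent" and
    # "present but broken" are reported as different failures.
    if not os.path.lexists(link):
        raise PreconditionError(f"{link}: symlink is missing")
    try:
        st = os.stat(link)  # follows the link
    except OSError as exc:
        target = os.readlink(link) if os.path.islink(link) else link
        raise PreconditionError(
            f"{link}: dangling symlink (points to {target})") from exc
    if not stat.S_ISREG(st.st_mode):
        raise PreconditionError(f"{link}: target is not a regular file")
    return os.path.realpath(link)


if __name__ == "__main__":
    # Constructed demo: a temp directory stands in for /etc/httpd/alias and
    # holds a symlink whose target does not exist.
    with tempfile.TemporaryDirectory() as d:
        os.symlink(os.path.join(d, "no-such-lib.so"),
                   os.path.join(d, ROOT_CERTS_LIB))
        try:
            check_root_certs_link(d)
        except PreconditionError as err:
            print("refusing to continue:", err)
```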
Metadata Update from @dkupka: - Issue assigned to dkupka
Metadata Update from @dkupka: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/655
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436753
Issue linked to bug 1436753
ipa-4-5:
master:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue priority set to: 2 - Issue set to the milestone: FreeIPA 4.5.1 - Issue status updated to: Closed (was: Open)