#6806 CA-less installation fails on publishing CA certificate
Closed: fixed 7 years ago Opened 7 years ago by mbabinsk.

CA-less installation of freeipa-server-4.5.0-0.fc25.x86_64 fails during publishing of the CA cert in the HTTP installer:

Configuring the web interface (httpd)
  [1/21]: setting mod_nss port to 443
  [2/21]: setting mod_nss cipher suite
  [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/21]: setting mod_nss password file
  [5/21]: enabling mod_nss renegotiate
  [6/21]: adding URL rewriting rules
  [7/21]: configuring httpd
  [8/21]: setting up httpd keytab
  [9/21]: retrieving anonymous keytab
  [10/21]: configuring Gssproxy
  [11/21]: setting up ssl
  [12/21]: importing CA certificates from LDAP
  [13/21]: publish CA cert
  [error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -L -n IPA.TEST IPA CA -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/usr/bin/certutil -d /etc/httpd/alias -L -n IPA.TEST IPA CA -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

This is caused by using an incorrect CA cert nickname (the default one generated during a CA-full install) instead of retrieving the correct nickname from the supplied PKCS#12 files (as can be seen from the content of the HTTP alias directory):

# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,  
ca1/server                                                   u,u,u
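
An added example, not part of the original report and not FreeIPA's code: a check that confirms an assumed CA nickname against the `certutil -L` listing before it is used. It reads the NSS database listing rather than the PKCS#12 files, and the function names are hypothetical.

```python
import re

# Constructed sample: the `certutil -L -d /etc/httpd/alias/` listing from the report.
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
ca1/server                                                   u,u,u
"""

# A nickname (may contain spaces), then three comma-separated trust-flag fields.
_ENTRY = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_listing(text):
    """Return [(nickname, (ssl, email, objsign))] from `certutil -L` output."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:  # header lines carry no trust-flag triple and are skipped
            entries.append((m.group("nick"), tuple(m.group("trust").split(","))))
    return entries


def ca_nicknames(text):
    """Nicknames whose SSL trust field marks a trusted CA (flag C or T)."""
    return [n for n, (ssl, _, _) in parse_listing(text) if set(ssl) & {"C", "T"}]


def resolve_ca_nickname(text, assumed):
    """Keep the assumed nickname only if the database lists it as a CA."""
    found = ca_nicknames(text)
    if assumed in found:
        return assumed
    if len(found) == 1:
        return found[0]  # the single CA actually present, e.g. from PKCS#12
    raise LookupError(f"expected exactly one CA certificate, found {found!r}")
```

With the listing from this report, the default nickname `IPA.TEST IPA CA` is absent, so the check resolves to `ca1` instead of passing a nonexistent nickname to `certutil -n`.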

Metadata Update from @mbabinsk:
- Issue priority set to: 2

7 years ago

Metadata Update from @mbasti:
- Issue priority set to: 1 (was: 2)
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: regression

7 years ago

Metadata Update from @mbabinsk:
- Issue untagged with: regression

7 years ago

Metadata Update from @mbabinsk:
- Issue tagged with: regression

7 years ago

Metadata Update from @stlaz:
- Issue assigned to stlaz

7 years ago

master:

  • 8c87014 Get correct CA cert nickname in CA-less
  • aae9a91 Remove publish_ca_cert() method from NSSDatabase

ipa-4-5:

  • ebf24e7 Get correct CA cert nickname in CA-less
  • 9938974 Remove publish_ca_cert() method from NSSDatabase

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1438490

7 years ago

Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago
