CA-less installation of freeipa-server-4.5.0-0.fc25.x86_64 fails during publishing of CA cert in HTTP installer:

    Configuring the web interface (httpd)
      [1/21]: setting mod_nss port to 443
      [2/21]: setting mod_nss cipher suite
      [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
      [4/21]: setting mod_nss password file
      [5/21]: enabling mod_nss renegotiate
      [6/21]: adding URL rewriting rules
      [7/21]: configuring httpd
      [8/21]: setting up httpd keytab
      [9/21]: retrieving anonymous keytab
      [10/21]: configuring Gssproxy
      [11/21]: setting up ssl
      [12/21]: importing CA certificates from LDAP
      [13/21]: publish CA cert
      [error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -L -n IPA.TEST IPA CA -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
    ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Command '/usr/bin/certutil -d /etc/httpd/alias -L -n IPA.TEST IPA CA -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
    ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

This is caused by using an incorrect CA cert nickname (the default one generated during CA-full install) instead of retrieving the correct nickname from the supplied PKCS#12 files (as can be seen from the content of the HTTP alias directory):

    # certutil -L -d /etc/httpd/alias/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    ca1                                                          C,,
    ca1/server                                                   u,u,u

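The nickname mismatch described above can be checked directly from a `certutil -L` listing. The following is an added example, not FreeIPA's code or the fix for this ticket: it parses the listing shown in the report (embedded as a constructed sample) and resolves the CA nickname from the trust flags instead of assuming the default one. The function names are hypothetical, and selecting the CA by its `C`/`T` trust flag is an assumption of this sketch.

```python
import re

# Constructed sample: the NSS database listing quoted in the ticket.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,
ca1/server                                                   u,u,u
"""

# Nickname the installer asked for in the failing command (from the log).
DEFAULT_CA_NICKNAME = "IPA.TEST IPA CA"

# A data row ends in three comma-separated flag groups; the nickname is
# everything before them and may itself contain spaces.
ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text):
    """Return {nickname: (ssl, email, objsign)} from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)  # header lines do not match and are skipped
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def ca_nicknames(certs):
    """Nicknames trusted as a CA for SSL (C or T in the first flag group)."""
    return [n for n, (ssl, _, _) in certs.items() if set(ssl) & set("CT")]


def resolve_ca_nickname(certs, preferred=DEFAULT_CA_NICKNAME):
    """Use the preferred nickname only if present, else the single CA found."""
    if preferred in certs:
        return preferred
    cas = ca_nicknames(certs)
    if len(cas) != 1:
        raise LookupError("cannot pick a CA nickname unambiguously: %r" % cas)
    return cas[0]


if __name__ == "__main__":
    print(resolve_ca_nickname(parse_listing(SAMPLE_LISTING)))
```
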
Metadata Update from @mbabinsk: - Issue priority set to: 2
Metadata Update from @mbasti: - Issue priority set to: 1 (was: 2) - Issue set to the milestone: FreeIPA 4.5.1 - Issue tagged with: regression
Metadata Update from @mbabinsk: - Issue untagged with: regression
Metadata Update from @mbabinsk: - Issue tagged with: regression
Metadata Update from @stlaz: - Issue assigned to stlaz
master:
ipa-4-5:
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1438490
Issue linked to bug 1438490
Metadata Update from @jcholast: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)