#6892 ipa-[ca|kra]-install with invalid DM password break replica
Closed: fixed 3 years ago Opened 3 years ago by cheimes.

CA and KRA replicas can be installed on a replica at a later point in time. The commands ipa-ca-install and ipa-kra-install ask for the Directory Manager password, but fail to validate that the password is correct. There is no safe way to recover from a bad password other than complete uninstallation of the entire replica.

$ ipa-client-install
...
$ kinit admin
$ ipa-replica-install
...
$ ipa-ca-install
$ ipa-ca-install 
Directory Manager (existing master) password: WrongPassword
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpNKIUbr' returned non-ze1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

The installers also ask for DM password when the subsystem is already installed:

# ipa-kra-install 
Directory Manager password: 

KRA already installed
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
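
The commits attached to this ticket add a Directory Manager password validator that runs before the installer changes any state. As an added illustration, not code from the FreeIPA project, the stdlib-only Python below performs an LDAP simple bind as cn=Directory Manager over LDAPS and reports whether the server accepted the credentials (host, port and timeout values are assumptions), so an installer can refuse to start replication with a wrong password instead of failing at the pkispawn step:

```python
import socket
import ssl

DM_DN = "cn=Directory Manager"
LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49   # RFC 4511 resultCode values


def _ber_len(n: int) -> bytes:
    # BER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }
    # msg_id below 128 keeps the INTEGER a single byte
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    # returns (tag, value, position after the element); handles long-form lengths
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_bind_result(msg: bytes) -> int:
    # BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body, 0)          # skip messageID
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def validate_dm_password(host: str, password: str, port: int = 636, timeout: float = 10.0) -> bool:
    # Pre-flight check: bind over LDAPS as Directory Manager before touching any state.
    # True only on resultCode 0; 49 (invalidCredentials) means the DM password is wrong.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as sock:
            sock.sendall(build_simple_bind(1, DM_DN, password))
            return parse_bind_result(sock.recv(4096)) == LDAP_SUCCESS
```

Calling validate_dm_password() first and aborting on False is the ordering the fix introduces; the bind itself creates no replication agreements or CA database, so a wrong password leaves nothing to clean up.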

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1445390

3 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: bug

3 years ago

Metadata Update from @tkrizek:
- Issue assigned to tkrizek

3 years ago

Metadata Update from @tkrizek:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/757

3 years ago

master:

  • 80d61c2 ca install: merge duplicated code for DM password
  • 7a4a368 installutils: add DM password validator
  • 1b1bace ca, kra install: validate DM password

ipa-4-5:

  • 282fc0c ca install: merge duplicated code for DM password
  • 4c12b71 installutils: add DM password validator
  • b8bcaa6 ca, kra install: validate DM password

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
