The 2nd step of ipa-server-install with external CA fails while issuing a self-signed certificate for pkinit.
To reproduce:
run ipa-server-install --external-ca ... This step produces a /root/ipa.csr certificate request, that needs to be provided to a certificate authority in order to get a cert for the IPA server.
run ipa-server-install --external-cert-file=ipa.cert --external-cert-file=ca.cert
The command fails with:
Done configuring the web interface (httpd).
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    must be str, unicode, tuple, Name, RDN or DN, got <type 'NoneType'> instead
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The log shows that the error happens in issue_selfsigned_pkinit_certs:
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 494, in enable_ssl
    self.issue_selfsigned_pkinit_certs()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 442, in issue_selfsigned_pkinit_certs
    self._call_certmonger(certmonger_ca="SelfSign")
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 391, in _call_certmonger
    subject = str(DN(('cn', self.fqdn), self.subject_base))
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1107, in __init__
    self.rdns = self._rdns_from_sequence(args)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1148, in _rdns_from_sequence
    rdn = self._rdns_from_value(item)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1141, in _rdns_from_value
    % type(value))
2017-05-02T10:21:32Z DEBUG The ipa-server-install command failed, exception: TypeError: must be str, unicode, tuple, Name, RDN or DN, got <type 'NoneType'> instead
The issue is that the krb instance was initialized with self.fqdn = None (install.py calls krb = krbinstance.KrbInstance(fstore) where self.fqdn=None, then it calls krb.enable_ssl() which ends in self._call_certmonger() with self.fqdn still equal to None).
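The ordering problem described above, as an added illustration that is not FreeIPA's code and does not import ipapython: a stand-in DN class (MiniDN) rejects None the way the installer log shows, a stand-in KrbInstance (MiniKrbInstance) is constructed with fqdn and subject_base unset and only filled in by a later setup() call, and a guarded variant of enable_ssl() checks those attributes first so the failure is reported at the call site instead of from inside the DN constructor. All class, method and host names here are assumptions made for this example; how the actual fix was done is not shown here.

```python
# Added example (not FreeIPA code): a minimal stand-in for the
# KrbInstance / DN interaction described in the ticket.  MiniDN,
# MiniKrbInstance, setup(), enable_ssl_guarded() and the host name
# ipa.example.test are assumptions for this illustration only.


class MiniDN:
    """Tiny imitation of a DN constructor: accepts (attr, value) tuples of
    strings or other MiniDN instances and rejects anything else, including
    None, with the same kind of TypeError the installer log shows."""

    def __init__(self, *args):
        self.rdns = []
        for item in args:
            self.rdns.extend(self._rdns_from_value(item))

    def _rdns_from_value(self, value):
        if isinstance(value, MiniDN):
            return list(value.rdns)
        if isinstance(value, tuple) and len(value) == 2:
            attr, val = value
            if isinstance(attr, str) and isinstance(val, str):
                return [(attr, val)]
            # Report the offending component, e.g. the None host name.
            value = val if isinstance(attr, str) else attr
        raise TypeError(
            "must be str, unicode, tuple, Name, RDN or DN, got %s instead"
            % type(value))

    def __str__(self):
        return ",".join("%s=%s" % (a, v) for a, v in self.rdns)


class MiniKrbInstance:
    """Mirrors the ordering problem: the constructor does not know the host
    name or the subject base; a later setup step is expected to fill them
    in before enable_ssl() builds the certmonger request subject."""

    def __init__(self):
        self.fqdn = None
        self.subject_base = None

    def setup(self, fqdn, subject_base):
        self.fqdn = fqdn
        self.subject_base = subject_base

    def _certmonger_subject(self):
        # Same shape as str(DN(('cn', self.fqdn), self.subject_base)).
        return str(MiniDN(("cn", self.fqdn), self.subject_base))

    def enable_ssl(self):
        # Unguarded: called before setup() this fails deep inside MiniDN.
        return self._certmonger_subject()

    def enable_ssl_guarded(self):
        # Guarded: fail early with an actionable message naming the
        # attributes that were never initialised.
        missing = [n for n in ("fqdn", "subject_base")
                   if getattr(self, n) is None]
        if missing:
            raise RuntimeError(
                "KrbInstance not initialised: %s unset; call setup() "
                "before enable_ssl()" % ", ".join(missing))
        return self._certmonger_subject()


def reproduce():
    """Run both code paths on an uninitialised instance, then on a
    configured one.  Returns (unguarded error text, guarded error text,
    subject string after setup)."""
    krb = MiniKrbInstance()
    try:
        krb.enable_ssl()
        unguarded = None
    except TypeError as e:
        unguarded = str(e)
    try:
        krb.enable_ssl_guarded()
        guarded = None
    except RuntimeError as e:
        guarded = str(e)
    # Constructed sample values standing in for the real host and base DN.
    krb.setup("ipa.example.test", MiniDN(("o", "EXAMPLE.TEST")))
    return unguarded, guarded, krb.enable_ssl_guarded()


if __name__ == "__main__":
    for line in reproduce():
        print(line)
```

The unguarded path reproduces the reported TypeError mentioning NoneType, the guarded path names the unset attributes and the method that should have set them, and once setup() has run both paths produce the expected cn=...,o=... subject.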
This was caused by pushing my external-CA fixes along the finishing patches of PKINIT handling. I'll see what I can do about this.
Metadata Update from @stlaz: - Issue assigned to stlaz
Metadata Update from @frenaud: - Issue assigned to frenaud (was: stlaz)
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/754
Metadata Update from @stlaz: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1444896
Metadata Update from @pvoborni: - Issue priority set to: blocker - Issue set to the milestone: FreeIPA 4.5.1 - Issue tagged with: regression
ipa-4-5:
master:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)