#6921 ipa-server-install with external CA fails in issue_selfsigned_pkinit_certs
Closed: fixed 6 years ago Opened 6 years ago by frenaud.

The 2nd step of ipa-server-install with external CA fails while issuing a self-signed certificate for pkinit.

To reproduce:

  • run ipa-server-install --external-ca ...
    This step produces a /root/ipa.csr certificate request, that needs to be provided to a certificate authority in order to get a cert for IPA server.

  • run ipa-server-install --external-cert-file=ipa.cert --external-cert-file=ca.cert

The command fails with:

Done configuring the web interface (httpd).
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    must be str, unicode, tuple, Name, RDN or DN, got <type 'NoneType'> instead
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The log shows that the error happens in issue_selfsigned_pkinit_certs:

  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 494, in enable_ssl
    self.issue_selfsigned_pkinit_certs()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 442, in issue_selfsigned_pkinit_certs
    self._call_certmonger(certmonger_ca="SelfSign")
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 391, in _call_certmonger
    subject = str(DN(('cn', self.fqdn), self.subject_base))
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1107, in __init__
    self.rdns = self._rdns_from_sequence(args)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1148, in _rdns_from_sequence
    rdn = self._rdns_from_value(item)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1141, in _rdns_from_value
    % type(value))

2017-05-02T10:21:32Z DEBUG The ipa-server-install command failed, exception: TypeError: must be str, unicode, tuple, Name, RDN or DN, got <type 'NoneType'> instead

The issue is that the krb instance was initialized with self.fqdn = None (install.py calls krb = krbinstance.KrbInstance(fstore) where self.fqdn=None, then it calls krb.enable_ssl() which ends in self._call_certmonger() with self.fqdn still equal to None).
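
As an added illustration (not FreeIPA's ipapython.dn code), the snippet below models the subject construction from the traceback, DN(('cn', self.fqdn), self.subject_base), with RFC 4514 value escaping and an up-front check that names the missing component instead of failing with a bare TypeError deep inside the DN parser. The host name and subject base are constructed sample values.

```python
"""Constructed model of the failing step: build the pkinit certificate
subject from ('cn', fqdn) plus the subject base. This is not ipapython.dn;
it only mirrors the shape of the call seen in the traceback."""

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514 2.4).
SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(*parts):
    """Join RDN components given as (attr, value) tuples or as pre-built DN strings.

    Raises ValueError naming the offending component when a value is missing,
    so an uninitialised attribute (fqdn=None, as in this ticket) is reported
    at the call site rather than as a TypeError from the parser internals."""
    rdns = []
    for part in parts:
        if isinstance(part, str):
            if not part:
                raise ValueError("empty DN string component")
            rdns.append(part)
        elif isinstance(part, tuple) and len(part) == 2:
            attr, value = part
            if not isinstance(value, str) or not value:
                raise ValueError("RDN %r has no usable value (got %r)" % (attr, value))
            rdns.append("%s=%s" % (attr.upper(), escape_rdn_value(value)))
        else:
            raise TypeError("must be str or (attr, value) tuple, got %s"
                            % type(part).__name__)
    return ",".join(rdns)


def pkinit_subject(fqdn, subject_base):
    """Subject for the KDC's pkinit certificate: cn=<fqdn> under the subject base."""
    return build_dn(('cn', fqdn), subject_base)


if __name__ == "__main__":
    # Constructed sample values; the first call mirrors the bug (fqdn never set).
    for fqdn in (None, "ipa.example.test"):
        try:
            print(pkinit_subject(fqdn, "O=EXAMPLE.TEST"))
        except ValueError as err:
            print("refused:", err)
```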


This was caused by pushing my external-CA fixes along the finishing patches of PKINIT handling. I'll see what I can do about this.

Metadata Update from @stlaz:
- Issue assigned to stlaz

6 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud (was: stlaz)

6 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/754

6 years ago

Metadata Update from @stlaz:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1444896

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: regression

6 years ago

ipa-4-5:

  • 8107125 ipa-server-install with external CA: fix pkinit cert issuance

master:

  • a249230 ipa-server-install with external CA: fix pkinit cert issuance

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
