Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1455561
Description of problem:
During ipa-server-install on Fedora 27, RA certificate can't be obtained from CA and the installation fails with CA_UNREACHABLE error.

Version-Release number of selected component (if applicable):
freeipa-4.5.1-1.fc27

How reproducible:
deterministic

Steps to Reproduce:
1. ipa-server-install

Actual results:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: exporting Dogtag certificate store pin
  [3/29]: stopping certificate server instance to update CS.cfg
  [4/29]: backing up CS.cfg
  [5/29]: disabling nonces
  [6/29]: set up CRL publishing
  [7/29]: enable PKIX certificate path discovery and validation
  [8/29]: starting certificate server instance
  [9/29]: configure certmonger for renewals
  [10/29]: requesting RA certificate from CA
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Certificate issuance failed (CA_UNREACHABLE)

Expected results:
IPA server installs without errors.

Additional info:
$ journalctl -u certmonger
certmonger[26286]: 2017-05-25 14:21:16 [26286] Error 58 connecting to https://vm.example.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
Investigation by Flo: The CA helper dogtag-ipa-ca-renew-agent is using libcurl with an NSS db to provide the agent certificate, but in rawhide curl is built against OpenSSL instead of NSS. Because of this, the curl commands using an NSS db will fail:
$ curl -V
curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 OpenSSL/1.1.0f zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.23.1
Release-Date: 2017-06-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL
In Fedora 26, curl is built against NSS:
$ curl -V
curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.29.3 zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.21.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy Metalink PSL
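A preflight check that tells the two builds apart by parsing the first line of `curl -V` and reporting whether the TLS backend can read a client certificate out of an NSS database, as an added example that is not part of the ticket or of FreeIPA's own code. The two banner lines are the ones quoted above; the set of backend names is assumed from what libcurl builds print in that line.

```python
import subprocess

# Constructed samples: the first lines of the two "curl -V" outputs quoted
# in this ticket (rawhide/Fedora 27 with OpenSSL, Fedora 26 with NSS).
CURL_V_F27 = (
    "curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 OpenSSL/1.1.0f "
    "zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 "
    "nghttp2/1.23.1\nRelease-Date: 2017-06-14\n"
)
CURL_V_F26 = (
    "curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.29.3 "
    "zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 "
    "nghttp2/1.21.1\n"
)

# TLS backend names as they appear in the "curl -V" banner (assumed list).
# Only an NSS-backed libcurl can load a client cert by nickname from an NSS db,
# which is what dogtag-ipa-ca-renew-agent relies on for the agent certificate.
TLS_BACKENDS = {
    "NSS", "OpenSSL", "LibreSSL", "BoringSSL", "GnuTLS", "wolfSSL",
    "mbedTLS", "Schannel", "SecureTransport",
}


def tls_backends(curl_v_output):
    """Return [(backend, version), ...] found on the first line of `curl -V`.

    A backend token looks like "OpenSSL/1.1.0f" or "NSS/3.29.3"; a token
    without "/version" (some Windows/macOS builds) is reported with version "".
    MultiSSL builds list several backends, so a list is returned.
    """
    lines = curl_v_output.splitlines()
    if not lines:
        return []
    found = []
    for token in lines[0].split():
        name, _, version = token.partition("/")
        if name in TLS_BACKENDS:
            found.append((name, version))
    return found


def nss_db_client_cert_supported(curl_v_output):
    """True when libcurl can present a client cert stored in an NSS database."""
    return any(name == "NSS" for name, _ in tls_backends(curl_v_output))


def check_local_curl():
    """Run `curl -V` on this host and return (backends, nss_db_ok)."""
    out = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=True).stdout
    return tls_backends(out), nss_db_client_cert_supported(out)
```

Run `check_local_curl()` before `ipa-server-install` on a build you are unsure about; a result of `nss_db_ok == False` is the condition that produces the "Problem with the local SSL certificate" error seen in the certmonger journal above.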
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1455561
Metadata Update from @pvoborni: - Issue priority set to: blocker
master:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)