Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1515314
Description of problem: Repeated prompting for a PIN during ipa-replica-install

No keys are set on the private keys, but no value is accepted, and even if a PIN is set the installer just rolls back.

We successfully stood up the master node without any issues. We are attempting to set up our first replica, and we noticed that during the ipa-replica-install process the installer is asking for a PIN for the private key. The keys provided do not have any passwords/PINs on them. The certificates provided for the master also do not have a PIN for the private key, and the installer did ask; however, simply hitting enter allowed us to proceed to the next step. That doesn't seem to be the same with ipa-replica-install. Eventually, if you enter anything, it rolls back the install.

Just for testing we did add a password to the private key and retried, but this did not seem to have an effect on the installer process. Even with a password on the key, when we entered it, it simply rolled back.

Version-Release number of selected component (if applicable):

How reproducible:
ipa-server-4.5.0-21.el7

Steps to Reproduce:
1. Deploy a CA-less IdM configuration with a master node
2. Attempt to stand up a replica (ipa-replica-install) with http and dirsrv certificates for the replica

Actual results:

[root@cbscclrv0885l certs]# ipa-replica-install --setup-dns --auto-forwarders --dirsrv-cert-file cbscclrv0885l.crt --dirsrv-cert-file cbscclrv0885l-2.key --http-cert-file cbscclrv0885l.crt --http-cert-file cbscclrv0885l-2.key --no-pkinit --principal admin --admin-password 'IdM@XXXX2017'
Configuring client side components
Discovery was successful!
Client hostname: cbscclrv0885l.nix.tm.XXXX.com
Realm: NIX.TM.XXXX.COM
DNS Domain: nix.tm.XXXX.com
IPA Server: cbscclrv0884l.nix.tm.XXXX.com
BaseDN: dc=nix,dc=tm,dc=XXXX,dc=com
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
    Issuer:      CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
    Valid From:  2006-11-08 00:00:00
    Valid Until: 2036-07-16 23:59:59

    Subject:     CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
    Issuer:      CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
    Valid From:  2013-10-31 00:00:00
    Valid Until: 2023-10-30 23:59:59

Enrolled in IPA realm NIX.TM.XXXX.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm NIX.TM.XXXX.COM
trying https://cbscclrv0884l.nix.tm.XXXX.com/ipa/json
[try 1]: Forwarding 'ping' to json server 'https://cbscclrv0884l.nix.tm.XXXX.com/ipa/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://cbscclrv0884l.nix.tm.XXXX.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://cbscclrv0884l.nix.tm.XXXX.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring nix.tm.XXXX.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Enter Apache Server private key unlock password:
Removing client side components
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The full certificate chain is not present in cbscclrv0885l.crt, cbscclrv0885l.key
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

---- LOG ----

2017-11-19T02:46:12Z DEBUG stderr=
2017-11-19T02:46:12Z DEBUG Starting external process
2017-11-19T02:46:12Z DEBUG args=/usr/sbin/ipa-client-install --unattended --uninstall
2017-11-19T02:46:15Z DEBUG Process finished, return code=0
2017-11-19T02:46:15Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 366, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 375, in validate
    for _nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 458, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 636, in _configure
    next(validator)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 458, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 613, in main
    replica_promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 408, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1043, in promote_check
    host_name=config.host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1059, in load_pkcs12
    (", ".join(cert_files)))

2017-11-19T02:46:15Z DEBUG The ipa-replica-install command failed, exception: ScriptError: The full certificate chain is not present in cbscclrv0885l.crt, cbscclrv0885l.key
2017-11-19T02:46:15Z ERROR The full certificate chain is not present in cbscclrv0885l.crt, cbscclrv0885l.key
2017-11-19T02:46:15Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Expected results:
Installation proceeds with no PIN as no PINs are on the keys. Installation

Additional info:
Client Case: https://access.redhat.com/support/cases/#/case/01977104

Same bug for ipa-server-install.
https://bugzilla.redhat.com/show_bug.cgi?id=1360769
https://pagure.io/freeipa/issue/6032
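An added pre-flight check, written for this ticket and not part of it or of FreeIPA's own code: it inspects the PEM files handed to --dirsrv-cert-file / --http-cert-file for the two conditions the report runs into, a certificate file that carries only the leaf rather than the full chain (the load_pkcs12 error in the log), and a private key that is encrypted and would therefore make the installer prompt for a PIN. The PEM bodies below are constructed placeholders, not real certificates or keys.

```python
import re

# Constructed sample input: a cert file holding only the leaf certificate, and a
# legacy-format PEM key that carries a passphrase (placeholder bodies, not real).
SAMPLE_CRT = """-----BEGIN CERTIFICATE-----
MIIBfakeLeafCertBodyBase64==
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0011223344556677

fakeEncryptedKeyBodyBase64==
-----END RSA PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, body) pairs for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(label, body):
    """PKCS#8 encrypted keys use their own label; legacy PEM keys carry a Proc-Type header."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def preflight(crt_text, key_text):
    """Flag the two conditions from this ticket before ipa-replica-install is run."""
    certs = [b for b in pem_blocks(crt_text) if b[0] == "CERTIFICATE"]
    keys = [b for b in pem_blocks(key_text) if b[0].endswith("PRIVATE KEY")]
    encrypted = any(key_is_encrypted(*k) for k in keys)
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block found in the certificate file")
    elif len(certs) < 2:
        # The installer (load_pkcs12) wants the chain up to a CA it trusts; a lone
        # leaf is what produces "The full certificate chain is not present".
        problems.append("certificate file holds only the leaf; append the issuing CA chain")
    if not keys:
        problems.append("no PRIVATE KEY block found in the key file")
    elif encrypted:
        # An encrypted key is what makes the installer ask for a PIN; supply it
        # with --dirsrv-pin / --http-pin or strip the passphrase beforehand.
        problems.append("private key is encrypted; the installer will prompt for its PIN")
    return {"cert_count": len(certs), "key_encrypted": encrypted, "problems": problems}
```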
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1515314
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @pvoborni: - Issue priority set to: normal - Issue tagged with: bug
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1315
master:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-6: