Trying to install on Ubuntu 18.04 LTS Bionic Beaver. Applied the fix to Bug #1765616 -- installed tomcat8 (8.5.30-1ubuntu1.2) from ppa:freeipa/ppa to proceed further with the installation.
Still unable to complete the installation, as Apache dies on startup during install.
$ ipa-server-install --setup-dns
^ Install fails on starting Apache
$ cat /var/log/apache2/error.log
Excerpt: ... AH02580: Init: Pass phrase incorrect for key ...
Full text:
[Thu May 03 18:25:24.301795 2018] [mpm_event:notice] [pid 1591:tid 140073085791168] AH00491: caught SIGTERM, shutting down
[Thu May 03 18:25:30.948992 2018] [ssl:emerg] [pid 11262:tid 140405782162368] AH02580: Init: Pass phrase incorrect for key hostfqdn:443:0
[Thu May 03 18:25:30.949087 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu May 03 18:25:30.949105 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Thu May 03 18:25:30.949119 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu May 03 18:25:30.949134 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSA)
[Thu May 03 18:25:30.949148 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Thu May 03 18:25:30.949182 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu May 03 18:25:30.949196 2018] [ssl:emerg] [pid 11262:tid 140405782162368] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Thu May 03 18:25:30.949207 2018] [ssl:emerg] [pid 11262:tid 140405782162368] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
[Thu May 03 18:25:30.949215 2018] [ssl:emerg] [pid 11262:tid 140405782162368] AH02564: Failed to configure encrypted (?) private key hostfqdn:443:0, check /var/lib/ipa/private/httpd.key
AH00016: Configuration Failed
After the installation fails, tried the following:
$ service apache2 start
^ Apache fails to start again with the same error
$ cat /var/lib/ipa/passwds/hostnamefqdn-443-RSA
^ Here, copy the displayed password string.
Paste the displayed password string from the above file when prompted:
$ openssl rsa -in /var/lib/ipa/private/httpd.key -out /tmp/httpd.key.nopass
Back up and replace the httpd key file with one without a password:
$ mv /var/lib/ipa/private/httpd.key /var/lib/ipa/private/httpd.key.pass
$ mv /tmp/httpd.key.nopass /var/lib/ipa/private/httpd.key
Try starting Apache again:
$ service apache2 start
^^^ This succeeds, meaning that Apache starts up fine when the key is not encrypted
The install process fails and terminates
The install process completes successfully
$ apt-cache madison freeipa-server freeipa-client 389-ds-base pki-ca apache2
freeipa-server | 4.7.0~pre1+git20180411-2ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
freeipa-client | 4.7.0~pre1+git20180411-2ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
389-ds-base | 1.3.7.10-1ubuntu1 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
pki-ca | 10.6.0-1ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
pki-ca | 10.6.0-1ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe i386 Packages
apache2 | 2.4.29-1ubuntu4.1 | http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
apache2 | 2.4.29-1ubuntu4.1 | http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
apache2 | 2.4.29-1ubuntu4 | http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
Do you have SSLPassPhraseDialog exec:/usr/libexec/ipa/ipa-httpd-pwdreader in ssl.conf?
Is it executable? What happens if you run it manually like:
bash -x /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA
Thanks for getting back to us on this issue.
The bug was reproducible all day on multiple install attempts on the day of the bug submission. Sadly, I performed an ipa-server-install --uninstall after submitting the bug.
I was just able to reinstall freeipa again three times without an incident with no other changes to the environment. To me, this suggests that the issue is perhaps related to the contents of the randomly generated file /var/lib/ipa/passwds/hostnamefqdn-443-RSA and the way they are handled/passed on to Apache.
Apologies for not having preserved the specifics, this might be a hard bug to trace.
Same issue reported here at Ubuntu Launchpad
Metadata Update from @slaykovsky: - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @slaykovsky: - Issue set to the milestone: FreeIPA 4.7 backlog (was: FreeIPA 4.7)
The bug here is that ipa-httpd-pwdreader assumes $HOSTNAME is FQDN
Hello, I am hitting the same problem on Fedora 28 (and Rawhide).
error_log:
[Thu Jun 14 16:07:20.327806 2018] [core:notice] [pid 8725:tid 139880532003072] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Jun 14 16:07:20.328588 2018] [suexec:notice] [pid 8725:tid 139880532003072] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jun 14 16:07:20.331535 2018] [ssl:emerg] [pid 8725:tid 139880532003072] AH02580: Init: Pass phrase incorrect for key ipa.example.com:443:0
[Thu Jun 14 16:07:20.331559 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu Jun 14 16:07:20.331568 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Thu Jun 14 16:07:20.331573 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu Jun 14 16:07:20.331580 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSA)
[Thu Jun 14 16:07:20.331586 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Thu Jun 14 16:07:20.331592 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Thu Jun 14 16:07:20.331597 2018] [ssl:emerg] [pid 8725:tid 139880532003072] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Thu Jun 14 16:07:20.331603 2018] [ssl:emerg] [pid 8725:tid 139880532003072] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/error_log for more information
[Thu Jun 14 16:07:20.331606 2018] [ssl:emerg] [pid 8725:tid 139880532003072] AH02564: Failed to configure encrypted (?) private key ipa.example.com:443:0, check /var/lib/ipa/private/httpd.key
AH00016: Configuration Failed
ipaserver_install.log:
2018-06-14T14:07:20Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xe" for details.\n')
2018-06-14T14:07:20Z ERROR CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xe" for details.\n')
2018-06-14T14:07:20Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The issue was also seen on Fedora 28: [BZ 1591703] (https://bugzilla.redhat.com/show_bug.cgi?id=1591703) and happened because of the host name, which was not an FQDN. Does /etc/hosts contain an entry for the host? Does /etc/hostname contain the fully qualified domain name? Does hostname return the FQDN?
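The two diagnoses above (the pass-phrase reader assuming $HOSTNAME is an FQDN, and the host name not being fully qualified) describe the same failure mode: the reader looks for /var/lib/ipa/passwds/<name>-443-RSA under the wrong name, prints nothing, and mod_ssl then tries to decrypt httpd.key with an empty pass phrase, which produces the "Pass phrase incorrect" and ASN.1 "wrong tag" errors shown in the logs. The script below is an added illustration of how a defensively written reader for Apache's SSLPassPhraseDialog exec: hook can avoid that trap; it is not FreeIPA's ipa-httpd-pwdreader and not the fix from PR 2303. It assumes only what the thread shows: mod_ssl invokes the program as "<servername>:<port>[:<index>] <keytype>" (the "hostfqdn:443:0" / "$HOSTNAME:443 RSA" forms above) and the pass-phrase files are named "<fqdn>-<port>-<keytype>" in /var/lib/ipa/passwds. The function name read_key_passphrase and the PASSWD_DIR override are inventions for the example. Rather than consulting $HOSTNAME at all, it takes the server name Apache hands it, refuses a name that is not fully qualified, and fails closed (non-zero exit, empty stdout) whenever the expected file is missing, so the operator sees a clear message in error_log instead of an opaque decryption failure.

```shell
#!/bin/sh
# Added example: a fail-closed pass-phrase reader for Apache's
#   SSLPassPhraseDialog exec:/path/to/this-script
# Apache calls it as:  <servername>:<port>[:<index>] <RSA|DSA|ECC>
# and reads the pass phrase from stdout.
# Assumption (for the example): pass-phrase files live in PASSWD_DIR and are
# named "<fqdn>-<port>-<keytype>", matching /var/lib/ipa/passwds/<fqdn>-443-RSA
# from the thread. PASSWD_DIR may be overridden from the environment for testing.
PASSWD_DIR="${PASSWD_DIR:-/var/lib/ipa/passwds}"

# read_key_passphrase "<servername>:<port>[:<index>]" "<keytype>"
# Prints the stored pass phrase on success; prints nothing and returns
# non-zero on any problem, so mod_ssl never receives a guessed or empty value.
read_key_passphrase() {
    spec="$1"
    keytype="$2"
    if [ -z "$spec" ] || [ -z "$keytype" ]; then
        echo "usage: read_key_passphrase <host:port[:index]> <keytype>" >&2
        return 2
    fi

    # Use the server name Apache supplied, not $HOSTNAME, which may be short.
    host="${spec%%:*}"     # text before the first ':'
    rest="${spec#*:}"      # "443" or "443:0"
    port="${rest%%:*}"     # drop the optional ":<index>" suffix

    # A bare host name would look up the wrong file; refuse it explicitly.
    case "$host" in
        *.*) ;;
        *) echo "server name '$host' is not fully qualified" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port '$port' in '$spec'" >&2; return 1 ;;
    esac
    case "$keytype" in
        RSA|DSA|ECC) ;;
        *) echo "unexpected key type '$keytype'" >&2; return 1 ;;
    esac

    file="$PASSWD_DIR/$host-$port-$keytype"
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "pass-phrase file '$file' missing or unreadable" >&2
        return 1
    fi
    # Emit exactly the stored pass phrase (mod_ssl reads stdout up to newline).
    cat "$file"
}

# When run as Apache's dialog program, forward the two arguments it passes.
if [ "$#" -eq 2 ]; then
    read_key_passphrase "$@"
fi
```

With this in place, a host whose name is not fully qualified fails at start-up with "server name 'ipa' is not fully qualified" in error_log, which points directly at the /etc/hostname and /etc/hosts checks suggested above instead of at the key file.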
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1591703
Issue linked to Bugzilla: Bug 1591703
Metadata Update from @rcritten: - Issue priority set to: important - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7 backlog)
Metadata Update from @rcritten: - Issue assigned to rcritten
https://github.com/freeipa/freeipa/pull/2303
master:
ipa-4-7:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)