#7945 Unattended ipa-client-install with bad user yields certificate red herring
Closed: wontfix 4 years ago by pcech. Opened 4 years ago by johnkeates.

Issue

Unattended ipa-client-install with get_ca_certs_from_ldap() error yields errors pointing to certificate issues and only one instance of the actual issue (cannot access LDAP to get the CA cert). This sometimes happens when the account is expired, instead of the expiration error from #7944. It always happens with an unreachable LDAP server or user with no read privileges.

Steps to Reproduce

  1. Expire the password on the unattended install IPA user
  2. Issue an unattended install
  3. Install fails with nondescript ScriptError

Actual behavior

Fails with messages pointing to a certificate issue (technically correct)

Expected behavior

Fail with a message pointing to the inability to fetch the certificate from LDAP

Version/Release/Distribution

ipa-client-4.6.4-10.el7.centos.3.x86_64

Additional info:

2019-05-13T17:11:22Z DEBUG Initializing principal host_enrollment_user@server.ipa.com using password
2019-05-13T17:11:22Z DEBUG Starting external process
2019-05-13T17:11:22Z DEBUG args=/usr/bin/kinit host_enrollment_user@server.ipa.com -c /tmp/krbccghh5N0/ccache
2019-05-13T17:11:22Z DEBUG Process finished, return code=0
2019-05-13T17:11:22Z DEBUG stdout=Password for host_enrollment_user@server.ipa.com: 

2019-05-13T17:11:22Z DEBUG stderr=
2019-05-13T17:11:22Z DEBUG trying to retrieve CA cert via LDAP from ip-10-201-8-247.server.ipa.com
2019-05-13T17:11:22Z DEBUG get_ca_certs_from_ldap() error: Insufficient access: 
2019-05-13T17:11:22Z DEBUG Insufficient access: 
2019-05-13T17:11:22Z ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
2019-05-13T17:11:22Z ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
2019-05-13T17:11:22Z ERROR Installation failed. Rolling back changes.
2019-05-13T17:11:22Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-13T17:11:22Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-05-13T17:11:22Z DEBUG Starting external process
2019-05-13T17:11:22Z DEBUG args=ipa-client-automount --uninstall --debug
2019-05-13T17:11:23Z DEBUG Process finished, return code=1
2019-05-13T17:11:23Z DEBUG stdout=
2019-05-13T17:11:23Z DEBUG stderr=IPA client is not configured on this system

2019-05-13T17:11:23Z ERROR Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
2019-05-13T17:11:23Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-13T17:11:23Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-05-13T17:11:23Z DEBUG Starting external process
2019-05-13T17:11:23Z DEBUG args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n Local IPA host -a -f /etc/ipa/nssdb/pwdfile.txt
2019-05-13T17:11:23Z DEBUG Process finished, return code=255
2019-05-13T17:11:23Z DEBUG stdout=
2019-05-13T17:11:23Z DEBUG stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

2019-05-13T17:11:23Z DEBUG Starting external process
2019-05-13T17:11:23Z DEBUG args=/usr/bin/certutil -d sql:/etc/pki/nssdb -L -n IPA Machine Certificate - i-09ff3c53a5b1dbeca-ip-10-203-24-210.ipa-clients.ipa.co -a -f /etc/pki/nssdb/pwdfile.txt
2019-05-13T17:11:23Z DEBUG Process finished, return code=255
2019-05-13T17:11:23Z DEBUG stdout=
2019-05-13T17:11:23Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - i-09ff3c53a5b1dbeca-ip-10-203-24-210.ipa-clients.ipa.co
: PR_FILE_NOT_FOUND_ERROR: File not found
2019-05-13T17:11:25Z INFO Client uninstall complete.
2019-05-13T17:11:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
    return self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3632, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2353, in install
    _install(options)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2560, in _install
    raise ScriptError(rval=CLIENT_INSTALL_ERROR)

2019-05-13T17:11:25Z DEBUG The ipa-client-install command failed, exception: ScriptError: 
2019-05-13T17:11:25Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
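
A small triage helper for a log of this shape, added here as an example and not part of FreeIPA or this ticket: it pulls the DEBUG-level get_ca_certs_from_ldap() message out as the root cause and buckets everything logged after "Rolling back changes" as cleanup noise, so the later certificate errors stop reading as the fault. The sample lines are constructed from the excerpt above with hostnames replaced.

```python
"""Triage an ipaclient-install.log excerpt: surface the root cause of a failed
CA-cert fetch and separate rollback-phase cleanup errors from it. Added example,
not FreeIPA's code; the sample lines are constructed from the ticket's excerpt."""
import re

# Constructed from the ticket's log; hostnames replaced with example names.
SAMPLE_LOG = """\
2019-05-13T17:11:22Z DEBUG trying to retrieve CA cert via LDAP from ipa.example.test
2019-05-13T17:11:22Z DEBUG get_ca_certs_from_ldap() error: Insufficient access:
2019-05-13T17:11:22Z ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
2019-05-13T17:11:22Z ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
2019-05-13T17:11:22Z ERROR Installation failed. Rolling back changes.
2019-05-13T17:11:23Z ERROR Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
2019-05-13T17:11:23Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - host.example.test
2019-05-13T17:11:25Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
"""

LINE_RE = re.compile(r"^(\S+Z) (DEBUG|INFO|WARNING|ERROR) (.*)$")
# The LDAP failure is logged at DEBUG, so grepping for ERROR alone misses it.
ROOT_CAUSE_RE = re.compile(r"get_ca_certs_from_ldap\(\) error: (.*)")
ROLLBACK_START = "Installation failed. Rolling back changes."

def triage(log_text: str) -> dict:
    """Bucket lines into root causes, pre-rollback errors, and rollback noise."""
    result = {"root_cause": [], "errors": [], "rollback_noise": []}
    in_rollback = False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # wrapped continuation lines carry no timestamp/level
        _, level, msg = m.groups()
        rc = ROOT_CAUSE_RE.search(msg)
        if rc:
            result["root_cause"].append(rc.group(1).strip().rstrip(":"))
        if ROLLBACK_START in msg:
            in_rollback = True
            continue
        if msg.startswith("The ipa-client-install command failed"):
            continue  # final summary; adds nothing the buckets do not say
        if level == "ERROR" or "certutil:" in msg:
            bucket = "rollback_noise" if in_rollback else "errors"
            result[bucket].append(msg)
    return result

if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {lines}")
```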

The correct message is buried in there:

get_ca_certs_from_ldap() error: Insufficient access:

The issue you see is that during the rollback there is no certificate to clean up, so an error is reported. What would you suggest, adding an additional entry that "this can be ignored"?

Metadata Update from @pcech:
- Custom field affects_doc adjusted to on
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago
