Unattended ipa-client-install with get_ca_certs_from_ldap() error yields errors pointing to certificate issues and only one instance of the actual issue (cannot access LDAP to get the CA cert). This sometimes happens when the account is expired, instead of the expiration error from #7944. It always happens with an unreachable LDAP server or user with no read privileges.
ScriptError
Fails with messages pointing to a certificate issue (technically correct)
Fail with a message pointing to the inability to fetch the certificate from LDAP
ipa-client-4.6.4-10.el7.centos.3.x86_64
2019-05-13T17:11:22Z DEBUG Initializing principal host_enrollment_user@server.ipa.com using password
2019-05-13T17:11:22Z DEBUG Starting external process
2019-05-13T17:11:22Z DEBUG args=/usr/bin/kinit host_enrollment_user@server.ipa.com -c /tmp/krbccghh5N0/ccache
2019-05-13T17:11:22Z DEBUG Process finished, return code=0
2019-05-13T17:11:22Z DEBUG stdout=Password for host_enrollment_user@server.ipa.com:
2019-05-13T17:11:22Z DEBUG stderr=
2019-05-13T17:11:22Z DEBUG trying to retrieve CA cert via LDAP from ip-10-201-8-247.server.ipa.com
2019-05-13T17:11:22Z DEBUG get_ca_certs_from_ldap() error: Insufficient access:
2019-05-13T17:11:22Z DEBUG Insufficient access:
2019-05-13T17:11:22Z ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file You must specify --force to retrieve the CA cert using HTTP
2019-05-13T17:11:22Z ERROR Cannot obtain CA certificate HTTP certificate download requires --force
2019-05-13T17:11:22Z ERROR Installation failed. Rolling back changes.
2019-05-13T17:11:22Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-13T17:11:22Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-05-13T17:11:22Z DEBUG Starting external process
2019-05-13T17:11:22Z DEBUG args=ipa-client-automount --uninstall --debug
2019-05-13T17:11:23Z DEBUG Process finished, return code=1
2019-05-13T17:11:23Z DEBUG stdout=
2019-05-13T17:11:23Z DEBUG stderr=IPA client is not configured on this system
2019-05-13T17:11:23Z ERROR Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
2019-05-13T17:11:23Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-13T17:11:23Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-05-13T17:11:23Z DEBUG Starting external process
2019-05-13T17:11:23Z DEBUG args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n Local IPA host -a -f /etc/ipa/nssdb/pwdfile.txt
2019-05-13T17:11:23Z DEBUG Process finished, return code=255
2019-05-13T17:11:23Z DEBUG stdout=
2019-05-13T17:11:23Z DEBUG stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
2019-05-13T17:11:23Z DEBUG Starting external process
2019-05-13T17:11:23Z DEBUG args=/usr/bin/certutil -d sql:/etc/pki/nssdb -L -n IPA Machine Certificate - i-09ff3c53a5b1dbeca-ip-10-203-24-210.ipa-clients.ipa.co -a -f /etc/pki/nssdb/pwdfile.txt
2019-05-13T17:11:23Z DEBUG Process finished, return code=255
2019-05-13T17:11:23Z DEBUG stdout=
2019-05-13T17:11:23Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - i-09ff3c53a5b1dbeca-ip-10-203-24-210.ipa-clients.ipa.co : PR_FILE_NOT_FOUND_ERROR: File not found
2019-05-13T17:11:25Z INFO Client uninstall complete.
2019-05-13T17:11:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
    return self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 389, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3632, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2353, in install
    _install(options)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2560, in _install
    raise ScriptError(rval=CLIENT_INSTALL_ERROR)
2019-05-13T17:11:25Z DEBUG The ipa-client-install command failed, exception: ScriptError:
2019-05-13T17:11:25Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
The correct message is buried in there:
get_ca_certs_from_ldap() error: Insufficient access:
The issue you see is that during the rollback there is no certificate to clean up, so an error is reported. What would you suggest, adding an additional entry that "this can be ignored"?
Metadata Update from @pcech:
- Custom field affects_doc adjusted to on
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)
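One way to surface the first failure in ipaclient-install.log and keep it apart from the rollback errors discussed in this ticket, as an added example that is not part of the ticket or of FreeIPA's code. The helper names (split_entries, triage) are hypothetical, the list of log levels is an assumption, and SAMPLE is an abridged excerpt of the log posted above.

```python
import re

# Entries start with a UTC timestamp and a level (level list is an assumption).
ENTRY = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (DEBUG|INFO|WARNING|ERROR|CRITICAL) ")
ROLLBACK = "Installation failed. Rolling back changes."

# Abridged excerpt of the log posted in this ticket.
SAMPLE = """\
2019-05-13T17:11:22Z DEBUG trying to retrieve CA cert via LDAP from ip-10-201-8-247.server.ipa.com
2019-05-13T17:11:22Z DEBUG get_ca_certs_from_ldap() error: Insufficient access:
2019-05-13T17:11:22Z DEBUG Insufficient access:
2019-05-13T17:11:22Z ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file You must specify --force to retrieve the CA cert using HTTP
2019-05-13T17:11:22Z ERROR Cannot obtain CA certificate HTTP certificate download requires --force
2019-05-13T17:11:22Z ERROR Installation failed. Rolling back changes.
2019-05-13T17:11:23Z DEBUG stderr=IPA client is not configured on this system
2019-05-13T17:11:23Z ERROR Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
2019-05-13T17:11:25Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
"""


def split_entries(text):
    """Split log text into (timestamp, level, message) tuples.

    Splitting on the timestamp keeps tracebacks and other continuation
    lines attached to their entry, and also works when the log has been
    flattened onto one line."""
    parts = ENTRY.split(text)  # [preamble, ts, level, msg, ts, level, msg, ...]
    return [(parts[i], parts[i + 1], " ".join(parts[i + 2].split()))
            for i in range(1, len(parts), 3)]


def triage(text):
    """Separate failures logged before the rollback from rollback errors."""
    entries = split_entries(text)
    cut = next((n for n, e in enumerate(entries) if ROLLBACK in e[2]),
               len(entries))
    # Before rollback: ERROR entries plus DEBUG entries that report an error.
    failures = [e for e in entries[:cut]
                if e[1] == "ERROR" or re.search(r"\berror:", e[2])]
    # After the marker: errors raised while cleaning up a client that was
    # never configured.
    noise = [e for e in entries[cut + 1:] if e[1] == "ERROR"]
    return {"root_cause": failures[0] if failures else None,
            "pre_rollback": failures, "rollback_noise": noise}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("root cause:", result["root_cause"])
    for _ts, _level, msg in result["rollback_noise"]:
        print("rollback noise:", msg)
```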