#8141 Update nss dependency in the ipa-server rpm
Closed: fixed 2 years ago by frenaud. Opened 4 years ago by mmorrone.

Issue

The nss rpm dependency for ipa-server-4.6.5-11.el7.centos.3.x86_64.rpm is out of date. rpm -q ipa-server --requires returns nss >= 3.14.3-12.0 but yum deplist ip-server shows a new version of nss is required.

dependency: libnss3.so()(64bit)
 provider: nss.x86_64 3.44.0-4.el7

If ipa-server is installed without updating nss, the command ipa-server-install fails with a timeout waiting for the CA to start. This is also detailed at https://access.redhat.com/solutions/4350171

Steps to Reproduce

  1. On a system with nss < 3.44.0-4, install ipa-server.
  2. Run ipa-server-install.
    umask 0022 && ipa-server-install --unattended --domain=my.domain --realm=MY.DOMAIN --idstart=5000 --setup-dns --forwarder=8.8.8.8 --auto-reverse --hostname=ipa.my.domain --ip-address=10.255.173.160 --ds-password='d1r3ct0ry=P@ssw0r!' --admin-password='ipA=@dm1n=P@ssw0r!'

Actual behavior

Times out waiting of the the CA to start.

    [28/29]: adding 'ipa' CA entry
    [29/29]: configuring certmonger renewal for lightweight CAs
  Done configuring certificate server (pki-tomcatd).
  Configuring directory server (dirsrv)
    [1/3]: configuring TLS for DS instance
    [2/3]: adding CA certificate entry
    [3/3]: restarting directory server
  Done configuring directory server (dirsrv).
  ipapython.admintool: ERROR    CA did not start in 300.0s
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected behavior

Installation completes.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.5-11.el7.centos.3.x86_64
ipa-client-4.6.5-11.el7.centos.3.x86_64
389-ds-base-1.3.9.1-12.el7_7.x86_64
pki-ca-10.5.16-5.el7_7.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64
nss-3.36.0-7.1.el7_6.x86_64

Additional info:

Any additional information, configuration, data or log snippets that is needed for reproduction or investigation of the issue.

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting


Thanks for the ticket. We don't maintain the CentOS tickets. Please report the issue on the CentOS bug tracker https://bugs.centos.org/.

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1754902

4 years ago

master:
- 5ef2d71 freeipa.spec.in: unify spec files across upstream RHEL, and Fedora

ipa-4-9:
- 4b56a4c freeipa.spec.in: unify spec files across upstream RHEL, and Fedora

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata