#8145 DEBUG The ipa-client-install command failed, exception: ScriptError:
Closed: worksforme 4 years ago by tobiasv. Opened 4 years ago by tobiasv.

Issue

When running ipa-client-install, the installer fails whenever it checks the CA certificate.

I've installed two different instances of the ipa server, one with a dogtag CA, and one CA-less with a certificate I already had - it doesn't seem to make a difference to the ipa-client-install.

All IPs are statically configured, and the only DNS records available are A records for the FQDN of the IPA server and the FQDN of the clients.

Steps to Reproduce

  1. Run ipa-server-install as a CA-less install, or run it with dogtag CA, choose not to set up DNS and proceed with a normal installation - open all the relevant ports in the firewall, or disable the firewall completely.
  2. On a different host, place the relevant ca.crt file in /etc/ipa/ca.crt
  3. Provide the domain name of the IPA server (matching the DNS A record)
  4. Provide the hostname of the IPA server (matching the DNS A record)

Alternatively:

  1. Run ipa-server-install as a CA-less install, or run it with dogtag CA, choose not to set up DNS and proceed with a normal installation - open all the relevant ports in the firewall, or disable the firewall completely.
  2. Provide the domain name of the IPA server (matching the DNS A record)
  3. Provide the hostname of the IPA server (matching the DNS A record)
  4. Receive warning about failure of autodiscover and proceed with fixed values
  5. Press yes to continue to configure the system with these values
  6. Supply the username admin
  7. Supply the password used during the server install for the admin user
  8. Receive an error about being unable to download CA cert from LDAP and say yes to download it from http

Actual behavior

If following the first set of instructions, you will receive the following output:
Skip ipahost: cannot verify if this is an IPA server
Failed to verify that ipahost is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)

If following the second set of instructions, you will receive the following output:
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: Problem with the SSL CA cert (path? access rights?)

Installation failed. Rolling back changes.

Expected behavior

I expect the installer to finish.

Version/Release/Distribution

Server:
CentOS 7.7.1908
ipa-server-4.6.5-11.el7.centos.x86_64
ipa-client-4.6.5-11.el7.centos.x86_64
389-ds-base-1.3.9.1-10.el7.x86_64
pki-ca-10.5.16-3.el7.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64
Kernel 5.2.20-1.el7.cp
Client:
CentOS 7.7.1908
ipa-client-4.6.5-11.el7.centos.x86_64
Kernel 5.2.20-1.el7.cp

Additional info:

While the output I receive is very different with the two different approaches, the log files both have an unnamed ScriptError.
With certificate in place:

2019-12-11T08:37:36Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 358, in run
self.validate()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in validate
for _nothing in self._validator():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 633, in _configure
next(validator)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3668, in main
install_check(self)
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2270, in install_check
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
2019-12-11T08:37:36Z DEBUG The ipa-client-install command failed, exception: ScriptError:

Without certificate in place:

2019-12-11T08:51:13Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3670, in main
install(self)
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2391, in install
_install(options)
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2613, in _install
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
2019-12-11T08:51:13Z DEBUG The ipa-client-install command failed, exception: ScriptError:


I initially tried this with a Fedora client (and a CentOS8 client) as well; I will provide version numbers for the Fedora test, but it resulted in the same error.

The ScriptError is raised because the attempt to get the chain failed; it isn't the root of the problem. Can you provide a full /var/log/ipa-client-install.log?

I resolved this by adding some additional DNS records.

Metadata Update from @tobiasv:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

4 years ago
