#8634 Install of CA fails on CentOS 8 Stream with pki-core 10.9
Closed: fixed 5 months ago by frenaud. Opened 6 months ago by abbra.

pki-core 10.9 uses a different location to store the LDAP schema for the ACME service. As a result, FreeIPA 4.9.0 fails while provisioning the LDAP schema for ACME:

  [24/28]: importing IPA certificate profiles
  [25/28]: adding default CA ACL
  [26/28]: adding 'ipa' CA entry
  [27/28]: configuring certmonger renewal for lightweight CAs
  [28/28]: deploying ACME service
Failed to load /usr/share/pki/acme/database/ds/schema.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/usr/share/pki/acme/database/ds/schema.ldif', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: '/usr/share/pki/acme/database/ds/schema.ldif: No such file or directory\n')
  [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/usr/share/pki/acme/database/ds/schema.ldif', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: '/usr/share/pki/acme/database/ds/schema.ldif: No such file or directory\n')
CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/usr/share/pki/acme/database/ds/schema.ldif', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: '/usr/share/pki/acme/database/ds/schema.ldif: No such file or directory\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

# rpm -qf /usr/share/pki/acme/database/ldap/schema.ldif 
pki-server-10.9.4-1.module_el8.3.0+500+458aeb54.noarch
# rpm -q ipa-server
ipa-server-4.9.0-0.5.rc3.module_el8.4.0+591+30f359c9.x86_64
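As an added example (not FreeIPA's or Dogtag's own code), the Python below reproduces the decision the fix reintroduces: ACME deployment is gated on the installed pki-server version (10.10.0 minimum, from the changelog note) and both schema locations seen on this page are checked before ldapmodify is invoked, so a missing file surfaces as a precondition error rather than the CalledProcessError above. The function names, the injectable `run` callable and the constructed version strings are assumptions.

```python
import os
import re
import subprocess

# Minimum Dogtag release with complete ACME support, per the ticket's changelog.
MIN_ACME_PKI_VERSION = (10, 10, 0)

# Both schema locations seen on this page: the one IPA 4.9.0 expected ("ds")
# and the one pki-server 10.9.4 actually ships ("ldap").
ACME_SCHEMA_DIRS = (
    "/usr/share/pki/acme/database/ds",
    "/usr/share/pki/acme/database/ldap",
)

def parse_pki_version(nvra):
    """(major, minor, patch) from an rpm name such as
    'pki-server-10.9.4-1.module_el8.3.0+500+458aeb54.noarch'."""
    m = re.match(r"^pki-server-(\d+)\.(\d+)\.(\d+)-", nvra)
    if not m:
        raise ValueError(f"unrecognised pki-server package: {nvra}")
    return tuple(int(part) for part in m.groups())

def acme_supported(nvra):
    """True only when the installed Dogtag can provide a complete ACME service."""
    return parse_pki_version(nvra) >= MIN_ACME_PKI_VERSION

def find_acme_schema(schema_dirs=ACME_SCHEMA_DIRS):
    """First existing schema.ldif among the candidate directories, or None."""
    for directory in schema_dirs:
        path = os.path.join(directory, "schema.ldif")
        if os.path.isfile(path):
            return path
    return None

def deploy_acme_schema(nvra, ldapi_uri, schema_dirs=ACME_SCHEMA_DIRS, run=subprocess.run):
    """Return 'skipped' (Dogtag too old) or 'loaded'; a missing schema file
    raises FileNotFoundError before ldapmodify is spawned."""
    if not acme_supported(nvra):
        return "skipped"
    schema = find_acme_schema(schema_dirs)
    if schema is None:
        raise FileNotFoundError(f"ACME schema.ldif not found under {schema_dirs}")
    # SASL EXTERNAL over the ldapi:// socket authenticates with the caller's
    # Unix peer credentials, so this must run as root on the DS host.
    cmd = ["/usr/bin/ldapmodify", "-v", "-f", schema, "-H", ldapi_uri, "-Y", "EXTERNAL"]
    run(cmd, check=True)
    return "loaded"
```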

Metadata Update from @abbra:
- Issue assigned to abbra

6 months ago

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1913089

5 months ago

master:

  • 85d4f2d Revert "Remove test for minimum ACME support and rely on package deps"

ipa-4-9:

  • 3aeb9b8 Revert "Remove test for minimum ACME support and rely on package deps"

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 months ago

Metadata Update from @abbra:
- Custom field changelog adjusted to IPA will not deploy ACME service if Dogtag PKI version is known to not provide a complete service. A complete ACME support requires Dogtag 10.10.0 or later.

5 months ago
