Bug 1011396

Summary: ipa-client-install does not clean up /etc/ipa/ca.crt after a failed attempt
Product: [Fedora] Fedora
Component: freeipa
Version: 19
Hardware: All
OS: All
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Adam Williamson <awilliam>
Assignee: Rob Crittenden <rcritten>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, mkosek, pviktori, rcritten, ssorce
Fixed In Version: freeipa-3.3.4-3.fc19
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-02-28 18:33:20 UTC

Description Adam Williamson 2013-09-24 08:04:44 UTC
If you run ipa-client-install and it fails for some reason after creating /etc/ipa/ca.crt, then it does not remove that file when it tries to clean up after itself before quitting. This results in all subsequent runs failing to auto-discover the server, with a rather cryptic error:

Error checking LDAP: Connect error: TLS error -8157:Certificate extension not found.

It was just impossible to debug this without the very much appreciated help of ab and mkosek in #freeipa. Suggestions: the 'clean up process' for failed ipa-client-install runs should wipe that file, and perhaps (I don't know enough to know if this makes sense) ipa-client-install should check if that file exists if its auto-discovery process fails, and warn the user that its presence might be the problem.
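
A sketch of the two behaviours suggested in the description above, as an added example (it is not the upstream changeset and not FreeIPA code): files written during an install attempt are tracked and removed if the attempt fails, and a discovery failure checks for a leftover ca.crt. The names `InstallAttempt`, `install_attempt` and `discovery_failure_hint` are hypothetical, and the `root` parameter is an assumption added so the code can run against a scratch directory instead of `/`.

```python
import contextlib
import os

CA_CERT = "etc/ipa/ca.crt"  # path from the report, kept relative so a test root can be used


class InstallAttempt:
    """Tracks files one install attempt creates so a failure can remove them."""

    def __init__(self, root="/"):
        self.root = root
        self.created = []

    def write(self, relpath, data):
        path = os.path.join(self.root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        # O_EXCL: a file left by an earlier run raises FileExistsError instead of
        # being silently reused, and only files created here are ever rolled back.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        self.created.append(path)

    def rollback(self):
        for path in reversed(self.created):
            with contextlib.suppress(FileNotFoundError):
                os.remove(path)
        self.created.clear()


@contextlib.contextmanager
def install_attempt(root="/"):
    attempt = InstallAttempt(root)
    try:
        yield attempt
    except BaseException:
        attempt.rollback()  # failed run: leave no ca.crt behind for the next one
        raise


def discovery_failure_hint(root="/"):
    """Return a warning if a ca.crt is present when discovery fails, else None."""
    path = os.path.join(root, CA_CERT)
    if os.path.exists(path):
        return f"{path} already exists and may be the cause; remove it and retry"
    return None
```
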

Comment 1 Martin Kosek 2013-09-24 12:00:32 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3944

Comment 2 Martin Kosek 2013-10-16 08:56:03 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/c49cf9572addb2e773108e4530e023385f8c2180

Comment 3 Martin Kosek 2014-01-27 14:25:39 UTC
Fixed upstream:
ipa-3-3: https://fedorahosted.org/freeipa/changeset/00a4ad2c34c6203ee058b71a4c25d22d2f333b09

Comment 4 Fedora Update System 2014-01-28 13:01:52 UTC
freeipa-3.3.4-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/freeipa-3.3.4-1.fc19

Comment 5 Fedora Update System 2014-01-29 03:05:58 UTC
Package freeipa-3.3.4-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.3.4-2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1696/freeipa-3.3.4-2.fc19
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-02-06 03:59:06 UTC
Package freeipa-3.3.4-3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.3.4-3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1696/freeipa-3.3.4-3.fc19
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-02-28 18:33:20 UTC
freeipa-3.3.4-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.