Bug 1131907
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [ipa-client-install] cannot write certificate file '/etc/ipa/ca.crt.new': must be string or buffer, not None | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Jiri Belka <jbelka> |
| Component | ipa | Assignee | Martin Kosek <mkosek> |
| Status | CLOSED ERRATA | QA Contact | Namita Soman <nsoman> |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.0 | CC | dpal, jbelka, jcholast, ksiddiqu, pstehlik, rcritten, spoore, xdong |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | ipa-4.2.0-2.el7 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2015-11-19 12:00:54 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
It looks like it cannot find the certificate in IPA LDAP. Can you try to search and check what the result of the following is?

```
$ ldapsearch -h `hostname` -D "uid=admin,cn=users,cn=accounts,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" -x -W -b 'cn=CAcert,cn=ipa,cn=etc,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'
```

```
[root@brq-ipa ~]# ldapsearch -h `hostname` -D "uid=admin,cn=users,cn=accounts,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" -x -W -b 'cn=CAcert,cn=ipa,cn=etc,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@brq-ipa ~]# ldapsearch -h `hostname` -D "uid=admin,cn=users,cn=accounts,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" -x -W -b 'cn=CAcert,cn=ipa,cn=etc,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=CAcert,cn=ipa,cn=etc,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# CACert, ipa, etc, brq-ipa.rhev.lab.eng.brq.redhat.com
dn: cn=CACert,cn=ipa,cn=etc,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,
 dc=com
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

I wonder how it could have happened that the cACertificate attribute is present but empty. Is it a new FreeIPA installation or was it an upgrade from some older one? Is this reproducible?

BTW, to work around your issue on the server, you would need to let it re-create the CACert entry using a couple of steps:

```
# ldapdelete -h `hostname` -D "cn=Directory Manager" -x -W cn=CAcert,cn=ipa,cn=etc,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
# ipa-ldap-updater --upgrade
```

After this step, the ldapsearch from Comment 2 should return a proper value and installation should continue.
Adding needinfo until we find some way to reproduce it or diagnose how it could have happened.

It seems the issue is related to the following lines...

```
2014-09-01T08:35:41Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2014-09-01T08:35:41Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-BRQ-IPA-RHEV-LAB-ENG-BRQ-REDHAT-COM/ -L -n CN=BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM Certificate Authority -a
2014-09-01T08:35:41Z DEBUG stdout=
2014-09-01T08:35:41Z DEBUG stderr=certutil: Could not find cert: CN=BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM Certificate Authority : PR_FILE_NOT_FOUND_ERROR: File not found
```

Full log in attachment.

Created attachment 933279 [details]
ipaupgrade.log
Honzo, could this be related to IPA not being able to fetch certificates with longer names from certutil? I.e. https://fedorahosted.org/freeipa/ticket/4453

(In reply to Martin Kosek from comment #9)
> Honzo, could this be related to IPA not being able to fetch certificates with
> longer names from certutil?
>
> I.e. https://fedorahosted.org/freeipa/ticket/4453

No, that bug is triggered only for certificates with nicknames longer than 61 characters. I think the upload_cacrt update plugin is to blame - it looks for a certificate nicknamed "$REALM Certificate Authority" unconditionally, which will not work in CA-less installs.

Jiri, is your install CA-less (i.e. did you use the --http_pkcs12 and --dirsrv_pkcs12 options when you ran ipa-server-install)? Can you please post the output of "certutil -d /etc/dirsrv/slapd-BRQ-IPA-RHEV-LAB-ENG-BRQ-REDHAT-COM -L"?

I'm just a user of this IPA server, but pstehlik@ told me he could not install it but then was successful with the help of mkosek@. It is possible that a CA-less install is what we have.

```
# certutil -d /etc/dirsrv/slapd-BRQ-IPA-RHEV-LAB-ENG-BRQ-REDHAT-COM -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM IPA CA                   CT,,C
Server-Cert                                                  u,u,u
```

Honza, it may have happened that it was a --selfsign installation that was later converted to CA-less automatically. Do I read Comment 12 correctly that you have identified a bug in FreeIPA code and we should thus create an upstream ticket?

Yes, I think --selfsign is involved, but I have not yet exactly identified the bug. Looking at the upgrade log, I can see the empty certificate got into LDAP during the upgrade, in the upload_cacrt update plugin. The plugin should have looked for a certificate named "$REALM IPA CA" (which you can see in the certutil output in comment 13), but it looked for "$REALM Certificate Authority" instead.
Ever since upload_cacrt was introduced, "$REALM Certificate Authority" has not been used anywhere in the related code, so I can only guess there was some mixup with code from the IPA version the server was upgraded from.

Cloning to FreeIPA Trac; this might be solved with Jan's latest patches. See thread: [Freeipa-devel] [PATCHES] 319, 324-335 CA management and renewal fixes

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4565

Fixed upstream

master:
- https://fedorahosted.org/freeipa/changeset/39e474e14e5f02db89fc444fd08f4c6b6cbdf9d3
- https://fedorahosted.org/freeipa/changeset/95a628cfb9998dfb0a16a43077667d266ee9df17
- https://fedorahosted.org/freeipa/changeset/572d68b5392ae23747d48e9328e4e0df42029b58
- https://fedorahosted.org/freeipa/changeset/fa500686075e38b687732f1c9443dbca81b5d9f4

ipa-4-1:
- https://fedorahosted.org/freeipa/changeset/4154c8893fda39c44af2558a3bb6ce0c6713feb9
- https://fedorahosted.org/freeipa/changeset/ad77613be6db202720bfb8e491d2f06bd5013aea
- https://fedorahosted.org/freeipa/changeset/6e672109ea48f995deac95094cea6d03650bdd13
- https://fedorahosted.org/freeipa/changeset/f0a49b962c268c32db6179c60017fc04826af179

So, how can we test this? Do we need to set up a RHEL 7.0 IPA and switch from self-signed to external CA and then upgrade?

1. Install IPA server
2. Delete all entries under cn=certificates,cn=ipa,cn=etc,$SUFFIX
3. Put an empty string in cACertificate;binary in cn=CACert,cn=ipa,cn=etc,$SUFFIX
4. Check that ipa-client-install succeeds
5. Run ipa-server-upgrade on the server
6. Check that cn=certificates,cn=ipa,cn=etc,$SUFFIX has been repopulated and that cn=CACert,cn=ipa,cn=etc,$SUFFIX has a non-empty cACertificate;binary

Do I just test this on RHEL 7.2 or should I start earlier? Is #4 on a different host, I'm assuming? Thanks, Scott

You can do this with a RHEL 7.2 server. Step 4 has to be done on a different (client) host.

Verified.

Version :: ipa-server-4.2.0-12.el7.x86_64

Results ::

```
[root@master yum.repos.d]# ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=master.testrelm.test --ip-address=192.168.122.72 -n testrelm.test -r TESTRELM.TEST -a Secret123 -p Secret123 -U
... install looks normal ...

[root@master ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -b "cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test"
dn: cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test
objectClass: nsContainer
objectClass: top
cn: certificates

dn: cn=TESTRELM.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
cn: TESTRELM.TEST IPA CA
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=Certificate Authority,O=TESTRELM.TEST
ipaPublicKey:: [base64 public key omitted]
cACertificate;binary:: [base64 certificate omitted]
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=Certificate Authority,O=TESTRELM.TEST;1
ipaConfigString: compatCA
ipaConfigString: ipaCA

[root@master ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -b "cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test"|grep ^dn
dn: cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test
dn: cn=TESTRELM.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test

[root@master ~]# ldapdelete -x -D "cn=Directory Manager" -w Secret123 "cn=TESTRELM.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test"

[root@master ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -b "cn=CACert,cn=ipa,cn=etc,dc=testrelm,dc=test"
dn: cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary:: [base64 certificate omitted]

[root@master ~]# ldapmodify -D "cn=Directory Manager" -w Secret123 <<EOF
dn: cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test
changetype: delete
EOF
deleting entry "cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test"

[root@master ~]# ldapmodify -D "cn=Directory Manager" -w Secret123 <<EOF
dn: cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test
changetype: add
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary:
> EOF
adding new entry "cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test"

[root@master ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test"
# extended LDIF
#
# LDAPv3
# base <cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# CAcert, ipa, etc, testrelm.test
dn: cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary:

# search result
search: 2
result: 0 Success

################################################################
# Now running on CLIENT
################################################################

[root@client yum.repos.d]# ipa-client-install -w Secret123 -p admin
Discovery was successful!
Client hostname: client.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Unable to download CA cert from LDAP.
Do you want to download the CA cert from http://master.testrelm.test/ipa/config/ca.crt? (this is INSECURE) [no]: yes
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Thu Oct 01 13:36:44 2015 UTC
    Valid Until: Mon Oct 01 13:36:44 2035 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://master.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (client.testrelm.test) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.122.73.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.

################################################################
# Now running on MASTER
################################################################

[root@master ~]# ipa-server-upgrade
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating mod_nss protocol versions]
[Fixing trust flags in /etc/httpd/alias]
[Exporting KRA agent PEM file]
KRA is not installed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Enabling "dnssec-enable" configuration in DNS]
[Setting "bindkeys-file" option in named.conf]
[Including named root key in named.conf]
[Masking named]
[Fix bind-dyndb-ldap IPA working directory]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 3]
Certmonger certificate renewal configuration is already at version 3
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
pki-ca configuration changed, restart pki-ca
[Ensuring CA is using LDAPProfileSubsystem]
[Ensuring presence of included profiles]
[Add default CA ACL]
The IPA services were upgraded
The ipa-server-upgrade command was successful

[root@master ~]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b "cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test"
# extended LDIF
#
# LDAPv3
# base <cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# CAcert, ipa, etc, testrelm.test
dn: cn=CAcert,cn=ipa,cn=etc,dc=testrelm,dc=test
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary:: [base64 certificate omitted]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@master ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -b "cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test"
dn: cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test
objectClass: nsContainer
objectClass: top
cn: certificates

dn: cn=TESTRELM.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
cn: TESTRELM.TEST IPA CA
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=Certificate Authority,O=TESTRELM.TEST
ipaPublicKey:: [base64 public key omitted]
cACertificate;binary:: [base64 certificate omitted]
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=Certificate Authority,O=TESTRELM.TEST;1
ipaConfigString: ipaCa
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
Created attachment 928738 [details]
ipaclient-install.log

Description of problem:

```
# ipa-client-install --domain brq-ipa.rhev.lab.eng.brq.redhat.com --server brq-ipa.rhev.lab.eng.brq.redhat.com --mkhomedir
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: jb-rhel7.rhev.lab.eng.brq.redhat.com
Realm: BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM
DNS Domain: brq-ipa.rhev.lab.eng.brq.redhat.com
IPA Server: brq-ipa.rhev.lab.eng.brq.redhat.com
BaseDN: dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin.LAB.ENG.BRQ.REDHAT.COM:
cannot write certificate file '/etc/ipa/ca.crt.new': must be string or buffer, not None
Installation failed. Rolling back changes.
IPA client is not configured on this system.
```

...

```
2014-08-20T09:17:28Z DEBUG trying to retrieve CA cert via LDAP from brq-ipa.rhev.lab.eng.brq.redhat.com
2014-08-20T09:17:28Z DEBUG flushing ldap://brq-ipa.rhev.lab.eng.brq.redhat.com:389 from SchemaCache
2014-08-20T09:17:28Z DEBUG retrieving schema for SchemaCache url=ldap://brq-ipa.rhev.lab.eng.brq.redhat.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x18a59e0>
2014-08-20T09:17:28Z DEBUG cannot write certificate file '/etc/ipa/ca.crt.new': must be string or buffer, not None
2014-08-20T09:17:28Z ERROR cannot write certificate file '/etc/ipa/ca.crt.new': must be string or buffer, not None
2014-08-20T09:17:28Z ERROR Installation failed. Rolling back changes.
2014-08-20T09:17:28Z ERROR IPA client is not configured on this system.
```

...

Version-Release number of selected component (if applicable):
- ipa-python-3.3.3-28.el7.x86_64
- ipa-client-3.3.3-28.el7.x86_64

How reproducible: 100%

Steps to Reproduce:
1. ipa-client-install --domain brq-ipa.rhev.lab.eng.brq.redhat.com --server brq-ipa.rhev.lab.eng.brq.redhat.com --mkhomedir

Actual results: failure

Expected results: should work

Additional info:

Workaround:
- ssh root.lab.eng.brq.redhat.com 'openssl x509 -in /etc/pki/tls/certs/ca.crt -text' > /tmp/out.crt
- add '--ca-cert-file=/tmp/out.crt' as arg for ipa-client-install
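The root of the failure in this report is that the client wrote whatever the LDAP lookup returned, None included, straight into /etc/ipa/ca.crt.new. As an added example (not FreeIPA's own code), the script below parses the kind of ldapsearch LDIF shown throughout this thread for cn=CAcert,cn=ipa,cn=etc,$SUFFIX and classifies the cACertificate;binary value as absent, empty, malformed or a well-formed DER SEQUENCE before it will emit a PEM file; the two LDIF samples are constructed for illustration and the tiny DER value in the second is not a real certificate.

```python
"""Check the CA cert ipa-client-install fetches from LDAP before writing ca.crt.
Added example, not FreeIPA's own code: parses ldapsearch LDIF output for
cn=CAcert,cn=ipa,cn=etc,$SUFFIX and rejects anything that is not a DER SEQUENCE."""
import base64
import re
# Constructed sample: the broken state from the report (attribute present, value empty).
EMPTY_CACERT_LDIF = """\
# CAcert, ipa, etc, example.test
dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test
cn: CAcert
cACertificate;binary:

search: 2
"""
# Constructed sample: a minimal DER SEQUENCE (not a real certificate), folded
# over two lines the way ldapsearch wraps long base64 values.
GOOD_CACERT_LDIF = """\
dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test
objectClass: pkiCA
cn: CAcert
cACertificate;binary:: MAMC
 AQE=
"""
_LDIF_LINE = re.compile(r"^([^:]+)(::?)\s?(.*)$")

def parse_first_entry(ldif_text):
    """First LDIF entry as {lowercased attr: [bytes]}: unfolds RFC 2849
    continuation lines, skips '#' comments, decodes 'attr:: base64'."""
    entry = {}
    for line in re.sub(r"\n ", "", ldif_text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                break                    # blank line ends the first entry
            continue
        m = _LDIF_LINE.match(line)
        if not m:
            continue                     # not an attribute line
        attr, sep, value = m.groups()
        raw = base64.b64decode(value.strip()) if sep == "::" else value.encode()
        entry.setdefault(attr.strip().lower(), []).append(raw)
    return entry

def der_sequence_length(blob):
    """Total length of the outer DER SEQUENCE, or None if the header is bad."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    if blob[1] < 0x80:                     # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def classify_ca_entry(ldif_text):
    """Return 'absent', 'no-attribute', 'empty', 'malformed' or 'ok'."""
    entry = parse_first_entry(ldif_text)
    if "dn" not in entry:
        return "absent"
    values = entry.get("cacertificate;binary")
    if not values:
        return "no-attribute"
    if not values[0]:
        return "empty"      # the state behind 'must be string or buffer, not None'
    if der_sequence_length(values[0]) != len(values[0]):
        return "malformed"
    return "ok"

def ca_cert_pem(ldif_text):
    """PEM for a usable CA cert; raise a clear error instead of writing None."""
    state = classify_ca_entry(ldif_text)
    if state != "ok":
        raise RuntimeError("CA certificate in LDAP is %s; pass --ca-cert-file" % state)
    b64 = base64.b64encode(parse_first_entry(ldif_text)["cacertificate;binary"][0]).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
```

Feed it the output of the ldapsearch used in this thread (with or without -LLL); an "empty" result is exactly the server state that the workaround with --ca-cert-file and the ipa-ldap-updater re-creation of the CACert entry address.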