Bug 1159086

Summary: RHEL7.1 ipa-server-install with external-cert-file from ADCS fails
Product: Red Hat Enterprise Linux 7
Reporter: Scott Poore <spoore>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.1
CC: mkosek, pvoborni, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-31 17:48:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description: ipaserver-install.log (Flags: none)

Description Scott Poore 2014-10-30 22:39:37 UTC
Description of problem:

I'm trying to use the Microsoft Active Directory Certificate Service on a 2008r2 server to sign the certificate request.  I'm having a problem with the install.

It's failing at or after the RA request:

  [20/27]: requesting RA certificate from CA
  [error] IndexError: list index out of range
Unexpected error - see /var/log/ipaserver-install.log for details:
IndexError: list index out of range



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Setup 2008r2 ADCS server.

2.  ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=rhel7-1.example.com --ip-address=192.168.122.71 -n example.com -r EXAMPLE.COM -a Secret123 -p Secret123 -U --external-ca

3.  copy ipa.csr to ADCS server and sign via web site.  Also, Download CA Cert chain from ADCS.

4.  Copy ipa.cer and adcs CA cert chain back to IPA server.

5.  ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=rhel7-1.example.com --ip-address=192.168.122.71 -n example.com -r EXAMPLE.COM -a Secret123 -p Secret123 -U --external-cert-file=/root/ipa.cer --external-cert-file=/root/adcs1_chain.p7b

# this fails.  I'm assuming the p7b format the ADCS returned for the chain is not supported.  If it is, I can open a different bug for that.  So, I import it into an NSSDB that I can then export into a format I thought would work.

6.  mkdir testnssdb

7. cd testnssdb/

8. certutil -N -d .

9. certutil -A -d . -i /root/adcs1_chain.p7b -n adcs1 -t TCu,TCu,TCu

10. certutil -L -d . -n adcs1 -a > adcs1.asc

11. ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=rhel7-1.example.com --ip-address=192.168.122.71 -n example.com -r EXAMPLE.COM -a Secret123 -p Secret123 -U --external-cert-file=/root/ipa.cer --external-cert-file=/root/testnssdb/adcs1.asc 

Actual results:

  [20/27]: requesting RA certificate from CA
  [error] IndexError: list index out of range
Unexpected error - see /var/log/ipaserver-install.log for details:
IndexError: list index out of range

Snippet from Log:

Generating key.  This may take a few moments...


2014-10-30T21:58:25Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1147, in __request_ra_certificate
    self.requestId = item_node[0].childNodes[0].data
IndexError: list index out of range

2014-10-30T21:58:25Z DEBUG   [error] IndexError: list index out of range
2014-10-30T21:58:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1170, in main
    ca_signing_algorithm=options.ca_signing_algorithm)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 518, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1147, in __request_ra_certificate
    self.requestId = item_node[0].childNodes[0].data

2014-10-30T21:58:25Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range


Expected results:

Installs IPA cleanly with no errors.

Additional info:

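The traceback above dies at `item_node[0].childNodes[0].data` because the CA's reply did not contain the element the installer expected, so the real reason is lost behind an IndexError. As an added example (not FreeIPA's or Dogtag's code), here is a parser that checks for the element and reports what the CA actually returned; the element names RequestId, Status and Error and both sample replies are assumptions constructed for illustration.

```python
"""Added example, not code from FreeIPA or Dogtag: extract a request id from a
CA enrollment reply without tripping on a missing element.  The XML layout
and the element names RequestId / Status / Error are assumed for illustration."""
from xml.dom import minidom


class CAResponseError(Exception):
    """Raised when the CA reply carries no usable request id."""


def _text(node):
    """Concatenated, stripped text content of an element ('' if empty)."""
    return "".join(c.data for c in node.childNodes
                   if c.nodeType == c.TEXT_NODE).strip()


def extract_request_id(xml_bytes):
    """Return the request id from a CA reply.

    The failing installer code indexed item_node[0].childNodes[0] blindly,
    which raises IndexError when the CA answers with an error document that
    has no RequestId element, or with an empty one.  Both cases are checked
    here and whatever Status/Error text the CA did send is surfaced instead.
    """
    try:
        doc = minidom.parseString(xml_bytes)
    except Exception as e:  # expat raises ExpatError on a non-XML (e.g. HTML) reply
        raise CAResponseError("CA reply is not well-formed XML: %s" % e)
    ids = doc.getElementsByTagName("RequestId")
    if ids and _text(ids[0]):
        return _text(ids[0])
    status = [_text(n) for n in doc.getElementsByTagName("Status")]
    errors = [_text(n) for n in doc.getElementsByTagName("Error")]
    raise CAResponseError("CA did not return a request id (status=%s, error=%s)"
                          % (status or "?", errors or "?"))


# Constructed sample replies; not captured from a real CA.
GOOD_REPLY = b"<XMLResponse><Status>0</Status><RequestId> 7 </RequestId></XMLResponse>"
ERROR_REPLY = b"<XMLResponse><Status>2</Status><Error>Profile not found</Error></XMLResponse>"
EMPTY_REPLY = b"<XMLResponse><Status>0</Status><RequestId></RequestId></XMLResponse>"
```

With the error reply the exception message names the CA's own error text, which is what a reader of ipaserver-install.log needs to see rather than a bare IndexError.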
Comment 1 Scott Poore 2014-10-30 22:40:51 UTC
Created attachment 952361 [details]
ipaserver-install.log

Comment 3 Rob Crittenden 2014-10-31 01:48:23 UTC
I think this is a dup of https://bugzilla.redhat.com/show_bug.cgi?id=1129558

To install FreeIPA with MS external CA, use command line switch --external-ca-type=ms-cs

Comment 4 Martin Kosek 2014-10-31 07:36:10 UTC
--external-ca-type=ms-cs switch will only make sure that MS CS accepts the IPA subCA request in the GUI, without having to do magic in the PowerShell terminal.

I wonder what pki-ca version you used; there is a very related bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1151147

Comment 5 Scott Poore 2014-10-31 16:45:11 UTC
That may be at least part of my problem.  When I tested with the fixed version of pki, it definitely gets farther, but now I'm seeing timeouts.  I've seen this now with a couple of attempted re-installs and one fresh install.

  [20/27]: requesting RA certificate from CA
  [21/27]: issuing RA agent certificate
  [22/27]: adding RA agent as a trusted user
  [23/27]: configure certmonger for renewals
  [24/27]: configure certificate renewals
  [25/27]: configure RA certificate renewal
  [26/27]: configure Server-Cert certificate renewal
  [27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
CA did not start in 300.0s

Any thoughts on that?

Comment 6 Petr Vobornik 2014-10-31 16:58:49 UTC
(In reply to Scott Poore from comment #5)

I think you see bug 1155654

Comment 7 Scott Poore 2014-10-31 17:48:17 UTC
Petr, Yes, I think you're right.   Thanks for the info.

So, I'm closing this as a duplicate of bug 1151147.  The latter issue I'll track in that bug. 

Thanks guys.

*** This bug has been marked as a duplicate of bug 1151147 ***