Bug 1347112

Summary: IPA 4.2.0 while Replica install "Could not find a CA cert"
Product: [Fedora] Fedora
Reporter: ozmen62
Component: freeipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: rawhide
CC: abokovoy, ipa-maint, jhrozek, mkosek, ozmen62, pvoborni, rcritten, ssorce
Hardware: x86_64   
OS: Linux   
Last Closed: 2016-06-22 17:19:13 UTC
Type: Bug
Attachments:
- ipareplica-install (flags: none)
- install log with strace (flags: none)

Description ozmen62 2016-06-16 05:33:51 UTC
Description of problem:

During the replica install, it can set up the CA files from the /tmp/tmp.... directory up to some point. After that, the install script removes the files using unlink. That causes a problem, because the further install process looks for the same files but isn't able to find them in the /tmp/tmp.. directory.

Version-Release number of selected component (if applicable):
OS = CentOS 7.2.1511 Updated (Both Master and Replica)
IPA = 4.2.0 API=2.156 (Both Master and Replica)


How reproducible:

To reproduce this, you need to work around some previous problems.

First,

- take a copy of /etc/ipa/ca.cer
in PEM format, because the prepare script changes it into a binary file

# touch /root/cacerts.p12
"because the prepare script looks for it" and "makes it changed"

- as described in the formal Red Hat 7 replica doc
- run the prepare script on the master
- cp the gpg file to the replica with scp on the master
- install ipa-server and ipa-dns-server on the replica
- run ipa-replica-install --setup-ca --setup-dns --no-forwarders /path/replica.example.com.gpg



Actual results:

File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 634, in create_from_pkcs12
    raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)

2016-06-15T13:42:30Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Could not find a CA cert in /tmp/tmp80pzXcipa/realm_info/dscert.p12
2016-06-15T13:42:30Z ERROR Could not find a CA cert in /tmp/tmp80pzXcipa/realm_info/dscert.p12

If you run the setup with strace, you can see this in the middle of the process:

lstat("/tmp/tmpfDD_Lzipa/realm_info/dirsrv_pin.txt", {st_mode=S_IFREG|0644, st_size=1, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/dirsrv_pin.txt") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/cacert.p12", {st_mode=S_IFREG|0644, st_size=12404, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/cacert.p12") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/dscert.p12", {st_mode=S_IFREG|0600, st_size=2746, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/dscert.p12") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/dogtagcert.p12", {st_mode=S_IFREG|0600, st_size=2746, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/dogtagcert.p12") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/dogtag_directory_port.txt", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/dogtag_directory_port.txt") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/http_pin.txt", {st_mode=S_IFREG|0644, st_size=1, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/http_pin.txt") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/pwdfile.txt.orig", {st_mode=S_IFREG|0400, st_size=40, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/pwdfile.txt.orig") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/pwdfile.txt", {st_mode=S_IFREG|0600, st_size=40, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/pwdfile.txt") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/httpcert.p12", {st_mode=S_IFREG|0600, st_size=2746, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/httpcert.p12") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/ra.p12", {st_mode=S_IFREG|0600, st_size=3578, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/ra.p12") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/ca.crt", {st_mode=S_IFREG|0444, st_size=12404, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/ca.crt") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/preferences.html", {st_mode=S_IFREG|0644, st_size=3089, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/preferences.html") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/configure.jar", {st_mode=S_IFREG|0644, st_size=3411, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/configure.jar") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/default.conf", {st_mode=S_IFREG|0644, st_size=248, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/default.conf") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/realm_info", {st_mode=S_IFREG|0644, st_size=167, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/realm_info") = 0
rmdir("/tmp/tmpfDD_Lzipa/realm_info")   = 0
rmdir("/tmp/tmpfDD_Lzipa")     




Expected results:

Success

Comment 1 ozmen62 2016-06-16 05:37:42 UTC
In the actual results, I pasted the result of a different install process.

It should be like this:

2016-06-15T13:42:30Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Could not find a CA cert in /tmp/tmpfDD_Lzipa/realm_info/dscert.p12
2016-06-15T13:42:30Z ERROR Could not find a CA cert in /tmp/tmpfDD_Lzipa/realm_info/dscert.p12

Comment 2 Petr Vobornik 2016-06-17 16:06:30 UTC
The temp folder should contain the content of the replica file generated by the ipa-replica-prepare util. So it is expected that it will eventually be deleted/unlinked.

Isn't the unlinking done in cleanup after failed installation?

Could you attach ipareplica-install.log?

Comment 3 ozmen62 2016-06-20 05:51:43 UTC
Created attachment 1169675
ipareplica-install

Comment 4 ozmen62 2016-06-20 05:52:24 UTC
Created attachment 1169676
install log with strace
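
Added example, not part of the original report or of the FreeIPA code: one way to answer the question raised in Comment 2 from a strace log, by checking whether any path was requested again (and failed with ENOENT) after its unlink, or whether the unlinks were only followed by directory removal. The /tmp/tmpEXAMPLEipa path and both sample traces are constructed, and the function and verdict names are hypothetical.

```python
import re

# One strace line: optional pid prefix, syscall name, first quoted path,
# numeric return value and (on failure) the errno name.
CALL = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(\w+)\([^"]*"([^"]+)".*\)\s*=\s*(-?\d+)(?:\s+([A-Z]+))?'
)

def classify_unlinks(strace_lines):
    """Map each successfully unlinked path to 'cleanup' or 'needed-after-delete'."""
    verdict = {}
    for line in strace_lines:
        m = CALL.match(line.strip())
        if not m:
            continue  # truncated or unrelated line, e.g. a call with no result
        call, path, ret, err = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if call in ("unlink", "unlinkat") and ret == 0:
            verdict[path] = "cleanup"
        elif path in verdict and ret == -1 and err == "ENOENT":
            # Something still wanted the file after it had been removed.
            verdict[path] = "needed-after-delete"
        elif path in verdict and ret >= 0:
            del verdict[path]  # path exists again (re-created), stop tracking
    return verdict

P12 = "/tmp/tmpEXAMPLEipa/realm_info/dscert.p12"  # constructed path

# Constructed trace shaped like the one in the report: delete, then rmdir.
CLEANUP_TRACE = [
    'lstat("%s", {st_mode=S_IFREG|0600, st_size=2746, ...}) = 0' % P12,
    'unlink("%s") = 0' % P12,
    'rmdir("/tmp/tmpEXAMPLEipa/realm_info")   = 0',
    'rmdir("/tmp/tmpEXAMPLEipa")',  # result cut off, skipped by the parser
]

# Constructed trace where the installer reopens the file after deleting it.
USE_AFTER_DELETE_TRACE = [
    'unlink("%s") = 0' % P12,
    'open("%s", O_RDONLY) = -1 ENOENT (No such file or directory)' % P12,
]

if __name__ == "__main__":
    for name, trace in (("cleanup", CLEANUP_TRACE),
                        ("use-after-delete", USE_AFTER_DELETE_TRACE)):
        print(name, classify_unlinks(trace))
```

A result of only 'cleanup' verdicts means the unlinks were not what the failing step tripped over, so the cause has to be looked for earlier in the log.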