Bug 1438490
Summary: | CA-less installation fails on publishing CA certificate | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni>
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint>
Status: | CLOSED ERRATA | QA Contact: | Michal Reznik <mreznik>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 7.4 | CC: | jcholast, ksiddiqu, mreznik, pvoborni, rcritten, tscherf
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | ipa-4.5.0-5.el7 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2017-08-01 09:47:49 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Petr Vobornik
2017-04-03 14:02:53 UTC
Upstream ticket: https://pagure.io/freeipa/issue/6806

Fixed upstream
master:
https://pagure.io/freeipa/c/8c87014e199b3dbe885c69d40a01d2723f813c3e
https://pagure.io/freeipa/c/aae9a918b68dc4f9a7b4fb9abf1bb4d26673109d
ipa-4-5:
https://pagure.io/freeipa/c/ebf24e783604952e59e557b5537c6d0de6146ce4
https://pagure.io/freeipa/c/99389748beb0158811505efa606c27e1e2e0bc7b

Verified on: ipa-server-4.5.0-9.el7.x86_64

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin XXX --http-pin XXX --no-pkinit

Checking DNS domain testrelm.test, please wait ...

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Warning: skipping DNS resolution of host master.testrelm.test
Checking DNS domain testrelm.test., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       master.testrelm.test
IP address(es): 192.168.222.11
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.222.1
Forward policy:   only
Reverse zone(s):  No reverse zone

Adding [192.168.222.11 master.testrelm.test] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/45]: creating directory server instance
  [2/45]: enabling ldapi
... <snip> ...
Configuring the web interface (httpd)
  [1/20]: stopping httpd
  [2/20]: setting mod_nss port to 443
  [3/20]: setting mod_nss cipher suite
  [4/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/20]: setting mod_nss password file
  [6/20]: enabling mod_nss renegotiate
  [7/20]: adding URL rewriting rules
  [8/20]: configuring httpd
  [9/20]: setting up httpd keytab
  [10/20]: configuring Gssproxy
  [11/20]: setting up ssl
  [12/20]: importing CA certificates from LDAP
  [13/20]: publish CA cert
  [14/20]: clean up any existing httpd ccaches
  [15/20]: configuring SELinux for httpd
  [16/20]: create KDC proxy config
  [17/20]: enable KDC proxy
  [18/20]: starting httpd
  [19/20]: configuring httpd to start on boot
  [20/20]: enabling oddjobd
Done configuring the web interface (httpd).
... <snip> ...
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.

[root@master ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1/server                                                   u,u,u
ca1                                                          C,,

Since the problem described in this bug report should be resolved in a
recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files,
follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
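The verification above hands one PKCS#12 file to both --dirsrv-cert-file and --http-cert-file, and the "publish CA cert" step then publishes the CA certificate(s) carried in that bundle; the certutil listing at the end shows the expected outcome (the server cert with its key as u,u,u and the CA as a trusted C,, entry). Before running such an install it is worth confirming that the bundle actually contains what that step needs. The following POSIX shell script is an added example, not code from the bug report or from FreeIPA: it opens the bundle with its PIN, requires exactly one private key, finds the server certificate matching that key, treats the remaining certificates as the CA chain the installer will publish, and verifies the server certificate against that chain for the intended host name. The make_demo_bundle helper, the host name master.example.test, the PIN and all file names are constructed for the demo; an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the bug report or FreeIPA: pre-flight check of a
# PKCS#12 bundle meant for ipa-server-install --dirsrv-cert-file/--http-cert-file.
# A usable bundle has exactly one private key, the server certificate for that
# key, and the CA certificate(s) that issued it (the part the installer publishes).
# Assumes: openssl on PATH. Host name, PIN and file names below are constructed.
set -e

# check_p12_bundle FILE PIN HOSTNAME -> returns 0 if usable, 1 with a reason on stdout.
check_p12_bundle() {
  work=$(mktemp -d)
  if p12_check_in "$work" "$1" "$2" "$3"; then status=0; else status=1; fi
  rm -rf "$work"
  return $status
}

p12_check_in() {
  work=$1; p12=$2; pin=$3; host=$4
  # 1. The PIN must open the bundle (a wrong PIN fails the MAC check); split certs and key.
  openssl pkcs12 -in "$p12" -passin "pass:$pin" -nokeys -out "$work/certs.pem" 2>/dev/null \
    || { echo "cannot read $p12 (bad PIN or not a PKCS#12 file)"; return 1; }
  openssl pkcs12 -in "$p12" -passin "pass:$pin" -nocerts -nodes -out "$work/key.pem" 2>/dev/null
  keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$work/key.pem" || true)
  [ "$keys" -eq 1 ] || { echo "expected exactly one private key, found $keys"; return 1; }
  openssl pkey -in "$work/key.pem" -pubout -out "$work/key.pub" 2>/dev/null
  # 2. One PEM file per certificate. The one whose public key matches the private
  #    key is the server cert; everything else is the chain the installer will publish.
  awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/cert-" n ".pem")}' "$work/certs.pem"
  leaf=""; : > "$work/chain.pem"
  for f in "$work"/cert-*.pem; do
    [ -f "$f" ] || continue
    openssl x509 -in "$f" -noout -pubkey > "$work/cert.pub" 2>/dev/null
    if cmp -s "$work/cert.pub" "$work/key.pub"; then
      [ -z "$leaf" ] || { echo "more than one certificate matches the private key"; return 1; }
      leaf=$f
    else
      cat "$f" >> "$work/chain.pem"
    fi
  done
  [ -n "$leaf" ] || { echo "no certificate in the bundle matches its private key"; return 1; }
  [ -s "$work/chain.pem" ] || { echo "no CA certificate in the bundle: nothing to publish"; return 1; }
  # 3. The bundled CAs must chain up to the server cert (so the root belongs in the
  #    bundle; -no-CApath keeps the system CA directory out of it) and the cert
  #    must be issued for HOSTNAME.
  openssl verify -no-CApath -CAfile "$work/chain.pem" -verify_hostname "$host" "$leaf" >/dev/null 2>&1 \
    || { echo "server certificate does not verify against the bundled chain for $host"; return 1; }
  return 0
}

# make_demo_bundle DIR PIN HOSTNAME: a throwaway CA, a server cert it issued for
# HOSTNAME, and DIR/server.p12 holding key + cert + CA. Constructed for the demo only.
make_demo_bundle() {
  dir=$1; pin=$2; host=$3
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" > "$dir/server.cnf"
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$host" > "$dir/server.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 1 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" -certfile "$dir/ca.crt" \
    -name server -out "$dir/server.p12" -passout "pass:$pin"
}

# Demo on a constructed bundle; point it at your own server.p12, PIN and FQDN instead.
demo=$(mktemp -d)
make_demo_bundle "$demo" 'Secret123' master.example.test
check_p12_bundle "$demo/server.p12" 'Secret123' master.example.test && echo "server.p12 OK for a CA-less install"
rm -rf "$demo"
```

Run it as check_p12_bundle ./server.p12 "$PIN" "$(hostname -f)" before ipa-server-install; the same file can be passed to both --dirsrv-cert-file and --http-cert-file as in the run above. The match is done by public key rather than by certificate order or nickname because PKCS#12 writers differ in how they order and label bags, and the CA chain is verified from the bundle alone, since that is all the installer has to publish when no --ca-cert-file is given.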