Bug 1438490

Summary: CA-less installation fails on publishing CA certificate
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Michal Reznik <mreznik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: jcholast, ksiddiqu, mreznik, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-5.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:47:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2017-04-03 14:02:53 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6806

CA-less installation of freeipa-server-4.5.0-0.fc25.x86_64 fails during publishing of CA cert in HTTP installer:

```console
Configuring the web interface (httpd)
  [1/21]: setting mod_nss port to 443
  [2/21]: setting mod_nss cipher suite
  [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/21]: setting mod_nss password file
  [5/21]: enabling mod_nss renegotiate
  [6/21]: adding URL rewriting rules
  [7/21]: configuring httpd
  [8/21]: setting up httpd keytab
  [9/21]: retrieving anonymous keytab
  [10/21]: configuring Gssproxy
  [11/21]: setting up ssl
  [12/21]: importing CA certificates from LDAP
  [13/21]: publish CA cert
  [error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -L -n IPA.TEST IPA CA -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/usr/bin/certutil -d /etc/httpd/alias -L -n IPA.TEST IPA CA -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
This is caused by using incorrect CA cert nickname (the default one generated during CA-full install) instead of retrieving the correct nickname from the supplied PKCS#12 files (as can be seen from the content of HTTP alias directory):

```console
# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,  
ca1/server                                                   u,u,u
```
Comment 2 Petr Vobornik 2017-04-03 14:03:15 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6806
Comment 3 Jan Cholasta 2017-04-03 14:04:40 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/8c87014e199b3dbe885c69d40a01d2723f813c3e
https://pagure.io/freeipa/c/aae9a918b68dc4f9a7b4fb9abf1bb4d26673109d
ipa-4-5:
https://pagure.io/freeipa/c/ebf24e783604952e59e557b5537c6d0de6146ce4
https://pagure.io/freeipa/c/99389748beb0158811505efa606c27e1e2e0bc7b
Comment 5 Michal Reznik 2017-05-26 08:58:25 UTC 
Verified on:

ipa-server-4.5.0-9.el7.x86_64

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin XXX --http-pin XXX --no-pkinit
Checking DNS domain testrelm.test, please wait ...

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host master.testrelm.test
Checking DNS domain testrelm.test., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       master.testrelm.test
IP address(es): 192.168.222.11
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.222.1
Forward policy:   only
Reverse zone(s):  No reverse zone

Adding [192.168.222.11 master.testrelm.test] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/45]: creating directory server instance
  [2/45]: enabling ldapi
...
<snip>
...
Configuring the web interface (httpd)
  [1/20]: stopping httpd
  [2/20]: setting mod_nss port to 443
  [3/20]: setting mod_nss cipher suite
  [4/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/20]: setting mod_nss password file
  [6/20]: enabling mod_nss renegotiate
  [7/20]: adding URL rewriting rules
  [8/20]: configuring httpd
  [9/20]: setting up httpd keytab
  [10/20]: configuring Gssproxy
  [11/20]: setting up ssl
  [12/20]: importing CA certificates from LDAP
  [13/20]: publish CA cert
  [14/20]: clean up any existing httpd ccaches
  [15/20]: configuring SELinux for httpd
  [16/20]: create KDC proxy config
  [17/20]: enable KDC proxy
  [18/20]: starting httpd
  [19/20]: configuring httpd to start on boot
  [20/20]: enabling oddjobd
Done configuring the web interface (httpd).
...
<snip>
...
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.
[root@master ~]# 
[root@master ~]# 
[root@master ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1/server                                                   u,u,u
ca1                                                          C,,
Comment 6 errata-xmlrpc 2017-08-01 09:47:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304