Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1438490

Summary: CA-less installation fails on publishing CA certificate
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Michal Reznik <mreznik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: jcholast, ksiddiqu, mreznik, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-5.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:47:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2017-04-03 14:02:53 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6806

CA-less installation of freeipa-server-4.5.0-0.fc25.x86_64 fails during publishing of CA cert in HTTP installer:

```console
Configuring the web interface (httpd)
  [1/21]: setting mod_nss port to 443
  [2/21]: setting mod_nss cipher suite
  [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/21]: setting mod_nss password file
  [5/21]: enabling mod_nss renegotiate
  [6/21]: adding URL rewriting rules
  [7/21]: configuring httpd
  [8/21]: setting up httpd keytab
  [9/21]: retrieving anonymous keytab
  [10/21]: configuring Gssproxy
  [11/21]: setting up ssl
  [12/21]: importing CA certificates from LDAP
  [13/21]: publish CA cert
  [error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -L -n IPA.TEST IPA CA -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/usr/bin/certutil -d /etc/httpd/alias -L -n IPA.TEST IPA CA -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
This is caused by using incorrect CA cert nickname (the default one generated during CA-full install) instead of retrieving the correct nickname from the supplied PKCS#12 files (as can be seen from the content of HTTP alias directory):

```console
# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1                                                          C,,  
ca1/server                                                   u,u,u
```
Comment 2 Petr Vobornik 2017-04-03 14:03:15 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6806
Comment 3 Jan Cholasta 2017-04-03 14:04:40 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/8c87014e199b3dbe885c69d40a01d2723f813c3e
https://pagure.io/freeipa/c/aae9a918b68dc4f9a7b4fb9abf1bb4d26673109d
ipa-4-5:
https://pagure.io/freeipa/c/ebf24e783604952e59e557b5537c6d0de6146ce4
https://pagure.io/freeipa/c/99389748beb0158811505efa606c27e1e2e0bc7b
Comment 5 Michal Reznik 2017-05-26 08:58:25 UTC 
Verified on:

ipa-server-4.5.0-9.el7.x86_64

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin XXX --http-pin XXX --no-pkinit
Checking DNS domain testrelm.test, please wait ...

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host master.testrelm.test
Checking DNS domain testrelm.test., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       master.testrelm.test
IP address(es): 192.168.222.11
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.222.1
Forward policy:   only
Reverse zone(s):  No reverse zone

Adding [192.168.222.11 master.testrelm.test] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/45]: creating directory server instance
  [2/45]: enabling ldapi
...
<snip>
...
Configuring the web interface (httpd)
  [1/20]: stopping httpd
  [2/20]: setting mod_nss port to 443
  [3/20]: setting mod_nss cipher suite
  [4/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/20]: setting mod_nss password file
  [6/20]: enabling mod_nss renegotiate
  [7/20]: adding URL rewriting rules
  [8/20]: configuring httpd
  [9/20]: setting up httpd keytab
  [10/20]: configuring Gssproxy
  [11/20]: setting up ssl
  [12/20]: importing CA certificates from LDAP
  [13/20]: publish CA cert
  [14/20]: clean up any existing httpd ccaches
  [15/20]: configuring SELinux for httpd
  [16/20]: create KDC proxy config
  [17/20]: enable KDC proxy
  [18/20]: starting httpd
  [19/20]: configuring httpd to start on boot
  [20/20]: enabling oddjobd
Done configuring the web interface (httpd).
...
<snip>
...
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

In order for Firefox autoconfiguration to work you will need to
use a SSL signing certificate. See the IPA documentation for more details.
[root@master ~]# 
[root@master ~]# 
[root@master ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca1/server                                                   u,u,u
ca1                                                          C,,
Comment 6 errata-xmlrpc 2017-08-01 09:47:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304