Bug 1515314

Summary: ipa-replica-install fails with PIN error [ CA-less environment ]
Product: Red Hat Enterprise Linux 7
Reporter: Aly <opennetworksolutions>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: amore, frenaud, lmiksik, myusuf, ndehadra, pasik, pvoborni, rcritten, tdudlak, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.6.4-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 10:57:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Aly 2017-11-20 14:46:18 UTC
Description of problem:

Repeated prompting for a PIN during ipa-replica-install. No keys are set on the private keys, but no value is accepted, and even if a pin is set the installer just rolls back.


We successfully stood up the master node without any issues. We are attempting to set up our first replica and we noticed that during the ipa-replica-install process the installer is asking for a pin for the private key. The keys provided do not have any passwords/pins on them.

The certificates provided for the master also do not have a pin for the private key, and the installer did ask; however, simply hitting enter allowed us to proceed to the next step. That doesn't seem to be the same with ipa-replica-install. Eventually, if you enter anything, it rolls back the install.

Just for testing we did add a password to the private key and retried, but this did not seem to have an effect on the installer process. Even with a password on the key, when we entered it, it simply rolled back.

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7


How reproducible:


Steps to Reproduce:
1. Deploy a CA-less IdM configuration with a master node
2. Attempt to stand up replica (ipa-replica-install) with http and dirsrv certificates for the replica


Actual results:

[root@cbscclrv0885l certs]# ipa-replica-install --setup-dns --auto-forwarders  --dirsrv-cert-file cbscclrv0885l.crt --dirsrv-cert-file cbscclrv0885l-2.key --http-cert-file cbscclrv0885l.crt --http-cert-file cbscclrv0885l-2.key --no-pkinit --principal admin --admin-password 'IdM@XXXX2017' 


Configuring client side components
Discovery was successful!
Client hostname: cbscclrv0885l.nix.tm.XXXX.com
Realm: NIX.TM.XXXX.COM
DNS Domain: nix.tm.XXXX.com
IPA Server: cbscclrv0884l.nix.tm.XXXX.com
BaseDN: dc=nix,dc=tm,dc=XXXX,dc=com

Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
    Issuer:      CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
    Valid From:  2006-11-08 00:00:00
    Valid Until: 2036-07-16 23:59:59

    Subject:     CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
    Issuer:      CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
    Valid From:  2013-10-31 00:00:00
    Valid Until: 2023-10-30 23:59:59

Enrolled in IPA realm NIX.TM.XXXX.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm NIX.TM.XXXX.COM
trying https://cbscclrv0884l.nix.tm.XXXX.com/ipa/json
[try 1]: Forwarding 'ping' to json server 'https://cbscclrv0884l.nix.tm.XXXX.com/ipa/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://cbscclrv0884l.nix.tm.XXXX.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://cbscclrv0884l.nix.tm.XXXX.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring nix.tm.XXXX.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 
Enter Apache Server private key unlock password: 

Removing client side components
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The full certificate chain is not present in cbscclrv0885l.crt, cbscclrv0885l.key

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

---- LOG ----

2017-11-19T02:46:12Z DEBUG stderr=
2017-11-19T02:46:12Z DEBUG Starting external process
2017-11-19T02:46:12Z DEBUG args=/usr/sbin/ipa-client-install --unattended --uninstall
2017-11-19T02:46:15Z DEBUG Process finished, return code=0
2017-11-19T02:46:15Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 366, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 375, in validate
    for _nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 458, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 636, in _configure
    next(validator)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 458, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 613, in main
    replica_promote_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 408, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1043, in promote_check
    host_name=config.host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1059, in load_pkcs12
    (", ".join(cert_files)))

2017-11-19T02:46:15Z DEBUG The ipa-replica-install command failed, exception: ScriptError: The full certificate chain is not present in cbscclrv0885l.crt, cbscclrv0885l.key
2017-11-19T02:46:15Z ERROR The full certificate chain is not present in cbscclrv0885l.crt, cbscclrv0885l.key
2017-11-19T02:46:15Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Expected results:
Installation proceeds with no pin as no pins are on the keys. Installation 

Additional info:

Client Case: https://access.redhat.com/support/cases/#/case/01977104

Same bug for ipa-server-install.

https://bugzilla.redhat.com/show_bug.cgi?id=1360769
https://pagure.io/freeipa/issue/6032

Comment 2 Florence Blanc-Renaud 2017-11-21 09:27:28 UTC
Hi,

the issue is reproducible with ipa-replica-install in interactive mode. The workaround is to provide --dirsrv-pin="" --http-pin="".

The fix needs to modify ipaserver/install/server/replicainstall.py and add retry=False to the calls to installutils.read_password() used to set options.http_pin, options.dirsrv_pin and options.pkinit_pin.
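
The following is an added example, not FreeIPA's own code: a simplified stand-alone model of the read_password() loop described in the comment above, written so the effect of the retry flag can be seen offline. prompt_for_pin, make_prompt and count_prompts are hypothetical names, and the scripted answers are constructed; with retry=True an empty answer re-prompts forever (the twelve "Enter Apache Server private key unlock password:" lines in the report), with retry=False a single empty answer is accepted and the key is treated as unprotected.

```python
"""Simplified model of an installer's private-key PIN prompt.

Added example for this bug page, not FreeIPA's own code.  It reproduces the
retry behaviour of the read_password() call named in Comment 2 so that the
retry=False fix can be exercised in isolation.  All names are hypothetical.
"""


def prompt_for_pin(label, retry=True, ask=input):
    """Ask for the unlock PIN of a server private key.

    retry=True keeps re-asking until a non-empty value arrives, which is the
    endless "Enter ... private key unlock password:" loop seen in the bug
    when the key has no PIN at all.  retry=False asks exactly once and
    returns None for an empty answer, so an unprotected key is accepted by
    pressing Enter.  `ask` is injectable so the loop can be driven offline.
    """
    pin = None
    done = False
    try:
        while not done:
            if not retry:
                done = True          # one attempt only, whatever comes back
            answer = ask("Enter %s private key unlock password: " % label)
            if not answer:
                continue             # retry: ask again; no retry: leave with None
            pin = answer
            done = True
    except EOFError:
        return None                  # stdin closed: treat as "no PIN"
    return pin


def make_prompt(answers):
    """Build a stand-in for input() that replays `answers` and records prompts."""
    queue = list(answers)
    calls = []

    def ask(message):
        calls.append(message)
        if not queue:
            raise EOFError           # nothing left to type
        return queue.pop(0)

    ask.calls = calls
    return ask


def count_prompts(retry, answers, label="Apache Server"):
    """Run one prompt with scripted answers; return (pin, number_of_prompts)."""
    ask = make_prompt(answers)
    pin = prompt_for_pin(label, retry=retry, ask=ask)
    return pin, len(ask.calls)


if __name__ == "__main__":
    # Constructed session: Enter pressed twelve times on a key that has no PIN.
    for retry in (True, False):
        pin, n = count_prompts(retry, [""] * 12)
        print("retry=%-5s -> pin=%r after %d prompt(s)" % (retry, pin, n))
```

Running the block shows the two behaviours side by side: with retry=True the twelve empty answers are all rejected and the loop only stops when input runs out, whereas with retry=False the first empty answer ends the prompt with no PIN, which is what a CA-less install with unprotected keys needs.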

Comment 3 Florence Blanc-Renaud 2017-11-21 13:46:40 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7274

Comment 5 Florence Blanc-Renaud 2017-11-23 12:38:50 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/a94ba732abe175f5b9061a63f9cd6f46dace2388

Comment 16 Mohammad Rizwan 2018-08-28 10:52:52 UTC
Version:
ipa-server-4.6.4-6.el7.x86_64

Steps:

Execute upstream test suite:

$ IPATEST_YAML_CONFIG=/root/mh_cfg.yaml ipa-run-tests -v -r a --with-xunit test_integration/test_caless.py::TestReplicaInstall::test_certs_with_no_password --logging-level=DEBUG


Actual result:

[..]
[ipatests.pytest_ipa.integration.host.Host.replica.cmd103] RUN ['rm', '-rvf', '/root/ipatests/file_backup', '/root/ipatests/file_remove']
[ipatests.pytest_ipa.integration.host.Host.replica.cmd103] bash: line 1: cd: /root/ipatests: No such file or directory
[ipatests.pytest_ipa.integration.host.Host.replica.cmd103] bash: line 2: /root/ipatests/env.sh: No such file or directory
[ipatests.pytest_ipa.integration.host.Host.replica.cmd103] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.replica.OpenSSHTransport] GET /root/ipatests/backup_hostname
[ipatests.pytest_ipa.integration.host.Host.replica.cmd104] RUN ['cat', '/root/ipatests/backup_hostname']
[ipatests.pytest_ipa.integration.host.Host.replica.cmd104] cat: /root/ipatests/backup_hostname: No such file or directory
[ipatests.pytest_ipa.integration.host.Host.replica.cmd104] Exit code: 1
[ipatests.pytest_ipa.integration.host.Host.replica.OpenSSHTransport] RUN ['kdestroy', '-A']
[ipatests.pytest_ipa.integration.host.Host.replica.cmd105] RUN ['kdestroy', '-A']
[ipatests.pytest_ipa.integration.host.Host.replica.cmd105] bash: line 1: cd: /root/ipatests: No such file or directory
[ipatests.pytest_ipa.integration.host.Host.replica.cmd105] bash: line 2: /root/ipatests/env.sh: No such file or directory
[ipatests.pytest_ipa.integration.host.Host.replica.cmd105] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.replica.OpenSSHTransport] RUN ['rm', '-rvf', '/root/ipatests']
[ipatests.pytest_ipa.integration.host.Host.replica.cmd106] RUN ['rm', '-rvf', '/root/ipatests']
[ipatests.pytest_ipa.integration.host.Host.replica.cmd106] bash: line 1: cd: /root/ipatests: No such file or directory
[ipatests.pytest_ipa.integration.host.Host.replica.cmd106] bash: line 2: /root/ipatests/env.sh: No such file or directory
[ipatests.pytest_ipa.integration.host.Host.replica.cmd106] Exit code: 0


---------------------------------------------------- generated xml file: /root/nosetests.xml -----------------------------------------------------
=========================================================== 1 passed in 534.48 seconds ===========================================================


Full console logs are provided.

Hence, based on the above observation, marking the bug as verified.

Comment 17 Florence Blanc-Renaud 2018-08-28 11:51:07 UTC
The fix is missing in ipa-4-6, reverting to POST.

Comment 18 Florence Blanc-Renaud 2018-08-28 12:02:17 UTC
The right automation for this BZ is the following test:
test_integration/test_caless.py::TestReplicaInstall::test_certs_with_no_password_interactive

Comment 19 Tibor Dudlák 2018-08-28 14:06:03 UTC
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/25e4b67a0af6c96f77648c6ddddffeff16a191de

Comment 20 Tibor Dudlák 2018-08-28 14:08:00 UTC
Automation for ipa-4-6 is in commit:
https://pagure.io/freeipa/c/1a80ecc36f716bab88b4788ea8fb1a0aa3f5a9ce

Comment 24 Mohammad Rizwan 2018-08-30 13:39:21 UTC
Version:
ipa-server-4.6.4-7.el7.x86_64

Steps:

IPATEST_YAML_CONFIG=/root/mh_cfg.yaml ipa-run-tests -v -r a --with-xunit test_integration/test_caless.py::TestReplicaInstall --logging-level=DEBUG -k test_certs_with_no_password

test_integration/test_caless.py::TestReplicaInstall::test_certs_with_no_password_interactive [ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['kinit', 'admin']
[ipatests.pytest_ipa.integration.host.Host.master.cmd76] RUN ['kinit', 'admin']
[ipatests.pytest_ipa.integration.host.Host.master.cmd76] Password for admin: 
[ipatests.pytest_ipa.integration.host.Host.master.cmd76] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['ipa', 'domainlevel-get']
[ipatests.pytest_ipa.integration.host.Host.master.cmd77] RUN ['ipa', 'domainlevel-get']
[ipatests.pytest_ipa.integration.host.Host.master.cmd77] -----------------------
[ipatests.pytest_ipa.integration.host.Host.master.cmd77] Current domain level: 1
[ipatests.pytest_ipa.integration.host.Host.master.cmd77] -----------------------
[ipatests.pytest_ipa.integration.host.Host.master.cmd77] Exit code: 0
[ipatests.pytest_ipa.integration.host.Host.master.OpenSSHTransport] RUN ['true']
[ipatests.pytest_ipa.integration.host.Host.master.cmd78] RUN ['true']
[ipatests.pytest_ipa.integration.host.Host.master.cmd78] Exit code: 0

[..]

[ipatests.pytest_ipa.integration.host.Host.replica.cmd166] Exit code: 255
[ipatests.pytest_ipa.integration.host.Host.replica.OpenSSHTransport] RUN ['certutil', '-L', '-d', '/etc/httpd/alias']
[ipatests.pytest_ipa.integration.host.Host.replica.cmd167] RUN ['certutil', '-L', '-d', '/etc/httpd/alias']
[ipatests.pytest_ipa.integration.host.Host.replica.cmd167] bash: line 1: cd: /root/ipatests: No such file or directory
[ipatests.pytest_ipa.integration.host.Host.replica.cmd167] bash: line 2: /root/ipatests/env.sh: No such file or directory
[ipatests.pytest_ipa.integration.host.Host.replica.cmd167] certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
[ipatests.pytest_ipa.integration.host.Host.replica.cmd167] Exit code: 255
PASSED

Full console logs are provided.

Both test cases passed. Hence marking the bug as verified.

Comment 26 errata-xmlrpc 2018-10-30 10:57:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187