Bug 1598044

This is the report we received from ipa-upgrade tests

time:           Tue 03 Jul 2018 07:08:22 PM IST
package:        ipa-server-4.6.4-2.el7
reason:         plugable.py:491:bootstrap:SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
cmdline:        /usr/bin/python2 /usr/libexec/ipa/ipa-httpd-kdcproxy
executable:     /usr/libexec/ipa/ipa-httpd-kdcproxy
component:      ipa
uid:            0
username:       root
hostname:       vm-idm-001.aa1239.test
os_release:     Red Hat Enterprise Linux Server release 7.3 (Maipo)
architecture:   x86_64
kernel:         3.10.0-514.39.1.el7.x86_64
abrt_version:   2.1.11

Reports:
uReport: BTHASH=495a08502f19378984f6a39f57e911d5591393d2
ABRT Server: URL=http://faf.lab.eng.brq.redhat.com/faf/reports/bthash/495a08502f19378984f6a39f57e911d5591393d2
ABRT Server: URL=http://faf.lab.eng.brq.redhat.com/faf/reports/7008/
Beaker Task: https://beaker.engineering.redhat.com/recipes/5343501#task74963109

Full Backtrace:
plugable.py:491:bootstrap:SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".

Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-httpd-kdcproxy", line 215, in <module>
    sys.exit(main())
  File "/usr/libexec/ipa/ipa-httpd-kdcproxy", line 190, in main
    log=None, debug=debug)
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 491, in bootstrap
    raise errors.SystemEncodingError(encoding=fse)
SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".

Local variables in innermost frame:
fse: 'ANSI_X3.4-1968'
level: 20
overrides: {'confdir': '/etc/ipa', 'debug': False, 'log': None, 'context': 'server'}
parser: <optparse.OptionParser instance at 0x7f87e156d170>
root_logger: <logging.RootLogger object at 0x7f87eb31d690>
handler: <logging.StreamHandler object at 0x7f87e1b2f150>
self: <ipalib.API object at 0x7f87e15c5e10>
match: None
attr: 'xmlrpc_uri'

Additional information:
environ:
:LANG=C
:PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
:KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
:KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache

Upstream ticket:
https://pagure.io/freeipa/issue/7646

Note that the actual issue is that RHEL 7 has no working C.UTF-8 locale, so the fix we had upstream (run kdcproxy under C.UTF-8 locale) will not work here. See bug 1361965 for more details.

I think we should move to en_US.UTF-8 here and upstream until glibc gets a properly fixed C.UTF-8 locale.

I don't think it isn't going to be that simple. The system encoding is ANSI_X3.4-1968 so that will need to be overridden every place that api.finalize() is called.

Even simple things like ipactl fail.

What matters is a system encoding utf-8 in API.bootstrap(). We already consider it an error to have non-UTF-8 encoding there. What if we fix the issue by forcing a locale with UTF-8 there instead and falling back to en_us.UTF-8 if everything fails.

        # check after logging is set up but before we create files.
        fse = sys.getfilesystemencoding()
        if fse.lower() not in {'utf-8', 'utf8'}:
            raise errors.SystemEncodingError(encoding=fse)

instead of raising an error here immediately, try to do a setlocale(LC_ALL, <current locale>.UTF-8), then if fails, do same for <en_US.UTF-8>. If that fails, raise an exception. We can even try C.UTF-8 too in the order.

We have a bit similar behavior for the default client locale in ipalib/rpc.py already (in LanguageAwareTransport.get_host_info()) where we try to retrieve a client locale for LC_MESSAGES and if fail do Accept-Language: en-us.

This would require a bit of work in client/ipa-client-common.c for C tools but nothing too dramatic.

The origin of the issue is python 3 which we don't need to worry about here.

The Accept-Language is for the web only. It doesn't deal with locale settings at all, just in the messages that the server returns to the HTTP client.

In my experiments locale.setlocale() does not work with no LANG set:

--
import locale
import sys

def set_locale(loc):
    print sys.getfilesystemencoding()
    locale.setlocale(locale.LC_ALL, loc)
    print sys.getfilesystemencoding()

set_locale('en_US')
set_locale('en_US.utf8')
--

# echo $LANG

# python test.py 
ANSI_X3.4-1968
ANSI_X3.4-1968
ANSI_X3.4-1968
ANSI_X3.4-1968

This is going to affect anything running as root or without $LANG set (so basically ipa*).

Since you are using LC_ALL, you need to define LC_ALL or it will default to ANSI, indeed:

$ LC_ALL=C.UTF-8 python l.py
UTF-8
UTF-8
UTF-8
UTF-8
$ LC_ALL=C=en_US.UTF-8 python l.py
ANSI_X3.4-1968
ANSI_X3.4-1968
ANSI_X3.4-1968
ANSI_X3.4-1968
$ LC_ALL=en_US.UTF-8 python l.py
UTF-8
UTF-8
UTF-8
UTF-8

The second test is when you have incorrect LC_ALL value (or a missing one). So my proposal stands but requires to manipulate LC_ALL instead of second argument to setlocale.

The issue mentioned in the bug also affects RFE at BZ1427105#c16 for scenario related to :

Setup IPA as CA-LESS and promote it to EXT-CA using  "OID" in option '--external-ca-profile='

Setup IPA as CA-LESS and promote it to EXT-CA using  "String-Name" in option '--external-ca-profile='

*downstream* patch has been pushed in the repo

Note: the downstream patch reverts https://pagure.io/freeipa/c/e1bd827bbf56970ddd02ec174bf2317b64e75514 Require UTF-8 fs encoding

Because this was thought to be related to an ipa-certupdate issue I was seeing elsewhere, I ran a quick check (including setting LANG):

After ipa install, everything seemed good:
[root@rhel7-4 ~]# echo $LANG
ANSI_X3.4-1968
[root@rhel7-4 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 --reverse-zone=122.168.192.in-addr.arpa. --domain=example.com --realm=EXAMPLE.COM --hostname=rhel7-4.example.com --ip-address=192.168.122.74 --ds-password=Secret123 --admin-password=Secret123 --allow-zone-overlap --unattended

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host rhel7-4.example.com
Checking DNS domain example.com., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       rhel7-4.example.com
IP address(es): 192.168.122.74
Domain name:    example.com
Realm name:     EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.122.1
Forward policy:   only
Reverse zone(s):  122.168.192.in-addr.arpa.

Adding [192.168.122.74 rhel7-4.example.com] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [7/44]: adding default schema
  [8/44]: enabling memberof plugin
  [9/44]: enabling winsync plugin
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: exporting Dogtag certificate store pin
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: configure certmonger for renewals
  [10/28]: requesting RA certificate from CA
  [11/28]: setting audit signing renewal to 2 years
  [12/28]: restarting certificate server
  [13/28]: publishing the CA certificate
  [14/28]: adding RA agent as a trusted user
  [15/28]: authorizing RA to modify profiles
  [16/28]: authorizing RA to manage lightweight CAs
  [17/28]: Ensure lightweight CAs container exists
  [18/28]: configure certificate renewals
  [19/28]: configure Server-Cert certificate renewal
  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: updating IPA configuration
  [23/28]: enabling CA instance
  [24/28]: migrating certificate profiles to LDAP
  [25/28]: importing IPA certificate profiles
  [26/28]: adding default CA ACL
  [27/28]: adding 'ipa' CA entry
  [28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: rhel7-4.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-4.example.com
BaseDN: dc=example,dc=com

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://rhel7-4.example.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://rhel7-4.example.com/ipa/json'
trying https://rhel7-4.example.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://rhel7-4.example.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://rhel7-4.example.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://rhel7-4.example.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

[root@rhel7-4 ~]# kinit admin
Password for admin: 


[root@rhel7-4 ~]# echo $LANG
ANSI_X3.4-1968

[root@rhel7-4 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@rhel7-4 ~]# ipa-certupdate 
trying https://rhel7-4.example.com/ipa/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://rhel7-4.example.com/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://rhel7-4.example.com/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

[root@rhel7-4 ~]# rpm -q ipa-server certmonger 389-ds-base
ipa-server-4.6.4-5.el7.x86_64
certmonger-0.78.4-8.el7.x86_64
389-ds-base-1.3.8.4-10.el7.x86_64

FYI, the first time I ran the test without setting LANG and saw same results.

Still need the test cases Nikhil mentioned before run but, he's going to post those results when the RFE testing is complete.

ipa-server-version: ipa-server-4.6.4-6.el7.x86_64 

Verified the bug on the basis of below observations:

1. Verified that the scenario#5 of 'Setup IPA as CA-LESS and promote it to EXT-CA using  "OID" in option '--external-ca-profile=' which is mentioned at https://bugzilla.redhat.com/show_bug.cgi?id=1427105#c14 is now successful.


Setup IPA-Master as CA-less:

[root@cloud-qe-17 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@cloud-qe-17 ~]# tail -1 /var/log/ipaserver-install.log 
2018-08-21T07:54:14Z INFO The ipa-server-install command was successful

[root@cloud-qe-17 ~]# kinit admin
Password for admin: 

# Promote IPA to EXT-CA using  "OID" in option '--external-ca-profile='
[root@cloud-qe-17 ~]# ipa-ca-install --external-ca --external-ca-type=ms-cs --external-ca-profile=1.3.6.1.4.1.311.21.8.9362932.12504478.13451942.9553642.3917922.178.6294823.5261476:100:5
Directory Manager (existing master) password: 

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-ca-install as:
/usr/sbin/ipa-ca-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
[root@cloud-qe-17 ~]# cat /root/ipa.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC7zCCAdcCAQAwODEWMBQGA1UEChMNVEVTVFJFTE0uVEVTVDEeMBwGA1UEAxMV
Q2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEArRnJ+ZRg0x39hlNzOv+Q8+deDU1Gx65IKqtN5Rv2C4FNfjMwRiqebCM5
ILxnXY5TYmSwHR1qYe/06j1bqaFxYJM3++iywr1i5NN64/CPMbxBBM4xT0T3c8VL
3w157g6dw4WcLGhY/anZC8zPTmCwyJYjsogZfMgRvBV+bTaMweO32Z8qHroOIM38
E7rF1ZUIfJ1getDB0LLiPTDx2qO0SqC9LHpPr5wQKPD/0mtqeYsppJKF2ByLtTeO
H3K1vw52J/JL9ASiHxdrdWuHonxfVabzexVMJ+0ThtQNffGnOtJwtlDrBEipiQSb
Lwoqzh/X+TLUjA0qLYNpNKs3QeteyQIDAQABoHIwcAYJKoZIhvcNAQkOMWMwYTA+
BgkrBgEEAYI3FQcEMTAvBicrBgEEAYI3FQiEu7t0hfubHoa1hSaEx41qge+QYoEy
g4CaJ4LBkSQCAWQCAQUwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYw
DQYJKoZIhvcNAQELBQADggEBADO/1QHFr4uMIdWIeJLMpXI8OJVeCUQwvwcqM11g
h0kGBmvCzbBldFXNqUIegX+tNmIvbzNUCOuBc1XkbOoiux8mz5om2dJM1D1YLu6K
LLJwvEhWz0HI3eI/MpFdChh1AalxcSCWRwSc31NluoaqCEEskraS5sagfXGcsWRE
MUQwbKWnKPSzwmLJiUA2LUp8Ax1kVz7w6h8lDcfpGSQDRx+aU0ax5W7LRWEkfUwD
25pV0Xa6a+W8G2/0SqW0e7L0TFPiU6UO73+O7j6EtXdClnxvtl6t1sOnTfgYjdbS
3VYv70GkKX9ur8K1yvZhe9qA1bqFQ+tS1nv6eGqWiEtcQtg=
-----END NEW CERTIFICATE REQUEST-----
[root@cloud-qe-17 ~]# pwd
/root
[root@cloud-qe-17 ~]# ls -l
total 64
-rw-------. 1 root root 21267 Aug 20 08:09 anaconda-ks.cfg
-rw-rw-r--. 1 root root  1118 Aug 21 03:56 ipa.csr
drwxr-xr-x. 3 root root    21 Aug 20 08:14 ipa-pytest-config
drwxr-xr-x. 9 root root   185 Aug 20 08:18 ipa-pytests
-rw-r--r--. 1 root root     4 Aug 20 08:08 NETBOOT_METHOD.TXT
-rw-------. 1 root root 20764 Aug 20 08:09 original-ks.cfg
-rw-r--r--. 1 root root     8 Aug 20 08:08 RECIPE.TXT
-rw-------. 1 root root  3221 Aug 21 03:54 replica.p12

# Use CSR to genratate new base64-encoded using Microsoft Active Directory Certificate Services and copy it to the IPA-server as 'certnew.cer' and 'certnew.p7b'

[root@cloud-qe-17 ~]# ls -l
total 72
-rw-------. 1 root root 21267 Aug 20 08:09 anaconda-ks.cfg
-rw-r--r--. 1 root root  1892 Aug 21 03:59 certnew.cer
-rw-r--r--. 1 root root  3146 Aug 21 03:59 certnew.p7b
-rw-rw-r--. 1 root root  1118 Aug 21 03:56 ipa.csr
drwxr-xr-x. 3 root root    21 Aug 20 08:14 ipa-pytest-config
drwxr-xr-x. 9 root root   185 Aug 20 08:18 ipa-pytests
-rw-r--r--. 1 root root     4 Aug 20 08:08 NETBOOT_METHOD.TXT
-rw-------. 1 root root 20764 Aug 20 08:09 original-ks.cfg
-rw-r--r--. 1 root root     8 Aug 20 08:08 RECIPE.TXT
-rw-------. 1 root root  3221 Aug 21 03:54 replica.p12

# Copy the AD's root-CA to IPA-Master, by using export to File option in AD. In my case it is named as 'ADcer-rootca.cer' 

[root@cloud-qe-17 ~]# ls -l
total 76
-rw-r--r--. 1 root root  1250 Aug 21 04:06 ADcer-rootca.cer
-rw-------. 1 root root 21267 Aug 20 08:09 anaconda-ks.cfg
-rw-r--r--. 1 root root  1892 Aug 21 03:59 certnew.cer
-rw-r--r--. 1 root root  3146 Aug 21 03:59 certnew.p7b
-rw-rw-r--. 1 root root  1118 Aug 21 03:56 ipa.csr
drwxr-xr-x. 3 root root    21 Aug 20 08:14 ipa-pytest-config
drwxr-xr-x. 9 root root   185 Aug 20 08:18 ipa-pytests
-rw-r--r--. 1 root root     4 Aug 20 08:08 NETBOOT_METHOD.TXT
-rw-------. 1 root root 20764 Aug 20 08:09 original-ks.cfg
-rw-r--r--. 1 root root     8 Aug 20 08:08 RECIPE.TXT
-rw-------. 1 root root  3221 Aug 21 03:54 replica.p12

[root@cloud-qe-17 ~]# ipa-ca-install --external-cert-file=/root/certnew.cer --external-cert-file=/root/ADcer-rootca.cer
Directory Manager (existing master) password: 

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: exporting Dogtag certificate store pin
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: configure certmonger for renewals
  [10/28]: requesting RA certificate from CA
  [11/28]: setting audit signing renewal to 2 years
  [12/28]: restarting certificate server
  [13/28]: publishing the CA certificate
  [14/28]: adding RA agent as a trusted user
  [15/28]: authorizing RA to modify profiles
  [16/28]: authorizing RA to manage lightweight CAs
  [17/28]: Ensure lightweight CAs container exists
  [18/28]: configure certificate renewals
  [19/28]: configure Server-Cert certificate renewal
  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: updating IPA configuration
  [23/28]: enabling CA instance
  [24/28]: migrating certificate profiles to LDAP
  [25/28]: importing IPA certificate profiles
  [26/28]: adding default CA ACL
  [27/28]: adding 'ipa' CA entry
  [28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@cloud-qe-17 ~]# echo $?
0
[root@cloud-qe-17 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@cloud-qe-17 ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@cloud-qe-17 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Thus the 'ipa-ca-install' command is successful.

Thus on the basis of above observations and comment#14, marking the status of bug to 'VERIFIED'.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187