| Summary: | [FIX] ipa-replica-install fails to create a valid cert db password | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] freeIPA | Reporter: | raal.goff | ||||
| Component: | ipa-server | Assignee: | Rob Crittenden <rcritten> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 2.0 | CC: | benl, dpal, jgalipea | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | freeipa-2.1.3-5.fc16 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-03-28 09:28:05 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Attachments: |
I have a feeling something else is going on; this is the first report like this. I couldn't reproduce the reported problem, but the replica HTTP database was being generated with a blank password. Having an empty password isn't necessarily all that horrible, but we don't want to do it by default, so I instead made it so we never call with passwd='' by default and instead use passwd=None.

master: d43ba5316a08249fa276cdc43338d85f784547f0
ipa-2-0: 5fab4570ad50ff400c2f95a72c9a6668545a2b8f
Created attachment 510376
Patch for fix

Description of problem:

When running ipa-replica-install, it will fail at the following step:

Configuring the web interface: Estimated time 1 minute
  [1/11]: disabling mod_ssl in httpd
  [2/11]: setting mod_nss port to 443
  [3/11]: setting mod_nss password file
  [4/11]: adding URL rewriting rules
  [5/11]: configuring httpd
  [6/11]: setting up ssl
  [7/11]: publish CA cert
  [8/11]: creating a keytab for httpd
  [9/11]: configuring SELinux for httpd
  [10/11]: restarting httpd
creation of replica failed: Command '/sbin/service httpd restart ' returned non-zero exit status 1

Looking in /var/log/httpd/error_log shows:

[Tue Jun 28 14:50:35 2011] [error] Certificate not found: 'Server-Cert'

This seems to be because the password file (/etc/httpd/conf/password.conf) for the certificate db is empty.

Version-Release number of selected component (if applicable):
2.0

How reproducible:
Every time (for my install at least)

Steps to Reproduce:
1. ipa-replica-prepare ipareplica.example.com
2. scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
3. ipa-replica-install /var/lib/ipa/replica-info-ipareplica.example.com.gpg

Actual results:
Replica creation fails

Expected results:
Replica creation should succeed

Additional info:

It can be fixed by changing line 300 of ipaserver/install/certs.py from:

if passwd is not None:

to:

if passwd is not None and passwd is not "":

This will force create_passwd_file to generate a password if it's blank. The source of the problem could also be create_from_cacert(), since its definition makes the passwd default to '' instead of None like all others.

The attached patch file should apply the fix.
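
The condition discussed in this report, as an added example that is not FreeIPA's code: simplified stand-ins for create_passwd_file show how a passwd='' default passes an `is not None` check and produces an empty password file, next to a variant that treats None and '' alike. The function names, the random generator, the file-mode handling and the truthiness test (used here in place of an identity comparison against "") are assumptions, and the last function is a check for a blank password file.

```python
import os
import secrets
import tempfile


def _write_private(path, value):
    # Create the file with mode 0600 so the password is never world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(value)


def create_passwd_file_before(path, passwd=None):
    """Stand-in for the reported behaviour: only None triggers generation."""
    if passwd is not None:
        value = passwd  # passwd='' lands here and is written verbatim
    else:
        value = secrets.token_hex(20)
    _write_private(path, value)
    return value


def create_passwd_file_after(path, passwd=None):
    """Treat None and '' alike, so a blank password is never the default."""
    value = passwd if passwd else secrets.token_hex(20)
    _write_private(path, value)
    return value


def is_blank_password_file(path):
    """Check usable after an install: True if the file holds no password."""
    with open(path) as f:
        return f.read().strip() == ""


def demo():
    """Call both variants with passwd='' (the default named in the report)."""
    with tempfile.TemporaryDirectory() as d:
        before = os.path.join(d, "before.conf")
        after = os.path.join(d, "after.conf")
        create_passwd_file_before(before, passwd="")
        create_passwd_file_after(after, passwd="")
        return is_blank_password_file(before), is_blank_password_file(after)


if __name__ == "__main__":
    print(demo())
```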