Bug 754607

Summary: pkisilent fails when link local IPv6 address is present on eth0
Product: [Fedora] Fedora Reporter: Thomas Sailer <fedora>
Component: pki-silentAssignee: Matthew Harmsen <mharmsen>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: alee, dennis, kwright, nkinder
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 766903 (view as bug list) Environment:
Last Closed: 2012-09-27 00:40:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 766903    

Description Thomas Sailer 2011-11-16 23:58:13 UTC 
Description of problem:
I was trying to install freeipa. The freeipa installer calls pkisilent. pkisilent failed when a link local IPv6 address was configured on eth0. In this case, the installed pki daemons (eg port 9445) only opened IPv6 listening sockets, no IPv4 sockets. This machine is IPv4 exclusively, its host name resolves to an IPv4 address only.

Version-Release number of selected component (if applicable):
pki-silent-9.0.15-1.fc16

How reproducible:
always

Steps to Reproduce:
1. as part of ipa-server-install, the following command is executed:
/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'server.xxxxx.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-HxuF_T' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'rgN1Coi9yfnvOUlxsUUw' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=AXSEM.COM' '-ldap_host' server.xxxxx.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=XXXXX.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=XXXXX.COM' '-ca_server_cert_subject_name' 'CN=axextserver1.hq.axsem.com,O=XXXXX.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=XXXXX.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=XXXXX.COM' '-external' 'false' '-clone' 'false'
  
Actual results:
exit status 255 

Expected results:
exit status 0

Additional info:
Removing the link local IPv6 address made it work for me.
Comment 1 Ade Lee 2012-03-05 19:21:32 UTC 
Need more info please.

Please provide the /etc/hosts or other configuration for the failing case.
Also please provide the dogtag logs so we try to understand what is going on.

tar cvzf ca.logs.tar.gz /var/log/pki-ca/*
also provide /var/log/pki-ca-install.log

Thanks.
Comment 2 Nathan Kinder 2012-07-09 17:25:54 UTC 
We need to get more information to be able to reproduce this issue.  Please provide the information requested in comment#1.
Comment 3 Matthew Harmsen 2012-09-27 00:40:04 UTC 
Since no further information was obtained, the following test was run:

# hostname
server.example.com

# uname -a
Linux server.example.com 3.4.9-2.fc16.x86_64 #1 SMP Thu Aug 23 17:51:29 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/fedora-release 
Fedora release 16 (Verne)

# ifconfig
em1       Link encap:Ethernet  HWaddr 00:1E:4F:AB:7B:1A  
          inet addr:10.14.16.14  Bcast:10.14.16.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:4fff:feab:7b1a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16125115 errors:0 dropped:9788 overruns:0 frame:0
          TX packets:11664389 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18350671303 (17.0 GiB)  TX bytes:3223102316 (3.0 GiB)
          Interrupt:16 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:124035 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124035 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:53816054 (51.3 MiB)  TX bytes:53816054 (51.3 MiB)

# /usr/sbin/setup-ds-admin.pl

# rpm -qa | egrep -i pki-\|osutil | sort | cat -n
     1	dogtag-pki-ca-theme-9.0.12-1.fc16.noarch
     2	dogtag-pki-common-theme-9.0.12-1.fc16.noarch
     3	dogtag-pki-console-theme-9.0.12-1.fc16.noarch
     4	dogtag-pki-kra-theme-9.0.12-1.fc16.noarch
     5	dogtag-pki-ocsp-theme-9.0.12-1.fc16.noarch
     6	dogtag-pki-ra-theme-9.0.12-1.fc16.noarch
     7	dogtag-pki-tks-theme-9.0.12-1.fc16.noarch
     8	dogtag-pki-tps-theme-9.0.12-1.fc16.noarch
     9	osutil-2.0.2-1.fc16.x86_64
    10	pki-ca-9.0.23-1.fc16.noarch
    11	pki-common-9.0.23-1.fc16.noarch
    12	pki-common-javadoc-9.0.23-1.fc16.noarch
    13	pki-java-tools-9.0.23-1.fc16.noarch
    14	pki-java-tools-javadoc-9.0.23-1.fc16.noarch
    15	pki-native-tools-9.0.23-1.fc16.x86_64
    16	pki-selinux-9.0.23-1.fc16.noarch
    17	pki-setup-9.0.23-1.fc16.noarch
    18	pki-silent-9.0.23-1.fc16.noarch
    19	pki-symkey-9.0.23-1.fc16.x86_64
    20	pki-util-9.0.23-1.fc16.noarch
    21	pki-util-javadoc-9.0.23-1.fc16.noarch

# pkicreate -pki_instance_root=/var/lib        \
            -pki_instance_name=pki-ca          \
            -subsystem_type=ca                 \
            -agent_secure_port=9443            \
            -ee_secure_port=9444               \
            -ee_secure_client_auth_port=9446   \
            -admin_secure_port=9445            \
            -unsecure_port=9180                \
            -tomcat_server_port=9701           \
            -user=pkiuser                      \
            -group=pkiuser                     \
            -redirect conf=/etc/pki-ca         \
            -redirect logs=/var/log/pki-ca     \
            -verbose

# pkisilent ConfigureCA                                                                                         \
      -cs_hostname "server.example.com"                                                                         \
      -cs_port 9445                                                                                             \
      -client_certdb_dir /tmp                                                                                   \
      -client_certdb_pwd XXXXXXXX                                                                               \
      -preop_pin HgI7JGfR4KGWIi1qFshi                                                                           \
      -domain_name "Security Domain"                                                                            \
      -admin_user admin                                                                                         \
      -admin_password XXXXXXXX                                                                                  \
      -admin_email "root@localhost"                                                                             \
      -agent_name "CA Administrator of Instance pki-ca\'s Security Domain ID"                                   \
      -agent_key_size 2048                                                                                      \
      -agent_key_type rsa                                                                                       \
      -agent_cert_subject "cn=CA Administrator of Instance pki-ca,uid=admin,e=root@localhost,o=Security Domain" \
      -ldap_host localhost                                                                                      \
      -ldap_port 389                                                                                            \
      -bind_dn "cn=Directory Manager"                                                                           \
      -bind_password XXXXXXXX                                                                                   \
      -base_dn "dc=server.example.com-pki-ca"                                                                   \
      -db_name "server.example.com-pki-ca"                                                                      \
      -key_size 2048                                                                                            \
      -key_type rsa                                                                                             \
      -key_algorithm SHA256withRSA                                                                              \
      -signing_algorithm SHA256withRSA                                                                          \
      -signing_signingalgorithm SHA256withRSA                                                                   \
      -ocsp_signing_signingalgorithm SHA256withRSA                                                              \
      -save_p12 true                                                                                            \
      -backup_pwd XXXXXXXX                                                                                      \
      -subsystem_name "Certificate Authority"                                                                   \
      -token_name internal                                                                                      \
      -token_pwd XXXXXXXX                                                                                       \
      -ca_sign_cert_subject_name "cn=Certificate Authority,o=Security Domain"                                   \
      -ca_subsystem_cert_subject_name "cn=CA Subsystem Certificate,o=Security Domain"                           \
      -ca_ocsp_cert_subject_name "cn=OCSP Signing Certificate,o=Security Domain"                                \
      -ca_server_cert_subject_name "cn=server.example.com,o=Security Domain"                                    \
      -ca_audit_signing_cert_subject_name "cn=CA Audit Signing Certificate,o=Security Domain"                   \
      -external false                                                                                           \
      -clone false

# /bin/systemctl restart pki-cad

# cd /tmp

# pk12util -o admin.p12 -n "CA Administrator of Instance pki-ca\'s Security Domain ID" -d .

# chmod 755 admin.p12

Create a new firefox profile for 'user' and import the Admin Certificate:

% cd ~/user/.mozilla/firefox/g8zpfo7q.f16

% cp /tmp/admin.p12 .

% pk12util -i admin.p12 -d .

Open the browser and select the new profile:

* https://server.example.com:9445/ca/services
  * Select "SSL End Users Services" and trust the connection
* https://server.example.com:9444/ca/ee/ca/
  * Select Retrieval Tab
    * Select "Import CA Certificate Chain"
      * Select "Import the CA certificate chain into your browser" radio button and press "Submit"
        * Check all three trust checkboxes and press "OK"
* https://server.example.com:9443/ca/agent/ca/
  * Accept the "CA Administrator of Instance pki-ca\'s Security Domain ID [06]" and press "OK"

Successfully enrolled and approved a certificate request.