Bug 788084

Summary: ipa-ca-install fails when --no-host-dns option is provided.
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.0
Status: CLOSED WORKSFORME
Reporter: Gowrishankar Rajaiyan <grajaiya>
Assignee: Rob Crittenden <rcritten>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: jgalipea, ksiddiqu, mkosek
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-05-31 10:28:26 UTC
Attachments: ipareplica-ca-install.log

Description Gowrishankar Rajaiyan 2012-02-07 12:39:59 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-101.20120205T0931zgit55cd9e7.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install ipa server
2. Create replica file
3. Install ipa replica
4. Make sure lookup fails for the slave (remove all DNS records of the slave from the master, or point the slave to another DNS server which does not resolve it)
5. Install ipa ca on the slave with the --no-host-dns option

Actual results:
ipa-ca-install fails

[root@skyfire ~]# ipa-ca-install -p Secret123 -w Secret123 --skip-conncheck --unattended --no-host-dns /var/lib/ipa/replica-info-skyfire.lab.eng.pnq.redhat.com.gpg 
Warning: skipping DNS resolution of host skyfire.lab.eng.pnq.redhat.com
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/11]: creating certificate server user
  [2/11]: creating pki-ca instance
  [3/11]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'skyfire.lab.eng.pnq.redhat.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-XjrHAu' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'jl79lmqfIychyBVPZXQX' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=LAB.ENG.PNQ.REDHAT.COM' '-ldap_host' 'skyfire.lab.eng.pnq.redhat.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=LAB.ENG.PNQ.REDHAT.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=LAB.ENG.PNQ.REDHAT.COM' '-ca_server_cert_subject_name' 'CN=skyfire.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=LAB.ENG.PNQ.REDHAT.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' XXXXXXXX '-sd_hostname' 'zetaprime.lab.eng.pnq.redhat.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true' '-clone_uri' 'https://zetaprime.lab.eng.pnq.redhat.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@skyfire ~]# 

Expected results:
ipa-ca-install should succeed with the --no-host-dns option even if there is no resolution of the hostname.

Additional info:

Comment 1 Gowrishankar Rajaiyan 2012-02-07 12:41:16 UTC
Created attachment 559926 [details]
ipareplica-ca-install.log

Comment 3 Rob Crittenden 2012-02-07 13:34:24 UTC
The implication here is that this works without --no-host-dns?

This option just skips the DNS lookup. If the host name is not resolvable it will never be installable. Is the host in /etc/hosts at least?

I assume you're using --skip-conncheck because that would otherwise catch the problem?

Comment 4 Gowrishankar Rajaiyan 2012-02-08 07:21:13 UTC
(In reply to comment #3)
> The implication here is that this works without --no-host-dns?
> 

This fails with or without the --no-host-dns option, but it is expected to pass when the --no-host-dns option is provided.


> This option just skips the DNS lookup. If the host name is not resolvable it
> will never be installable. Is the host in /etc/hosts at least?
> 

Yes, the host exists in /etc/hosts.
[root@skyfire ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.65.201.232	skyfire.lab.eng.pnq.redhat.com	skyfire
[root@skyfire ~]# 


> I assume you're using --skip-conncheck because that would otherwise catch the
> problem?

Yes, --skip-conncheck catches the problem; however, the test case was to test the --no-host-dns option explicitly.
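
The point made in comment 3 (--no-host-dns only skips the DNS lookup; the replica's name must still resolve, in practice through /etc/hosts) is the check worth automating before an unattended replica install. The following is an added example, not code from this bug report or from FreeIPA: it parses hosts-file content the way the files resolver does (first matching line wins, `#` starts a comment) and flags the cases that make the host name unusable for the installer, namely a missing entry, a loopback mapping, or a line whose canonical name is a short alias rather than the FQDN. The first hosts snippet is the reporter's /etc/hosts from this comment; the second snippet and the name `replica.example.test` are constructed failure cases.

```python
"""Preflight check for a FreeIPA CA replica install run with --no-host-dns.

Added example, not part of the bug report or of FreeIPA. --no-host-dns skips
the installer's DNS lookup only; the host name still has to resolve, so the
usual fallback is an /etc/hosts entry. This checks that such an entry exists
and is one the installer can actually use.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Reporter's /etc/hosts from comment 4 (trailing comment added here).
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.65.201.232   skyfire.lab.eng.pnq.redhat.com  skyfire   # replica host
"""

# Constructed failure case: FQDN listed as an alias of localhost first, so the
# files resolver returns 127.0.0.1 for it even though a real entry follows.
BAD_HOSTS = """\
127.0.0.1   localhost replica.example.test
10.0.0.5    replica   replica.example.test
"""

Entry = Tuple[ipaddress._BaseAddress, List[str]]


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, [canonical, aliases...]) in file order; skip blanks, comments, junk."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no names is never matched
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed address, ignored by the resolver too
        entries.append((addr, fields[1:]))
    return entries


def lookup(entries: List[Entry], hostname: str) -> Optional[Entry]:
    """First entry naming hostname (case-insensitive), as gethostbyname does for the files source."""
    wanted = hostname.lower().rstrip(".")
    for entry in entries:
        if wanted in (n.lower() for n in entry[1]):
            return entry
    return None


def check_replica_hostname(hosts_text: str, hostname: str) -> Dict[str, object]:
    """Report whether hostname resolves via hosts_text to something the installer can use."""
    entry = lookup(parse_hosts(hosts_text), hostname)
    result: Dict[str, object] = {"hostname": hostname, "address": None, "ok": False, "problems": []}
    problems: List[str] = result["problems"]  # type: ignore[assignment]
    if entry is None:
        problems.append("hostname not present in /etc/hosts")
        return result
    addr, names = entry
    result["address"] = str(addr)
    if addr.is_loopback:
        problems.append(f"{addr} is a loopback address; IPA refuses a host name resolving to localhost")
    if "." not in hostname:
        problems.append("hostname is not fully qualified")
    if names[0].lower() != hostname.lower():
        problems.append(f"canonical name on the matching line is {names[0]!r}, not {hostname!r}")
    result["ok"] = not problems
    return result


if __name__ == "__main__":
    for text, name in ((SAMPLE_HOSTS, "skyfire.lab.eng.pnq.redhat.com"),
                       (BAD_HOSTS, "replica.example.test")):
        print(check_replica_hostname(text, name))
```

Run it with the replica's real /etc/hosts read into `hosts_text` and the FQDN that will be passed to ipa-ca-install; an `ok` of `False` with a non-empty `problems` list is exactly the condition that --skip-conncheck would otherwise hide.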

Comment 5 Dmitri Pal 2012-02-08 20:18:31 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2360

Comment 10 Kaleem 2013-05-31 10:28:26 UTC
Not reproducible on Fedora-18, so closing this.

IPA Version:
============
freeipa-server-3.2.99-0.20130531T0826Zgit34ba1b7.fc18.x86_64
:: [05:38:53] ::  freeipa-server package is installed

Extract from automation log:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Installing CA Replica with --no-host-dns option
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'mv /etc/hosts /var/tmp/'
Redirecting to /bin/systemctl stop  named.service
:: [   PASS   ] :: Stopping named service
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

:: [   PASS   ] :: Running 'nslookup sun-v20z-01.testrelm.com'
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

:: [   PASS   ] :: Running 'nslookup hp-bl260cg5-01.testrelm.com'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
10.16.64.65		sun-v20z-01.testrelm.com
10.16.64.42		hp-bl260cg5-01.testrelm.com
:: [   PASS   ] :: Running 'cat /etc/hosts'
:: [05:47:48] ::  Executing: ipa-ca-install -p Secret123 -w Secret123 --skip-conncheck --unattended --no-host-dns /opt/rhqa_ipa/replica-info-hp-bl260cg5-01.testrelm.com.gpg
:: [05:47:48] ::  Verifying bug https://bugzilla.redhat.com/show_bug.cgi?id=757681
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [05:47:50] ::  kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Testing kinit as admin
Warning: skipping DNS resolution of host hp-bl260cg5-01.testrelm.com
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
  [3/16]: disabling nonces
  [4/16]: importing CA chain to RA certificate database
  [5/16]: fixing RA database permissions
  [6/16]: setting up signing cert profile
  [7/16]: set up CRL publishing
  [8/16]: set certificate subject base
  [9/16]: enabling Subject Key Identifier
  [10/16]: enabling CRL and OCSP extensions for certificates
  [11/16]: setting audit signing renewal to 2 years
  [12/16]: configuring certificate server to start on boot
  [13/16]: configure certmonger for renewals
  [14/16]: configure clone certificate renewals
  [15/16]: configure Server-Cert certificate renewal
  [16/16]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Restarting the directory and certificate servers
:: [   PASS   ] :: CA Replica installation with --no-host-dns