Bug 826973

Summary: ipa-server-install does not fill the default value for --subject option and it crashes later.
Product: Red Hat Enterprise Linux 6
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: ipa
Assignee: Martin Prpič <mprpic>
Status: CLOSED NEXTRELEASE
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: unspecified
Version: 6.3
CC: dpal, jgalipea, mkosek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in two stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, the subject of the signed Identity Management CA certificate is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. With this workaround, the certificate subject validation procedure succeeds and the installation continues as expected.
Story Points: ---
Clones: 827321
Last Closed: 2012-06-01 06:39:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 827321

Description Gowrishankar Rajaiyan 2012-05-31 10:46:11 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM -P Secret123
  

Actual results:
[root@qe-blade-06 ipa-external-ca]# /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM 

The log file for this installation can be found in /var/log/ipaserver-install.log
Unexpected error - see ipaserver-install.log for details:
 must be str,unicode,tuple, or RDN, got NoneType instead
[root@qe-blade-06 ipa-external-ca]# 


Expected results: Installation should be successful.


Additional info:
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
2012-05-31T09:36:04Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-05-31T09:36:04Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 30, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': True, 'subject': None, 'no_forwarders': False, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': False, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': '/root/ipa-ca/ipacacert.asc', 'no_host_dns': False, 'http_pkcs12': None, 'forwarders': None, 'idstart': 1463800000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': '/root/ipa-ca/ipa.crt', 'uninstall': False}
2012-05-31T09:36:04Z DEBUG missing options might be asked for interactively later

2012-05-31T09:36:04Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2012-05-31T09:36:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-05-31T09:36:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-05-31T09:36:04Z DEBUG must be str,unicode,tuple, or RDN, got NoneType instead
  File "/usr/sbin/ipa-server-install", line 1091, in <module>
    rval = main()

  File "/usr/sbin/ipa-server-install", line 607, in main
    wantsubject = unicode(DN(('CN','Certificate Authority'), options.subject))

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1064, in __init__
    self.rdns = self._rdns_from_sequence(args)

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1106, in _rdns_from_sequence
    rdn = self._rdn_from_value(item)

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1100, in _rdn_from_value
    value.__class__.__name__)

2012-05-31T09:36:04Z DEBUG Restoring system configuration file '/etc/hosts'
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#



#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
The work-around is to pass --subject "O=TESTRELM.COM" to the command in step 1.

[root@qe-blade-06 ipa-external-ca]# /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM  --subject "O=TESTRELM.COM"

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Warning: Hostname (qe-blade-06.testrelm.com) not found in DNS
The domain name has been calculated based on the host name.


The IPA Master Server will be configured with:
...
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

Comment 5 Dmitri Pal 2012-05-31 16:46:41 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2794

Comment 6 Martin Kosek 2012-06-01 06:39:23 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When IPA is installed with its CA certificate signed by an external CA, the installation proceeds in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the IPA CA and a certificate of the external CA. During the second stage of the installation, the signed IPA CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value ("O=$REALM", where $REALM is the realm of the new IPA installation) is never pulled.
Consequence: The second stage of the installation always fails unless the --subject option is filled.
Workaround: Add the following option for the second stage installation: --subject "O=$REALM" where $REALM is the realm of the new IPA installation. If a custom subject was used for the first stage of the installation, use its value instead.
Result: The certificate subject validation procedure succeeds and the installation continues.
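
The following is an added example, not FreeIPA's own code, that models the second-stage check described in the Cause/Workaround text above and in the traceback from the description (DN(('CN','Certificate Authority'), options.subject) with options.subject left at None). The DN model, parser and function names are hypothetical stand-ins for ipalib.dn.DN, deliberately simplified (no RDN escaping, no multi-valued RDNs); the subject strings are constructed, not read from a real ipa.crt. It shows the reported failure when the default is not filled, the fixed behaviour that defaults --subject to O=$REALM before building the DN, and why the check matters: the certificate handed back by the external CA must carry the subject the first-stage CSR asked for, otherwise a certificate for another realm, or one whose subject the external CA rewrote, would be installed as the IPA CA.

```python
"""Illustrative model of the CA-subject check ipa-server-install runs in the
second (external-CA) stage.  Added example, not FreeIPA code: the DN model,
parser and function names are hypothetical stand-ins for ipalib.dn.DN."""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]   # (attribute type, value), e.g. ("O", "TESTRELM.COM")
DN = List[RDN]          # ordered RDN sequence, most specific RDN first


def parse_dn(text: str) -> DN:
    """Parse 'CN=Certificate Authority,O=TESTRELM.COM' into RDN tuples.
    Attribute types are case-insensitive, so they are normalised to upper case.
    Simplification: no escaping of ',' or '=' inside values."""
    rdns: DN = []
    for part in text.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def make_dn(*items) -> DN:
    """Build a DN from a mix of (type, value) tuples and DN strings, with the
    same type check that produced the traceback on this bug: anything else,
    including None, is rejected."""
    rdns: DN = []
    for item in items:
        if isinstance(item, tuple) and len(item) == 2:
            rdns.append((item[0].upper(), item[1]))
        elif isinstance(item, str):
            rdns.extend(parse_dn(item))
        else:
            raise TypeError("must be str,unicode,tuple, or RDN, got %s instead"
                            % type(item).__name__)
    return rdns


def wanted_ca_subject_buggy(realm: str, subject_option: Optional[str]) -> DN:
    """Reported behaviour: the --subject value is used as-is, so a missing
    option (None) reaches the DN constructor and raises TypeError."""
    return make_dn(("CN", "Certificate Authority"), subject_option)


def wanted_ca_subject_fixed(realm: str, subject_option: Optional[str]) -> DN:
    """Fill the documented default, O=$REALM, before building the DN."""
    if subject_option is None:
        subject_option = "O=%s" % realm
    return make_dn(("CN", "Certificate Authority"), subject_option)


def ca_cert_subject_matches(cert_subject: str, realm: str,
                            subject_option: Optional[str] = None) -> bool:
    """Second-stage check: the subject of the certificate handed back by the
    external CA must equal the subject the first-stage CSR asked for.  This is
    what stops a CA certificate issued for a different realm, or with a subject
    the external CA silently rewrote, from being installed as the IPA CA."""
    return wanted_ca_subject_fixed(realm, subject_option) == parse_dn(cert_subject)


if __name__ == "__main__":
    realm = "TESTRELM.COM"
    # Constructed subject strings standing in for what would be read from ipa.crt.
    good = "CN=Certificate Authority,O=TESTRELM.COM"
    wrong_realm = "CN=Certificate Authority,O=EXAMPLE.COM"
    try:
        wanted_ca_subject_buggy(realm, None)
    except TypeError as exc:
        print("buggy path:", exc)
    print("fixed, default subject, matching cert:", ca_cert_subject_matches(good, realm))
    print("fixed, default subject, wrong realm:", ca_cert_subject_matches(wrong_realm, realm))
    print("fixed, custom subject:", ca_cert_subject_matches(
        "CN=Certificate Authority,O=Example Corp,C=US", realm, "O=Example Corp,C=US"))
```

The custom-subject case is the one the Workaround text warns about: if the first stage was run with a non-default --subject, the second stage must receive the same value, because the comparison is against the subject the CSR was generated with, not against whatever the external CA returned.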

Comment 7 Martin Prpič 2012-06-01 09:41:48 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1 @@
-Cause: When IPA is installed with its CA certificate signed by an external CA, the installation is proceeded in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the IPA CA and a certificate of the external CA. During the second stage of the installation, an signed IPA CA certificate subject is validated. However, there is a bug in a certificate subject validation procedure and its default value ("O=$REALM") where $REALM is the realm of the new IPA installation is never pulled.
+When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, a signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this work around, the certificate subject validation procedure succeeds and the installation continues as expected.-Consequence: Second stage of the installation always fails unless --subject option is filled.
-Workaround: Add the following option for second stage installation: --subject "O=$REALM" where $REALM is the realm of the new IPA installation. If a custom subject was used for the first stage of the installation, use its value instead.
-Result: Certificate subject validation procedure succeeds and the installation continues.
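Review bot: the replacement text in the `+` line drops the one string an administrator hitting this will actually search for, the installer's error output `Unexpected error - see ipaserver-install.log for details: must be str,unicode,tuple, or RDN, got NoneType instead` shown in the description; add it to the "Consequently, the second stage ... always fails" sentence so the note is findable, and state the affected package (ipa-server-2.2.0-16.el6 per the description) since the note otherwise gives no version. Also, the `+` line ends with "as expected.-Consequence: Second stage ..." run straight into the first removed line, while the header says `@@ -1,4 +1 @@`; check that the stored note really ends at "as expected." and did not swallow the old Consequence line through a lost line break.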