Bug 953485
| Summary: | ipa-server-install crashes due to certutil certificate add error | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Niranjan Mallapadi Raghavender <mniranja> | ||||
| Component: | freeipa | Assignee: | Rob Crittenden <rcritten> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 19 | CC: | abokovoy, alee, awnuk, dennis, dspurek, kwright, mharmsen, mkosek, rcritten, spoore, ssorce | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | freeipa-3.2.0-2.fc19 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-05-24 20:41:38 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 872761 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
I have same problem, same components versions. I install with command: ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname server.ipa.example.org --setup-dns --forwarder=<forwarder IP> -U Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/20]: creating certificate server user [2/20]: configuring certificate server instance [3/20]: disabling nonces [4/20]: creating RA agent certificate database [5/20]: importing CA chain to RA certificate database [6/20]: fixing RA database permissions [7/20]: setting up signing cert profile [8/20]: set up CRL publishing [9/20]: set certificate subject base [10/20]: enabling Subject Key Identifier [11/20]: enabling CRL and OCSP extensions for certificates [12/20]: setting audit signing renewal to 2 years [13/20]: configuring certificate server to start on boot [14/20]: restarting certificate server [15/20]: requesting RA certificate from CA [16/20]: issuing RA agent certificate Unexpected error - see /var/log/ipaserver-install.log for details: CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -A -t u,u,u -n ipaCert -a -i /tmp/tmpm6gYDB' returned non-zero exit status 255 This issue is caused by Bug 872761. This is not dogtag issue, moving to freeipa for tracking purposes. Upstream ticket: https://fedorahosted.org/freeipa/ticket/3586 Note that setting up an external CA is not necessary to duplicate this bug. Installing IPA with a CA is enough. Fixed in upstream NSS in: nss-3.14.3-2.fc18 nss-3.14.3-12.0.fc19 We just need to set our deps right. master: 732d1042a35c7db64c4ce1980e938666c65671ea freeipa-3.2.0-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/freeipa-3.2.0-1.fc19 no longer seeing CA related issues with installs: Made it all the way through with no errors: Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password Package freeipa-3.2.0-1.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing freeipa-3.2.0-1.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-7911/freeipa-3.2.0-1.fc19 then log in and leave karma (feedback). freeipa-3.2.0-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 737273 [details] ipaserver-install.log Description of problem: ipa-server-install fails with external ca Version-Release number of selected component (if applicable): freeipa-server-3.2.0-0.2.beta1.fc19.x86_64 pki-ca-10.0.1-2.1.fc19.noarch How reproducible: Steps to Reproduce: 1. ipa-server-install --setup-dns --external-ca 2.ipa-server-install --external_cert_file=/root/sign-ipa.crt --external_ca_file=/root/ad-ca.crt Actual results: Configuring certificate server (pki-tomcatd): Estimated time 33 minutes 30 seconds [1/20]: creating certificate server user [2/20]: configuring certificate server instance [3/20]: disabling nonces [4/20]: creating RA agent certificate database [5/20]: importing CA chain to RA certificate database [6/20]: fixing RA database permissions [7/20]: setting up signing cert profile [8/20]: set up CRL publishing [9/20]: set certificate subject base [10/20]: enabling Subject Key Identifier [11/20]: enabling CRL and OCSP extensions for certificates [12/20]: setting audit signing renewal to 2 years [13/20]: configuring certificate server to start on boot [14/20]: restarting certificate server [15/20]: requesting RA certificate from CA [16/20]: issuing RA agent certificate Unexpected error - see /var/log/ipaserver-install.log for details: CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -A -t u,u,u -n ipaCert -a -i /tmp/tmphU1n_0' returned non-zero exit status 255 Expected results: ipa-server-installation should succeed Additional info: