Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1114127

Summary: RHEL6.5 ipa-server-install fails configuring certificate server instance
Product: Red Hat Enterprise Linux 7 Reporter: Scott Poore <spoore>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED WONTFIX QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: Aaron.Boudreaux, abokovoy, alee, dpal, jpazdziora, rcritten
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-29 13:21:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scott Poore 2014-06-27 20:14:04 UTC 
Description of problem:

I'm seeing ipa-server-install failures configuring the CA.  

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -cs_port 9445 -client_certdb_dir /tmp/tmp-gTN63u -client_certdb_pwd XXXXXXXX -preop_pin 8IhRgvChTfGUEzvFqteh -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=QE.PIT.REALM -ldap_host pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=QE.PIT.REALM -ca_server_cert_subject_name CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal,O=QE.PIT.REALM -ca_audit_signing_cert_subject_name CN=CA Audit,O=QE.PIT.REALM -ca_sign_cert_subject_name CN=Certificate Authority,O=QE.PIT.REALM -external false -clone false' returned non-zero exit status 255
Configuration of CA failed

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-39.el6.x86_64
pki-ca-9.0.3-32.el6.noarch


How reproducible:
Unknown.

Steps to Reproduce:
1. ipa-server-install -r <REALM> -p Secret123 -a Secret123 -U

Actual results:

Failure listed above.

Expected results:

No failure and IPA installs cleanly.

Additional info:

Problem is we cannot reproduce this outside on an automated environment that generates and builds the VM it's failing on.  If the VM is manually created (from the same image) it's not failing.  I do not know the host systems in the two cases.

ipaserver-install.log:

2014-06-27T19:42:10Z DEBUG Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
2014-06-27T19:42:10Z DEBUG   [1/21]: creating certificate server user
2014-06-27T19:42:10Z DEBUG ca user pkiuser exists
2014-06-27T19:42:10Z DEBUG   duration: 0 seconds
2014-06-27T19:42:10Z DEBUG   [2/21]: creating pki-ca instance
2014-06-27T19:43:59Z DEBUG args=/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -enable_proxy
2014-06-27T19:43:59Z DEBUG stdout=PKI instance creation Utility ...

Capturing installation information in /var/log/pki-ca-install.log

PKI instance creation completed ...

Installation information recorded in /var/log/pki-ca-install.log.
Before proceeding with the configuration, make sure 
the firewall settings of this machine permit proper 
access to this subsystem. 

Please start the configuration by accessing:

https://pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal:9445/ca/admin/console/config/login?pin=pVNJx5tI2e9laIPwyV8w

After configuration, the server can be operated by the command:

    /sbin/service pki-cad restart pki-ca


2014-06-27T19:43:59Z DEBUG stderr=
2014-06-27T19:43:59Z DEBUG   duration: 109 seconds
2014-06-27T19:43:59Z DEBUG   [3/21]: configuring certificate server instance
2014-06-27T19:44:00Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -cs_port 9445 -client_certdb_dir /tmp/tmp-TpgvUw -client_certdb_pwd XXXXXXXX -preop_pin pVNJx5tI2e9laIPwyV8w -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=QE.PIT.REALM -ldap_host pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=QE.PIT.REALM -ca_server_cert_subject_name CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal,O=QE.PIT.REALM -ca_audit_signing_cert_subject_name CN=CA Audit,O=QE.PIT.REALM -ca_sign_cert_subject_name CN=Certificate Authority,O=QE.PIT.REALM -external false -clone false
2014-06-27T19:44:00Z DEBUG stdout=libpath=/usr/lib64
#######################################################################
CRYPTO INIT WITH CERTDB:/tmp/tmp-TpgvUw
tokenpwd:XXXXXXXX
#############################################
Attempting to connect to: pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA
#######################################################################

2014-06-27T19:44:00Z DEBUG stderr=Exception: Unable to Send Request:java.io.IOException: java.io.IOException: SSL_ForceHandshake failed: (-5991) I/O function error. --> java.net.SocketException: Connection reset
java.io.IOException: java.io.IOException: SSL_ForceHandshake failed: (-5991) I/O function error. --> java.net.SocketException: Connection reset
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at org.mozilla.jss.ssl.SocketBase.processExceptions(SocketBase.java:401)
        at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
        at HTTPClient.sslConnect(HTTPClient.java:331)
        at ConfigureCA.LoginPanel(ConfigureCA.java:244)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
        at ConfigureCA.main(ConfigureCA.java:1672)
java.lang.NullPointerException
        at ConfigureCA.LoginPanel(ConfigureCA.java:245)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
        at ConfigureCA.main(ConfigureCA.java:1672)

2014-06-27T19:44:00Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -cs_port 9445 -client_certdb_dir /tmp/tmp-TpgvUw -client_certdb_pwd XXXXXXXX -preop_pin pVNJx5tI2e9laIPwyV8w -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=QE.PIT.REALM -ldap_host pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=QE.PIT.REALM -ca_server_cert_subject_name CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal,O=QE.PIT.REALM -ca_audit_signing_cert_subject_name CN=CA Audit,O=QE.PIT.REALM -ca_sign_cert_subject_name CN=Certificate Authority,O=QE.PIT.REALM -external false -clone false' returned non-zero exit status 255
2014-06-27T19:44:00Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 942, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2014-06-27T19:44:00Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
Comment 1 Scott Poore 2014-06-27 20:16:37 UTC 
Note, I got come help from dogtag guys troubleshooting this.  Ade noticed that there wasn't a service check between 2/21 pkicreate and 3/21 pkisilent.  A check to make sure the service is up and functioning may help here?
Comment 2 Scott Poore 2014-06-27 20:19:11 UTC 
FYI, I did attempt a workaround like from bug#905064#c16:

[root@pit1 install]# cat /usr/bin/pkicreate
#!/bin/sh
/usr/bin/pkicreate.real "$@"
RET=$?
sleep 100
exit $RET

[root@pit1 install]# ls -l /usr/bin/pkicreate.real 
-rwxr-xr-x. 1 root root 150749 Sep  3  2013 /usr/bin/pkicreate.real

[root@pit1 install]# 

It paused for the 100 seconds as you can see from the time but, it still failed.  So, I'm not sure if there is a usable workaround here.

Thoughts?
Comment 4 Martin Kosek 2014-06-30 08:26:29 UTC 
Ok, it looks like Bug 1112581 was really not caused by an interim package error. Ade, please help us with investigation, it looks like the problem is not in a wait for pkicreate (Comment 1).
Comment 5 Ade Lee 2014-06-30 15:24:28 UTC 
The problem here is the length of the hostname.  When we run pkicreate, we create a temporary cert in the certificate database to get SSL kickstarted.  I looked on the system and noticed that the cert had not been generated (and therefore SSL connections failed).

The command used to create the cert is something like the following:

root@pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1 ~]# certutil -S -d /tmp/foo -h 'internal' -m 0 -v 12 -x -s 'CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal,O=2014-06-30 10:24:33' -c 'CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal,O=2014-06-30 10:24:33' -t 'CTu,CTu,CTu' ...

which results in:

certutil -s: improperly formatted name: "CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal,O=2014-06-30 10:24:33"

The reason for this is that the CN exceeds 64 characters.  According to RFC 5280, the CN cannot exceed 64 characters -->

In Appendix A:

-- Upper Bounds
ub-common-name INTEGER ::= 64

Therefore, this is not a bug in Dogtag.
Comment 6 Scott Poore 2014-06-30 15:30:53 UTC 
I also found that this is a limit for hostname max length:

[root@pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1 sysconfig]# getconf HOST_NAME_MAX
64

Since this is a known limit we're hitting for the CN for the cert, as well as a limit for hostname max length.  So, I'm closing this one out as NOTABUG.
Comment 7 Martin Kosek 2014-06-30 15:33:05 UTC 
Would it make sense FreeIPA to check the hostname before the server/replica installer is run? This would require just one extra check to hostname validator. It may be beneficial, given how difficult it was to investigate the root cause.
Comment 8 Scott Poore 2014-06-30 15:48:38 UTC 
Maybe.  You're right.  It would have helped here.  So, reopening so installer can be updated to check hostname length.

Thanks
Comment 9 Alexander Bokovoy 2014-06-30 15:49:31 UTC 
Note that while CN is limited to 64 characters, it is not a host name but full FQDN that is passed there. In this particular case hostname is 54 character long but FQDN is 65 characters long, thus it fails.

So a check would need to take FQDN and ensure that it is less than 64 characters. Now, this will be a sizable limitation as DNS entries can have 64 character *per label*, not per whole FQDN.
Comment 10 Alexander Bokovoy 2014-06-30 16:21:17 UTC 
I think we may be using RFC5280 wrongly here. It states (and RFC 6818 which is an update to RFC 5280 doesn't change this dramatically):
4.1.2.4
[..] In addition, implementations of this specification MUST be prepared
to receive the domainComponent attribute, as defined in [RFC4519].
The Domain Name System (DNS) provides a hierarchical resource
labeling system. This attribute provides a convenient mechanism for
organizations that wish to use DNs that parallel their DNS names.

I think we should be packing FQDN into domainComponent attribute and use just a host name part for CN.
Comment 11 Dmitri Pal 2014-07-01 12:59:07 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4415
Comment 12 Alexander Bokovoy 2014-07-01 13:26:55 UTC 
Looking at nss code, I can see that with the help of bug https://bugzilla.mozilla.org/show_bug.cgi?id=970539 there is a change in upstream libnss to allow CN attribute value to be up to 640 bytes instead of 64. The code otherwise doesn't put any limitation on the CN value.
Comment 13 Martin Kosek 2016-01-29 13:21:00 UTC 
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.
Comment 14 Aaron.Boudreaux 2020-06-22 17:37:40 UTC 
We have just run into this issue also. Our short hostname is only 16 characters, but our fully qualified domain name (fqdn) is over the 64 characters. Our fqdn is a valid dns name (both bind dns and rhel 7 gladly accept this fqdn) and the specification also appears to confirm that the fqdn can be over 64 characters (https://stackoverflow.com/questions/32290167/what-is-the-maximum-length-of-a-dns-name https://www.ietf.org/rfc/rfc1035.txt). Debugging the problem was time consuming since the ipa-client-install does not explicitly check for the fqdn length and the error a very low level exception. I request that this issue be reopened for a future release of rhel since not allowing an fqdn longer 64 characters is not the correct behavior.
Comment 15 Rob Crittenden 2020-06-22 17:46:45 UTC 
This was addressed upstream in ticket https://pagure.io/freeipa/issue/2018 in IPA 4.8.0+. The default FQDN length is 64 characters.
Comment 16 Aaron.Boudreaux 2020-06-22 17:55:13 UTC 
Rob,
From the description https://pagure.io/freeipa/issue/2018 does not sound like it solves the problem. That sounds like it is still addressing the max length of the short hostname (i.e a single segment of the dns domain). Our short hostname is only 16 characters so checking the max length of that will still succeeded. However the ipa-client-install fails if the fqdn is longer than 64 characters. Does the resolution to that issue also fix the ipa-client-install to correctly allow fqdn up to 253 characters?
Comment 17 Aaron.Boudreaux 2020-06-22 17:58:34 UTC 
I read the description of this issue too quickly. It is referring to ipa-server-install not ipa-client-install. Perhaps I should open a new issue unless this is already resolved in a newer version of redhat idm / freeipa? We are currently using rhel 7.5 with redhat idm 4.5.4.
Comment 18 Rob Crittenden 2020-06-22 18:05:12 UTC 
It applies to all hosts created in IPA using the API.

It is resolved in RHEL 8.
Comment 19 Aaron.Boudreaux 2020-06-22 18:14:25 UTC 
Great! Thanks for the info Rob!