Bug 1159086 - RHEL7.1 ipa-server-install with external-cert-file from ADCS fails
Summary: RHEL7.1 ipa-server-install with external-cert-file from ADCS fails
Keywords:
Status: CLOSED DUPLICATE of bug 1151147
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-30 22:39 UTC by Scott Poore
Modified: 2014-10-31 17:48 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-31 17:48:17 UTC
Target Upstream Version:
Embargoed:


Attachments
ipaserver-install.log (36.63 KB, text/plain), 2014-10-30 22:40 UTC, Scott Poore

Description Scott Poore 2014-10-30 22:39:37 UTC
Description of problem:

I'm trying to use the Microsoft Active Directory Certificate Service on a 2008r2 server to sign the certificate request.  I'm having a problem with the install.

It's failing at or after the RA request:

  [20/27]: requesting RA certificate from CA
  [error] IndexError: list index out of range
Unexpected error - see /var/log/ipaserver-install.log for details:
IndexError: list index out of range



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Setup 2008r2 ADCS server.

2.  ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=rhel7-1.example.com --ip-address=192.168.122.71 -n example.com -r EXAMPLE.COM -a Secret123 -p Secret123 -U --external-ca

3.  copy ipa.csr to ADCS server and sign via web site.  Also, Download CA Cert chain from ADCS.

4.  Copy ipa.cer and adcs CA cert chain back to IPA server.

5.  ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=rhel7-1.example.com --ip-address=192.168.122.71 -ncret123 -p Secret123 -U --external-cert-file=/root/ipa.cer --external-cert-file=/root/adcs1_chain.p7b 

# This fails.  I'm assuming the p7b format the ADCS returned for the chain is not supported.  If it is, I can open a different bug for that.  So, I imported it into an NSSDB that I could then export from into a format I thought would work.

6.  mkdir testnssdb

7. cd testnssdb/

8. certutil -N -d .

9. certutil -A -d . -i /root/adcs1_chain.p7b -n adcs1 -t TCu,TCu,TCu

10. certutil -L -d . -n adcs1 -a > adcs1.asc

11. ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=rhel7-1.example.com --ip-address=192.168.122.71 -n example.com -r EXAMPLE.COM -a Secret123 -p Secret123 -U --external-cert-file=/root/ipa.cer --external-cert-file=/root/testnssdb/adcs1.asc 

Actual results:

  [20/27]: requesting RA certificate from CA
  [error] IndexError: list index out of range
Unexpected error - see /var/log/ipaserver-install.log for details:
IndexError: list index out of range

Snippet from Log:

Generating key.  This may take a few moments...


2014-10-30T21:58:25Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1147, in __request_ra_certificate
    self.requestId = item_node[0].childNodes[0].data
IndexError: list index out of range

2014-10-30T21:58:25Z DEBUG   [error] IndexError: list index out of range
2014-10-30T21:58:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1170, in main
    ca_signing_algorithm=options.ca_signing_algorithm)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 518, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1147, in __request_ra_certificate
    self.requestId = item_node[0].childNodes[0].data

2014-10-30T21:58:25Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range


Expected results:

Installs IPA cleanly with no errors.

Additional info:

Comment 1 Scott Poore 2014-10-30 22:40:51 UTC
Created attachment 952361 [details]
ipaserver-install.log

Comment 3 Rob Crittenden 2014-10-31 01:48:23 UTC
I think this is a dup of https://bugzilla.redhat.com/show_bug.cgi?id=1129558

To install FreeIPA with MS external CA, use command line switch --external-ca-type=ms-cs

Comment 4 Martin Kosek 2014-10-31 07:36:10 UTC
The --external-ca-type=ms-cs switch will only make sure that MS CS accepts the IPA subCA request in the GUI, without having to do magic in the PowerShell terminal.

I wonder what pki-ca version you used; there is a very related bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1151147

Comment 5 Scott Poore 2014-10-31 16:45:11 UTC
That may be at least part of my problem.  When I tested with the fixed version of pki, it definitely gets farther, but now I'm seeing timeouts.  I've seen this now with a couple of attempted re-installs and one fresh install.

  [20/27]: requesting RA certificate from CA
  [21/27]: issuing RA agent certificate
  [22/27]: adding RA agent as a trusted user
  [23/27]: configure certmonger for renewals
  [24/27]: configure certificate renewals
  [25/27]: configure RA certificate renewal
  [26/27]: configure Server-Cert certificate renewal
  [27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
CA did not start in 300.0s

Any thoughts on that?

Comment 6 Petr Vobornik 2014-10-31 16:58:49 UTC
(In reply to Scott Poore from comment #5)

I think you see bug 1155654

Comment 7 Scott Poore 2014-10-31 17:48:17 UTC
Petr, yes, I think you're right.  Thanks for the info.

So, I'm closing this as a duplicate of bug 1151147.  The latter issue I'll track in that bug.

Thanks guys.

*** This bug has been marked as a duplicate of bug 1151147 ***

