Bug 1162173 - ipa-server-install: Cannot handle double hyphen "--" in hostname
Summary: ipa-server-install: Cannot handle double hyphen "--" in hostname
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.1
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: 7.3
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1160555
Reported: 2014-11-10 12:26 UTC by Martin Kosek
Modified: 2020-10-04 20:45 UTC
CC List: 13 users

Fixed In Version: pki-core-10.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1160555
Environment:
Last Closed: 2016-11-04 05:18:42 UTC
Target Upstream Version:
Embargoed:


Attachments
Workaround / temporary fix for bug 1162173 - more details see bug (1.51 MB, application/zip)
2014-11-18 22:17 UTC, becke-ch


Links
GitHub dogtagpki/pki issue 1822 (last updated 2020-10-04 20:45:40 UTC)
Red Hat Product Errata RHBA-2016:2396, SHIPPED_LIVE: pki-core bug fix and enhancement update (2016-11-03 13:55:03 UTC)

Description Martin Kosek 2014-11-10 12:26:30 UTC
+++ This bug was initially created as a clone of Bug #1160555 +++

Actually, I encountered this problem with CentOS "7.0-1406", but because I could (easily) fix the faulty Python script myself I thought I would post the solution here as well.

When running:
~]# ipa-server-install
...
Server host name [becke-ch--directory--s0-v1.becke.ch]: becke-ch--directory--s0-v1.becke.ch
...
I get:
Invalid hostname 'becke-ch--directory--s0-v1.becke.ch', only letters, numbers, '-' are allowed. DNS label may not start or end with '-'

BUT when I enter:
Server host name [becke-ch--directory--s0-v1.becke.ch]: becke-ch-directory-s0-v1.becke.ch
Then it runs fine.

http://bugs.centos.org/view.php?id=7818

Name        : ipa-server
Arch        : x86_64
Version     : 3.3.3

SOLUTION:
---------
Replace regex repetition character "?" with "*": See:
]# diff util.py /usr/lib/python2.7/site-packages/ipalib/util.py
231c231
< label_regex = r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$' \
---
> label_regex = r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]*[%(base)s%(extra)s])*$' \
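Review bot: the `?` quantifier in the original group on line 231 allows at most one `middle` character (the hyphen) between two letter/digit characters, which is exactly why `becke-ch--directory` is rejected; switching to `*` permits any run of interior hyphens while the unchanged anchors and the leading/trailing `[%(base)s%(extra)s]` classes still reject a label that starts or ends with `-`. Please add a regression test for a label containing `--`, and confirm the 63-character label limit is enforced elsewhere, since this pattern has no length bound.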

--- Additional comment from becke-ch on 2014-11-08 02:39:00 EST ---

After fixing this issue the installation failed later on due to this fix:
...
[2/22]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp72m3kU' returned non-zero exit status 1
Configuration of CA failed
...

Which was caused by: /var/log/pki/pki-tomcat/catalina.out
...
WARNING: Catalina.start using conf/server.xml: The string "--" is not permitted within comments.
Nov 07, 2014 10:12:05 PM org.apache.tomcat.util.digester.Digester fatalError
SEVERE: Parse Fatal Error at line 31 column 40: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; systemId: file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 31; columnNumber: 40; The string "--" is not permitted within comments.
        at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
        at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source)
...

So there seems to be an issue with Tomcat/PKI in that it cannot handle double hyphens "--" in the hostname!

--- Additional comment from Martin Kosek on 2014-11-10 07:25:21 EST ---

Thanks for the investigation. Looks like a pki bug is due - I will clone it.

Comment 2 becke-ch 2014-11-18 11:23:07 UTC
From my research on the Internet and in the code I found out that this could potentially be fixed by fixing the "slot_substitution" for "server.xml", BUT:
a) I could not find the hook where the slot substitution for server.xml is invoked, and
b) I'm not sure whether there is any semantic meaning in having the host-name in the server.xml comments <!--...--> or whether it is (as it should be) just a comment.

Therefore I'm now going for a symptom fix (even though I don't like it), i.e. patching "org/apache/catalina/startup/Catalina.java" and "com/netscape/cmscore/apps/CMSEngine.java" to remove the double hyphens "--" from the stream just before passing it to the XML reader.

Comment 3 becke-ch 2014-11-18 22:17:10 UTC
Created attachment 958788 [details]
Workaround / temporary fix for bug 1162173 - more details see bug

Comment 4 becke-ch 2014-11-18 22:19:16 UTC
Regarding the attachment and comment above:
As already announced, I could not find a sustainable solution and therefore I've now implemented a workaround, i.e. fixed the symptoms, until a sustainable solution is provided (and the installation went fine).
Basically I've fixed the "org/apache/catalina/startup/Catalina.java" class to remove the double hyphens in the "server.xml" file and persist this change to disk for the future.
In the attachment I've provided the "catalina.jar" which can be copied to "/usr/share/tomcat/lib/" to temporarily fix this issue.
The following changes have been made to "Catalina.java":

diff -r java/org/apache/catalina/startup/Catalina.java eclipse/apache-tomcat-7.0.56-src/src/org/apache/catalina/startup/Catalina.java
19a20,21
> import java.io.ByteArrayInputStream;
> import java.io.ByteArrayOutputStream;
21a24
> import java.io.FileOutputStream;
23a27
> import java.io.InputStreamReader;
24a29
> import java.io.OutputStreamWriter;
613c618,626
<             inputSource.setByteStream(inputStream);
---
> 			// TODO find sustainable fix for this workaround regarding:
> 			// https://bugzilla.redhat.com/show_bug.cgi?id=1162173
> 			// https://bugzilla.redhat.com/show_bug.cgi?id=1160555
> 			ByteArrayOutputStream baos = replaceDoubleHyphenInComment(
> 					inputStream, file);
> 			inputSource.setByteStream(new ByteArrayInputStream(baos
> 					.toByteArray()));
> 
> 			// inputSource.setByteStream(inputStream);
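Review bot: the replaced `inputSource.setByteStream(inputStream);` is kept as a commented-out line at the end of this hunk; delete it rather than leaving dead code. Also, because `replaceDoubleHyphenInComment` receives `file`, this call site now rewrites server.xml on disk during Catalina startup whenever a comment body contained `--`; that side effect deserves a comment here (or a switch), so that anyone reading the startup path knows the configuration file can be modified by the server itself.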
654a668,715
> 	private ByteArrayOutputStream replaceDoubleHyphenInComment(
> 			InputStream inputStream, File file) throws IOException {
> 		// TODO find sustainable fix for this workaround regarding:
> 		// https://bugzilla.redhat.com/show_bug.cgi?id=1162173
> 		// https://bugzilla.redhat.com/show_bug.cgi?id=1160555
> 		// Actually the correct fix would be not to have double hyphens
> 		// "--" in server.xml file but instead escaping it correctly.
> 		// But at this point in time trying a quick symptom fix
> 		// and removing the double hyphens before passing to SAX parser.
> 		char[] cbuf = new char[4096];
> 		StringBuffer sb = new StringBuffer();
> 		InputStreamReader isr = new InputStreamReader(inputStream);
> 		int isrReadLen;
> 		boolean modified = false;
> 		while ((isrReadLen = isr.read(cbuf)) == cbuf.length) {
> 			sb.append(cbuf);
> 		}
> 		if (isrReadLen > 0) {
> 			sb.append(cbuf, 0, isrReadLen);
> 		}
> 		isr.close();
> 		int commentStart = sb.indexOf("<!--", 0) + 4;
> 		int commentEnd = sb.indexOf("-->", commentStart);
> 		while (commentStart != 3) {
> 			if (sb.substring(commentStart, commentEnd).contains("--")) {
> 				modified = true;
> 				sb.replace(
> 						commentStart,
> 						commentEnd,
> 						sb.substring(commentStart, commentEnd).replaceAll("--",
> 								"**"));
> 			}
> 			commentStart = sb.indexOf("<!--", commentEnd + 3) + 4;
> 			commentEnd = sb.indexOf("-->", commentStart);
> 		}
> 		ByteArrayOutputStream baos = new ByteArrayOutputStream();
> 		OutputStreamWriter osw = new OutputStreamWriter(baos);
> 		osw.write((sb.toString().toCharArray()));
> 		osw.close();
> 
> 		if (modified && file != null) {
> 			FileOutputStream fos = new FileOutputStream(file);
> 			osw = new OutputStreamWriter(fos);
> 			osw.write((sb.toString().toCharArray()));
> 			osw.close();
> 		}
> 		return baos;
> 	}
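Review bot: the read loop `while ((isrReadLen = isr.read(cbuf)) == cbuf.length)` exits on the first short read, and `InputStreamReader.read` may legitimately return fewer than `cbuf.length` characters before end of stream, so everything after that chunk is silently dropped and a truncated server.xml reaches the parser (and, when `modified` is set, is written back to disk). Loop until `read` returns -1 instead. The comment scan also assumes every `<!--` has a matching `-->`: when `indexOf("-->", commentStart)` returns -1, `sb.substring(commentStart, commentEnd)` throws; and a comment body that ends in a single `-` is forbidden by XML as well yet passes the `contains("--")` test. Finally, `new InputStreamReader(inputStream)` and `new OutputStreamWriter(...)` use the platform default charset while server.xml declares its own encoding; pass an explicit charset to both so the rewrite does not alter the file's bytes beyond the intended `--` to `**` substitution.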

Comment 5 Martin Kosek 2015-02-13 14:54:50 UTC
Is this fix available in upstream Dogtag? I see that the reporter kindly provided a patch already. We would like to test the fix in FreeIPA too.

Comment 6 Endi Sukma Dewata 2015-02-14 01:42:06 UTC
I've cloned this bug to Trac: https://fedorahosted.org/pki/ticket/1260

Per discussion with mharmsen the proper fix is to modify pkidaemon to obtain the info directly from the CS.cfg and then remove these lines from server.xml.

This bug is proposed to be fixed in Dogtag 10.3 timeframe. If it needs to be fixed sooner please mention that in the Trac ticket. Thanks.

Comment 8 Matthew Harmsen 2015-07-08 23:34:43 UTC
Associated with upstream PKI Ticket #1260 slated for Dogtag 10.3 (RHCS 9.1); propose moving to RHEL 7.3?

Comment 9 Matthew Harmsen 2015-07-10 02:46:14 UTC
(In reply to Matthew Harmsen from comment #8)
> Associated with upstream PKI Ticket #1260 slated for Dogtag 10.3 (RHCS 9.1);
> propose moving to RHEL 7.3?

Moving to RHEL 7.3.

Comment 11 Jan Pazdziora 2015-08-26 06:56:31 UTC
Shouldn't this bugzilla be on tomcat component?

Comment 12 Matthew Harmsen 2015-08-31 22:58:49 UTC
(In reply to Jan Pazdziora from comment #11)
> Shouldn't this bugzilla be on tomcat component?

Actually, no -- the reason that this problem is occurring is because we are obtaining this information out of commented lines in 'server.xml' (and XML uses the nasty "--" in their comment style). See https://fedorahosted.org/pki/ticket/1260 for details.

We are currently slated to fix this in 10.3 (so hopefully RHEL 7.3).
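The failure mode described in this comment, shown as an added example (it is not code from the bug, from Dogtag or from Tomcat): a constructed stand-in for server.xml with the hostname inside a comment, a pre-flight check that flags the comment bodies XML forbids, and the same value carried as attribute data, where "--" is ordinary character data.

```python
"""Why a hostname with "--" breaks server.xml, and a pre-flight check for it."""
import re
import xml.etree.ElementTree as ET

# Constructed template in the spirit of the failing file: the hostname sits
# inside an XML comment. This is NOT the real Dogtag server.xml.
COMMENTED_TEMPLATE = """<Server port="8005">
  <!-- PKI Status: host {hostname} port 8443 -->
  <Service name="Catalina"/>
</Server>"""

# Same value carried as attribute data, where "--" is legal.
ATTRIBUTE_TEMPLATE = """<Server port="8005">
  <Status host="{hostname}" port="8443"/>
  <Service name="Catalina"/>
</Server>"""

_COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def offending_comments(xml_text):
    """Comment bodies that violate XML 1.0 section 2.5:
    they contain "--" or end with a single "-"."""
    return [m.group(1) for m in _COMMENT.finditer(xml_text)
            if "--" in m.group(1) or m.group(1).endswith("-")]


def is_well_formed(xml_text):
    """True if expat accepts the document; Tomcat's SAX parser
    applies the same well-formedness rule to comments."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def render(template, hostname):
    return template.format(hostname=hostname)


if __name__ == "__main__":
    for host in ("directory-s0-v1.becke.ch", "directory--s0-v1.becke.ch"):
        doc = render(COMMENTED_TEMPLATE, host)
        print(host, "comment form parses:", is_well_formed(doc),
              "flagged:", offending_comments(doc))
        print(host, "attribute form parses:",
              is_well_formed(render(ATTRIBUTE_TEMPLATE, host)))
```

Running `offending_comments` over the generated file before `pkispawn` starts Tomcat would have reported the failing comment with the hostname in it instead of the SAX stack trace from catalina.out.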

Comment 14 Matthew Harmsen 2016-01-07 00:49:38 UTC
Per discussions in the RHEL 7.3 Triage meeting of 01/06/2016: priority low

Comment 15 Matthew Harmsen 2016-04-15 21:41:18 UTC
ftweedal pushed to master:
* 8beb5cfa4cd81fbf47ea8cd6839b793c2a12284e

Comment 17 Roshni 2016-09-02 15:53:15 UTC
[root@nightcrawler ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.3.3
Release     : 8.el7
Architecture: noarch
Install Date: Wed 31 Aug 2016 03:15:38 PM EDT
Group       : System Environment/Daemons
Size        : 2430595
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.3.3-8.el7.src.rpm
Build Date  : Tue 30 Aug 2016 03:23:27 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Did not see pkispawn CA failure when the hostname had "--" in it.

Comment 19 errata-xmlrpc 2016-11-04 05:18:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html

Comment 20 becke-ch 2017-01-07 10:05:40 UTC
Hi,
I just wanted to inform you that the fix is still not working.
I just did a fresh install "yum install ipa-server bind bind-dyndb-ldap" and got the following packages (which are the correct packages and versions according to: "https://rhn.redhat.com/errata/RHBA-2016-2396.html"):
...
    Dep-Install pki-base-10.3.3-14.el7_3.noarch                                  @updates
    Dep-Install pki-base-java-10.3.3-14.el7_3.noarch                             @updates
    Dep-Install pki-ca-10.3.3-14.el7_3.noarch                                    @updates
    Dep-Install pki-kra-10.3.3-14.el7_3.noarch                                   @updates
    Dep-Install pki-server-10.3.3-14.el7_3.noarch                                @updates
    Dep-Install pki-tools-10.3.3-14.el7_3.x86_64                                 @updates
    Dep-Install policycoreutils-python-2.5-9.el7.x86_64                          @updates
...

And during "ipa-server-install --no-ntp --idstart=5000 --idmax=9999" at the very beginning I got the following ERROR:
...
Server host name [directory--s0-v1.becke.ch]: 

ipa.ipapython.install.cli.install_tool(Server): ERROR    Invalid hostname 'directory--s0-v1.becke.ch', only letters, numbers, '-' are allowed. DNS label may not start or end with '-'

ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
...

And when looking in: /var/log/ipaserver-install.log
...
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 267, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 460, in install_check
    sys.exit(str(e) + "\n")

2017-01-07T09:39:05Z DEBUG The ipa-server-install command failed, exception: SystemExit: Invalid hostname 'directory--s0-v1.becke.ch', only letters, numbers, '-' are allowed. DNS label may not start or end with '-'

2017-01-07T09:39:05Z ERROR Invalid hostname 'directory--s0-v1.becke.ch', only letters, numbers, '-' are allowed. DNS label may not start or end with '-'
...

Kind Regards
Raoul

Comment 21 Endi Sukma Dewata 2017-01-08 00:32:24 UTC
That error message seems to be generated by IPA. Could you try editing the util.py as described in the original bug description?

Comment 22 Martin Bašti 2017-01-09 09:10:46 UTC
The IPA part of the bug: https://bugzilla.redhat.com/show_bug.cgi?id=1160555

It is fixed upstream; it will be in RHEL 7.4.

Comment 23 becke-ch 2017-01-11 15:54:03 UTC
Yes, this is correct. I could quickly fix it myself as described above:

Replace regex repetition character "?" with "*": See:
]# diff util.py /usr/lib/python2.7/site-packages/ipalib/util.py
231c231
< label_regex = r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$' \
---
> label_regex = r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]*[%(base)s%(extra)s])*$' \

