RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1318186 - Misleading error message during external-ca IPA master install
Summary: Misleading error message during external-ca IPA master install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Mohammad Rizwan
URL:
Whiteboard:
: 1340096 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-16 08:59 UTC by Kaleem
Modified: 2017-08-01 09:37 UTC (History)
8 users (show)

Fixed In Version: ipa-4.5.0-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:37:23 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
console logs (5.17 KB, text/plain)
2017-06-08 06:13 UTC, Mohammad Rizwan 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1331443 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Bugzilla 1344810 0 unspecified CLOSED Certificate not importing PKI-Tomcat ipa-server-install 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Internal Links: 1331443 1344810

Description Kaleem 2016-03-16 08:59:43 UTC 
Description of problem:
During second attempt of IPA external-ca install after first successful attempt, following error message shown which is misleading.


ipa.ipapython.install.cli.install_tool(Server): ERROR    Failed to load /root/ipa-ca/ipa.crt

Honza helped me to figured out the cause for this.

Here, uninstallation of IPA external-ca was not removing the certs from /etc/httpd/alias which is already reported in https://fedorahosted.org/freeipa/ticket/4639. 

But instead of error message "Failed to load /root/ipa-ca/ipa.crt
", we expect error message like

 "(SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert"

Also warning message is not logged in ipaserver-install.log .

Version-Release number of selected component (if applicable):
[root@auto-hv-01-guest02 ~]# rpm -q ipa-server 
ipa-server-4.2.0-15.el7_2.10.x86_64
[root@auto-hv-01-guest02 ~]# 

How reproducible:
Always

Steps to Reproduce:
1. Installl IPA with external-ca
2. Uninstall IPA 
3. Install IPA with external-ca again

Actual results:
Installation of IPA fails in second attempt

Expected results:
Installation of IPA should be successful in second attempt also

Additional info:
1. After removing the certs from /etc/httpd/alias, able to install IPA successfully.
Comment 2 Petr Vobornik 2016-03-24 19:26:20 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4639
Comment 3 Martin Bašti 2016-05-26 14:00:41 UTC 
*** Bug 1340096 has been marked as a duplicate of this bug. ***
Comment 4 Abhijeet Kasurde 2017-02-03 09:47:53 UTC 
I have encountered same error message in RHEL 7.3. Any plan of fixing this ?
Comment 5 Martin Babinsky 2017-03-22 14:00:15 UTC 
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/cf188c8513c6b36a0724866025ddc220683de8dc
https://pagure.io/freeipa/c/f788e3e36bcaefc7d94c92895916246681e64291
master:
https://pagure.io/freeipa/c/bbd18cf10f2e67e5205a3a3bee883272e89c0042
https://pagure.io/freeipa/c/e263cb46cba604421d5ed2e1dbf5dd1d66ce0221
Comment 7 Jan Cholasta 2017-04-04 08:23:09 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/5f5a3b29dba7cc736ba334aefb55484baeefeb76
ipa-4-5:
https://pagure.io/freeipa/c/471dfcbe1cc3f319da788add3661cb6d63e3c0f0
Comment 12 Mohammad Rizwan 2017-06-08 06:13:59 UTC 
Created attachment 1285980 [details]
console logs
Comment 13 Mohammad Rizwan 2017-06-08 06:14:41 UTC 
verified on ipa-server-4.5.0-15.el7.x86_64 too.

Installation logs are attached.
Comment 14 errata-xmlrpc 2017-08-01 09:37:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.