Bug 1318186 - Misleading error message during external-ca IPA master install
Summary: Misleading error message during external-ca IPA master install
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Mohammad Rizwan
: 1340096 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2016-03-16 08:59 UTC by Kaleem
Modified: 2017-08-01 09:37 UTC (History)
8 users (show)

Fixed In Version: ipa-4.5.0-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 09:37:23 UTC
Target Upstream Version:

Attachments (Terms of Use)
console logs (5.17 KB, text/plain)
2017-06-08 06:13 UTC, Mohammad Rizwan
no flags Details

System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1331443 None None None Never
Red Hat Bugzilla 1344810 None None None Never
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Internal Links: 1331443 1344810

Description Kaleem 2016-03-16 08:59:43 UTC
Description of problem:
During second attempt of IPA external-ca install after first successful attempt, following error message shown which is misleading.

ipa.ipapython.install.cli.install_tool(Server): ERROR    Failed to load /root/ipa-ca/ipa.crt

Honza helped me to figured out the cause for this.

Here, uninstallation of IPA external-ca was not removing the certs from /etc/httpd/alias which is already reported in https://fedorahosted.org/freeipa/ticket/4639. 

But instead of error message "Failed to load /root/ipa-ca/ipa.crt
", we expect error message like

 "(SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert"

Also warning message is not logged in ipaserver-install.log .

Version-Release number of selected component (if applicable):
[root@auto-hv-01-guest02 ~]# rpm -q ipa-server 
[root@auto-hv-01-guest02 ~]# 

How reproducible:

Steps to Reproduce:
1. Installl IPA with external-ca
2. Uninstall IPA 
3. Install IPA with external-ca again

Actual results:
Installation of IPA fails in second attempt

Expected results:
Installation of IPA should be successful in second attempt also

Additional info:
1. After removing the certs from /etc/httpd/alias, able to install IPA successfully.

Comment 2 Petr Vobornik 2016-03-24 19:26:20 UTC
Upstream ticket:

Comment 3 Martin Bašti 2016-05-26 14:00:41 UTC
*** Bug 1340096 has been marked as a duplicate of this bug. ***

Comment 4 Abhijeet Kasurde 2017-02-03 09:47:53 UTC
I have encountered same error message in RHEL 7.3. Any plan of fixing this ?

Comment 12 Mohammad Rizwan 2017-06-08 06:13:59 UTC
Created attachment 1285980 [details]
console logs

Comment 13 Mohammad Rizwan 2017-06-08 06:14:41 UTC
verified on ipa-server-4.5.0-15.el7.x86_64 too.

Installation logs are attached.

Comment 14 errata-xmlrpc 2017-08-01 09:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.