RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1318903 - ipa server install failing when SUBCA signs the cert
Summary: ipa server install failing when SUBCA signs the cert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-18 05:43 UTC by Geetika Kapoor
Modified: 2016-11-04 05:52 UTC (History)
5 users (show)

Fixed In Version: ipa-4.4.0-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:52:20 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Ipa.log (14.49 KB, text/plain)
2016-04-04 09:35 UTC, Geetika Kapoor
no flags Details
correct_ipa.log (20.13 KB, text/plain)
2016-04-04 11:58 UTC, Geetika Kapoor
no flags Details
certificates.txt (4.03 KB, text/plain)
2016-04-11 06:28 UTC, Geetika Kapoor
no flags Details
ipa_11april.log (2.57 MB, text/plain)
2016-04-11 06:30 UTC, Geetika Kapoor
no flags Details
uninstall_log_april11_install (42.96 KB, text/plain)
2016-04-14 11:11 UTC, Geetika Kapoor
no flags Details
console.log (18.00 KB, text/plain)
2016-09-20 11:35 UTC, Abhijeet Kasurde
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Geetika Kapoor 2016-03-18 05:43:20 UTC
Description of problem:

Ipa doesn't work with subCA signed certificates while doing external signing.
ipa server install failing when SUBCA signs the cert.
When external CA is tested with IPA and we have CA certificate chain(example like in subca) in that case it fails

Version-Release number of selected component (if applicable):

RHEL 7.2 

How reproducible:

always 
Steps to Reproduce:
1. configure ipa-server-install --external-ca.
use the csr request and generate a signed cert.  ==> Works as expected
2./usr/sbin/ipa-server-install --external-cert-file=/root/file3 --external-cert-file=/root/file2 -vv  



Actual results:

When we provide chain of certificate which has 2-3 certificates as it is a subCA then it doesn't work as expected.
Expected results:
It should be able to detech certificate chain

Additional info:

<log stack>
2016-03-16T09:08:12Z DEBUG stderr=
2016-03-16T09:08:12Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 308, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 278, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 287, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 501, in _configure
    validator.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 420, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 417, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install

    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 263, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 603, in install_check
    ca.install_check(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 61, in install_check
    options.external_cert_files, options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1028, in load_external_cert
    (", ".join(files)))

2016-03-16T09:08:12Z DEBUG The ipa-server-install command failed, exception: ScriptError: CA certificate chain in cert, chain is incomplete
2016-03-16T09:08:12Z ERROR CA certificate chain in cert, chain is incomplete

Comment 2 Petr Vobornik 2016-03-22 11:39:06 UTC
Honza, could you investigate?

Geetika, the error says "CA certificate chain in cert, chain is incomplete" are you sure that the provided certs are indeed correct and contains the required chain.

Comment 3 Jan Cholasta 2016-03-24 10:34:20 UTC
Geetika, could you please attach /var/log/ipaserver-install.log? The output you provided does not contain enough information to debug the issue.

Comment 4 Geetika Kapoor 2016-03-28 05:24:39 UTC
I have used a subCA certificate and the component used here used as CA is "dogtag"(RHCS). Since it is a subCA it has more than 1 certificate in CA certificate chain.

Here is the log stack:


<log stack>
2016-03-16T09:08:12Z DEBUG stderr=
2016-03-16T09:08:12Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 308, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 278, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 287, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 501, in _configure
    validator.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 420, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 417, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install

    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 263, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 603, in install_check
    ca.install_check(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 61, in install_check
    options.external_cert_files, options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1028, in load_external_cert
    (", ".join(files)))

2016-03-16T09:08:12Z DEBUG The ipa-server-install command failed, exception: ScriptError: CA certificate chain in cert, chain is incomplete
2016-03-16T09:08:12Z ERROR CA certificate chain in cert, chain is incomplete

Comment 5 Jan Cholasta 2016-04-04 05:40:39 UTC
This is the same snippet as in the bug description. I'm going to need the full log, otherwise I can only assume that the error message is right and you are not providing the full CA certificate chain. External CA install with more than 1 CA certificate in the chain works fine for me.

Comment 6 Geetika Kapoor 2016-04-04 05:44:51 UTC
Sure i'll provide it today.Thanks

Comment 7 Geetika Kapoor 2016-04-04 09:35:18 UTC
Created attachment 1143275 [details]
Ipa.log

Ipa server logs are attached

Comment 8 Jan Cholasta 2016-04-04 11:37:52 UTC
This is apparently not the correct log, it fails with different error:

2016-04-04T09:28:58Z DEBUG The ipa-server-install command failed, exception: ScriptError: Failed to load /root/file4
2016-04-04T09:28:58Z ERROR Failed to load /root/file4

Comment 9 Geetika Kapoor 2016-04-04 11:39:55 UTC
yeah I have pasted a different server cert.I'll correct that.
Thanks

Comment 10 Geetika Kapoor 2016-04-04 11:40:47 UTC
I'll share the logs with correct certificate..

Comment 11 Geetika Kapoor 2016-04-04 11:58:49 UTC
Created attachment 1143311 [details]
correct_ipa.log

Comment 12 Jan Cholasta 2016-04-06 10:56:31 UTC
The CA certificate with subject name "O=os1.phx2.redhat.com Security Domain, CN=CA Signing Certificate" is missing, hence the ipa-server-install error message.

Could you please attach the "cert" and "chain" files used in --external-cert-file as well?

Comment 13 Geetika Kapoor 2016-04-06 11:06:56 UTC
Signed Cert:


-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIBBTANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtleGFt
cGxlLm9yZzEeMBwGA1UEAwwVQ0EgU3Vib3JkaW5hdGVTaWduaW5nMB4XDTE2MDQw
NDExNTI1OFoXDTE4MDMyNTExNDc0OFowRjEkMCIGA1UECgwbSURNLkxBQi5FTkcu
UkRVMi5SRURIQVQuQ09NMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3m6Ww/hymmbHAFuRh+7cP
YNWoYt5eVk0CgPynHQguTnDwYjNroERY4w2+SQ8lowBaM/fTxQRJaRTcRqkuQg5d
LbqULUwp+Ea1xnifgJ6SF+XY+q2SyLi3gEBZY8W3UD0ML/2fdFtsQJnmrOwO2Zh5
7GjRp4Fs82QHkbMkjah3YiHWR0FiiGe4PZMFgPsFz07DoIjptxMR6SDbg6rqDyjF
T/bmdSTsrzKjygAUPAgymxQ1Xe2Hd3LtHGIhdZG41kSzgBl4xu/HLUhzc/8iWK2F
dMIljv5eWj5Ok+CcAEQeu1ZdL1fz3SN1hFmA7Ls2HQnLW9l2Zu/QmWNJxqgRL35N
AgMBAAGjgbgwgbUwHwYDVR0jBBgwFoAUo8bKJPVYz0ZdtXFMgEoNtGUVz8UwHQYD
VR0OBBYEFOkpalcPvGxPkGnPKFxHStJcJNNnMA8GA1UdEwEB/wQFMAMBAf8wDgYD
VR0PAQH/BAQDAgHGMFIGCCsGAQUFBwEBBEYwRDBCBggrBgEFBQcwAYY2aHR0cDov
L2drYXBvb3ItbG9jYWwub3MxLnBoeDIucmVkaGF0LmNvbToxODA4MC9jYS9vY3Nw
MA0GCSqGSIb3DQEBCwUAA4IBAQA65pCcoyk0J0bivpX0X0+jd6N3wR0fTFdu31NT
5CgibRNZQFZ8H56wYXYOkycEVUz+F7PEr6UiruAfbwoxoPEqyTKEZimQNnj5tlnw
NIHV1pa6kTpUg49k098y+ZQDwoWW/R+FGAKl/Tno1MPyfeXlvX5Z9i/PCsjYhRWP
SdZrFRpbWpzfT5iWrvfN4O12VBi8fxePg13V4kXfW6489C/Vj9U7x+SRJMs+nkUO
qLthUH6s8DSNC8cJLDfqCJQLsnCWhh9PS0B3iELvxF96d1YUw4tBgtIsNnA+fxIV
HKMOv9D3glL1ULW2D2mz02VoDGR7ZFWo3gFHBgZtvqK5DUO3
-----END CERTIFICATE-----


chain of ca:
-----------

-----BEGIN CERTIFICATE-----
MIIDuDCCAqCgAwIBAgIBMjANBgkqhkiG9w0BAQsFADBPMSwwKgYDVQQKDCNvczEu
cGh4Mi5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2ln
bmluZyBDZXJ0aWZpY2F0ZTAeFw0xNjA0MDQxMTQ3NDhaFw0xODAzMjUxMTQ3NDha
MDYxFDASBgNVBAoMC2V4YW1wbGUub3JnMR4wHAYDVQQDDBVDQSBTdWJvcmRpbmF0
ZVNpZ25pbmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/o2+82gN
mhAbpfM325cLpjHjxvAJn7QDHT/xC1FsPU6SE/P9yxpj8u0YJqzR08FNQYjd6aDh
V04wwFT7lPmE8ArV56wBceUInGdtQROEme6Zqx/znMELu6o4eewvjJNj+zYLYpNe
0Zq2lUGbcDfaglNoBPJiErC1T1UmAFX7PPDpnt6h2CH3uJJrEKxA2q7BhmHt5i7Q
7NSeBQWqpoFpe7v9gc4DDdPXPt2N+PcrYr6Yn1RQocW6E5cYSCnc84QEdiINWBTQ
gudV18MCT0V5vp0xeRcu54Yr1VESh8ah6PrAqGvET32L4SzsbisyP7h6Jv2j/bo0
kP6B6S5mIbR1AgMBAAGjgbcwgbQwHwYDVR0jBBgwFoAUniI2Y+YqeTO3ZNCvA/sU
Ce3WrkYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYE
FKPGyiT1WM9GXbVxTIBKDbRlFc/FMFEGCCsGAQUFBwEBBEUwQzBBBggrBgEFBQcw
AYY1aHR0cDovL2drYXBvb3ItbG9jYWwub3MxLnBoeDIucmVkaGF0LmNvbTo4MDgw
L2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBACIgq2RYGKTvVevqHzZrjTj87yZL
sij44sqhJXAFdjRRqjcaPM34H/ecK+RPL42CLhVNnutaY+OkuZ2UeFer5CQ3pFvJ
VaLmy97PMythr2ldMkEfbtlKojUAc1Y/GyO/qynyIlgUdIvdeW9qdvhEnQzmhNEu
OcI0JQgMMOK2VKRPno8xfTqpNcGTLS+a0vL8fjBhjLxpoGDd5l3TjRfR+GE+5CV9
FsgeHsazZLuHiKYbfGbPG3pMM/vuNRMsLch5cPBC2BdF67FQoZDnR0irLF4EgEOs
TyCW9BAmyLfwR0yFOtoVSNYPjq3TQKwFzidoM2/mZZrIpocaxdqbJzAVG8Y=
-----END CERTIFICATE-----

Comment 14 Jan Cholasta 2016-04-07 08:24:04 UTC
OK, since you are apparently missing one of the required certificates ("O=os1.phx2.redhat.com Security Domain, CN=CA Signing Certificate"), the error message is correct.

I'm leaving the bug open, because I think the error message should be improved to include subject name of the missing certificate for easier troubleshooting.

Comment 15 Geetika Kapoor 2016-04-07 09:02:09 UTC
Here in "chain of ca certificates" it has two certificates(CA and subCA) which is generated from dogtag.So chain is not missing.

Comment 16 Petr Vobornik 2016-04-07 10:16:56 UTC
In 'chain', I see only a cert with subject:
  Subject: O=example.org, CN=CA SubordinateSigning

It was issued by:
  Issuer: O=os1.phx2.redhat.com Security Domain, CN=CA Signing Certificate

But the "O=os1.phx2.redhat.com Security Domain, CN=CA Signing Certificate" certificate is not present in 'chain' nor 'cert' file.

Comment 17 Petr Vobornik 2016-04-08 08:41:19 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5792

Comment 18 Geetika Kapoor 2016-04-11 06:27:58 UTC
This issue was occurring because once certificate chain was missing.Now i have added both the certificate chain but now when i check logs it has:

2016-04-11T06:02:25Z DEBUG stderr=
2016-04-11T06:02:25Z DEBUG Starting external process
2016-04-11T06:02:25Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-IDM-LAB-ENG-RDU2-REDHAT-COM/' '-L' '-n' 'IDM.LAB.ENG.RDU2.REDHAT.COM IPA CA' '-a'
2016-04-11T06:02:25Z DEBUG Process finished, return code=255
2016-04-11T06:02:25Z DEBUG stdout=
2016-04-11T06:02:25Z DEBUG stderr=certutil: Could not find cert: IDM.LAB.ENG.RDU2.REDHAT.COM IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found


But strange thing is there is nothing that we are doing if we get this stderr.
Is this okay? we are proceeding and doing further installation.

I have the setup scenario with me .I can share details .I am attaching ipa logs .

along with that i am also attaching certificates used.

/usr/sbin/ipa-server-install --external-cert-file=cert --external-cert-file=chain2 --external-cert-file=chain1

Comment 19 Geetika Kapoor 2016-04-11 06:28:51 UTC
Created attachment 1145837 [details]
certificates.txt

Comment 20 Geetika Kapoor 2016-04-11 06:30:03 UTC
Created attachment 1145838 [details]
ipa_11april.log

Comment 21 Geetika Kapoor 2016-04-14 11:11:02 UTC
In this case when i try to do an uninstall using ipa-server-install --uninstall -vv,it passed but it gives a traceback also.I am attaching traceback as well as full logs for uninstall also.

<snip>
ipa         : DEBUG    stderr=Removed symlink /etc/systemd/system/multi-user.target.wants/ipa.service.

ipa         : DEBUG    Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa         : DEBUG    Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception
    super(Continuous, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 417, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall
    for nothing in self._uninstaller(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1646, in main
    uninstall(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 263, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1148, in uninstall
    sys.exit(rv)
SystemExit: 0

ipa.ipapython.install.cli.uninstall_tool(Server): INFO     The ipa-server-install command was successful

Comment 22 Geetika Kapoor 2016-04-14 11:11:50 UTC
Created attachment 1147147 [details]
uninstall_log_april11_install

Comment 23 Petr Vobornik 2016-04-14 11:53:04 UTC
(In reply to Geetika Kapoor from comment #18)
> This issue was occurring because once certificate chain was missing.Now i
> have added both the certificate chain but now when i check logs it has:
> 
> 2016-04-11T06:02:25Z DEBUG stderr=
> 2016-04-11T06:02:25Z DEBUG Starting external process
> 2016-04-11T06:02:25Z DEBUG args='/usr/bin/certutil' '-d'
> '/etc/dirsrv/slapd-IDM-LAB-ENG-RDU2-REDHAT-COM/' '-L' '-n'
> 'IDM.LAB.ENG.RDU2.REDHAT.COM IPA CA' '-a'
> 2016-04-11T06:02:25Z DEBUG Process finished, return code=255
> 2016-04-11T06:02:25Z DEBUG stdout=
> 2016-04-11T06:02:25Z DEBUG stderr=certutil: Could not find cert:
> IDM.LAB.ENG.RDU2.REDHAT.COM IPA CA
> : PR_FILE_NOT_FOUND_ERROR: File not found
> 
> 
> But strange thing is there is nothing that we are doing if we get this
> stderr.
> Is this okay? we are proceeding and doing further installation.

We are creating a dirsrv NSS database and adding the cert there. 


The traceback in uninstallation is expected.

Comment 24 Jan Cholasta 2016-06-23 05:34:14 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/517964f746e004801e5e73d61f3f5e16102b7299

Comment 26 Abhijeet Kasurde 2016-09-20 11:34:54 UTC
Verified using IPA version ::
ipa-server-4.4.0-12.el7.x86_64

Please find the attachment for verification logs. Marking BZ as verified.

Comment 27 Abhijeet Kasurde 2016-09-20 11:35:18 UTC
Created attachment 1202861 [details]
console.log

Comment 29 errata-xmlrpc 2016-11-04 05:52:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html


Note You need to log in before you can comment on or make changes to this bug.