Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
A CA-less IPA server installation will fail when using external certificates with UTF8 field values that encapsulate RDN components in double quotes, like this ->
Subject: C=US, ST=CA, O="EXAMPLE DOT COM", CN=ipa1.example.com
When Apache is configured during installation, this subject is used as the value to the 'NSSNickname' directive in /etc/httpd/conf.d/nss.conf and is written to the file as below ->
NSSNickname "CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US"
The installer code will encapsulate a value that contains spaces in double quotes as required by mod_nss. The issue here is that the value itself also includes double quotes; this causes Apache to throw an error when it is restarted, and the overall IPA installation fails at this point ->
[IPA installer log]
2016-03-24T02:41:09Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
2016-03-24T02:41:09Z ERROR Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
[Apache error log]
[Thu Mar 24 10:00:12.309299 2016] [:error] [pid 21470] Certificate not found: 'CN=ipa1.example.com,O="EXAMPLE DOT COM",ST=CA,C=US'
However, Apache starts up just fine when the value is surrounded by single quotes instead in nss.conf. I confirmed this on ipa-server-4.2.0-15.el7_2.6.x86_64.
The workaround is a slight modification to the installer script /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py ->
1. Create a back-up of /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py
2. Edit installutils.py and look for the following code at line 390 ->
389 if quotes:
390 newfile.append('%s%s"%s"\n' % (directive,separator, value))
[Change line 390 to]:
newfile.append('%s%s\'%s\'\n' % (directive,separator, value))
This will encapsulate the Subject value with single quotes instead of double-quotes. This change allowed my installation to complete when tested and was also verified by a CU ->
# diff -u /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py
--- /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig 2016-03-23 16:44:52.627394610 -0700
+++ /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py 2016-03-24 13:20:34.058402844 -0700
@@ -387,7 +387,7 @@
valueset = True
if value is not None:
if quotes:
- newfile.append('%s%s"%s"\n' % (directive, separator, value))
+ newfile.append('%s%s\'%s\'\n' % (directive, separator, value))
else:
newfile.append('%s%s%s\n' % (directive, separator, value))
else:
With the change, 'NSSNickname' in nss.conf now looks like this post-install ->
# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname 'CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US'
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2304
Description of problem: A CA-less IPA server installation will fail when using external certificates with UTF8 field values that encapsulate RDN components in double quotes, like this -> Subject: C=US, ST=CA, O="EXAMPLE DOT COM", CN=ipa1.example.com When Apache is configured during installation, this subject is used as the value to the 'NSSNickname' directive in /etc/httpd/conf.d/nss.conf and is written to the file as below -> NSSNickname "CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US" The installer code will encapsulate a value that contains spaces in double quotes as required by mod_nss. The issue here is that the value itself also includes double quotes; this causes Apache to throw an error when it is restarted, and the overall IPA installation fails at this point -> [IPA installer log] 2016-03-24T02:41:09Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1 2016-03-24T02:41:09Z ERROR Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1 [Apache error log] [Thu Mar 24 10:00:12.309299 2016] [:error] [pid 21470] Certificate not found: 'CN=ipa1.example.com,O="EXAMPLE DOT COM",ST=CA,C=US' However, Apache starts up just fine when the value is surrounded by single quotes instead in nss.conf. I confirmed this on ipa-server-4.2.0-15.el7_2.6.x86_64. The workaround is a slight modification to the installer script /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py -> 1. Create a back-up of /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py 2. Edit installutils.py and look for the following code at line 390 -> 389 if quotes: 390 newfile.append('%s%s"%s"\n' % (directive,separator, value)) [Change line 390 to]: newfile.append('%s%s\'%s\'\n' % (directive,separator, value)) This will encapsulate the Subject value with single quotes instead of double-quotes. This change allowed my installation to complete when tested and was also verified by a CU -> # diff -u /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py --- /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig 2016-03-23 16:44:52.627394610 -0700 +++ /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py 2016-03-24 13:20:34.058402844 -0700 @@ -387,7 +387,7 @@ valueset = True if value is not None: if quotes: - newfile.append('%s%s"%s"\n' % (directive, separator, value)) + newfile.append('%s%s\'%s\'\n' % (directive, separator, value)) else: newfile.append('%s%s%s\n' % (directive, separator, value)) else: With the change, 'NSSNickname' in nss.conf now looks like this post-install -> # grep NSSNickname /etc/httpd/conf.d/nss.conf NSSNickname 'CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US'