Description of problem:
A CA-less IPA server installation will fail when using external certificates with UTF8 field values that encapsulate RDN components in double quotes, like this ->
Subject: C=US, ST=CA, O="EXAMPLE DOT COM", CN=ipa1.example.com
When Apache is configured during installation, this subject is used as the value to the 'NSSNickname' directive in /etc/httpd/conf.d/nss.conf and is written to the file as below ->
NSSNickname "CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US"
The installer code will encapsulate a value that contains spaces in double quotes as required by mod_nss. The issue here is that the value itself also includes double quotes; this causes Apache to throw an error when it is restarted, and the overall IPA installation fails at this point ->
[IPA installer log]
2016-03-24T02:41:09Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
2016-03-24T02:41:09Z ERROR Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
[Apache error log]
[Thu Mar 24 10:00:12.309299 2016] [:error] [pid 21470] Certificate not found: 'CN=ipa1.example.com,O="EXAMPLE DOT COM",ST=CA,C=US'
However, Apache starts up just fine when the value in nss.conf is surrounded by single quotes instead. I confirmed this on ipa-server-4.2.0-15.el7_2.6.x86_64.
The workaround is a slight modification to the installer script /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py ->
1. Create a back-up of /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py
2. Edit installutils.py and look for the following code at line 390 ->
389     if quotes:
390         newfile.append('%s%s"%s"\n' % (directive,separator, value))
[Change line 390 to]:
newfile.append('%s%s\'%s\'\n' % (directive,separator, value))
This will encapsulate the Subject value with single quotes instead of double-quotes. This change allowed my installation to complete when tested and was also verified by a CU ->
# diff -u /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py
--- /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py.orig 2016-03-23 16:44:52.627394610 -0700
+++ /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py 2016-03-24 13:20:34.058402844 -0700
@@ -387,7 +387,7 @@
valueset = True
if value is not None:
- newfile.append('%s%s"%s"\n' % (directive, separator, value))
+ newfile.append('%s%s\'%s\'\n' % (directive, separator, value))
newfile.append('%s%s%s\n' % (directive, separator, value))
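Review bot: the `+ newfile.append('%s%s\'%s\'\n' % (directive, separator, value))` line swaps one unescaped delimiter for another rather than escaping the value: a subject containing a single quote (an O=O'Brien RDN, say) will now terminate the argument early exactly as the embedded double quotes did before. The outputs in this report also show the two quote styles do not read back the same: with double quotes httpd logged the nickname as `O="EXAMPLE DOT COM"`, while the single-quoted nss.conf line carries `O=\"EXAMPLE DOT COM\"` with the backslashes still in it, so the workaround changes the string handed to mod_nss, not just the wrapper. Suggest keeping the double quotes and escaping the value before formatting, e.g. `value.replace('\\', '\\\\').replace('"', '\\"')`, so the writer is correct for any subject.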
With the change, 'NSSNickname' in nss.conf now looks like this post-install ->
# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname 'CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US'
Please see logs attached.
Created attachment 1284415: Bug 1321652 logs
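The following is an added example and is not code from FreeIPA, mod_nss or httpd. It reproduces the installer's naive quoting from the snippet above, reads the directive back through a simplified model (assumed here, not taken from the bug) of how an Apache-style config reader tokenises a quoted argument, and shows a writer that escapes the value instead of switching quote characters. The names `write_directive_naive`, `write_directive_safe`, `parse_directive` and `round_trip`, and the two subject strings, are constructed for this example; the second subject (with an apostrophe) is hypothetical.

```python
"""Added example (not FreeIPA or httpd code): writing an Apache directive
argument such as NSSNickname safely, and reading it back the way a config
parser would.

The reader below is a simplified model, assumed for this example, of how
httpd tokenises a quoted argument: inside a quoted string a backslash
followed by the same quote character or by another backslash stands for
that character, the string ends at the first unescaped closing quote, and
any text left after it is an error (the directive takes one argument).
"""


def write_directive_naive(directive, value, quote_char='"', separator=' '):
    """The installer behaviour quoted in the bug: wrap the value in
    quote_char and do no escaping at all."""
    return '%s%s%s%s%s\n' % (directive, separator, quote_char, value, quote_char)


def quote_apache_arg(value):
    """Hardened form: always double-quote, escaping embedded backslashes
    and double quotes so the reader recovers exactly `value`."""
    escaped = value.replace('\\', '\\\\').replace('"', '\\"')
    return '"%s"' % escaped


def write_directive_safe(directive, value, separator=' '):
    return '%s%s%s\n' % (directive, separator, quote_apache_arg(value))


def parse_directive(line):
    """Return (directive, argument) as the modelled config reader sees them."""
    line = line.strip()
    name, _, rest = line.partition(' ')
    rest = rest.strip()
    if not rest or rest[0] not in '"\'':
        return name, rest            # unquoted single token
    quote = rest[0]
    out = []
    i = 1
    while i < len(rest):
        c = rest[i]
        if c == '\\' and i + 1 < len(rest) and rest[i + 1] in (quote, '\\'):
            out.append(rest[i + 1])  # escaped quote or backslash
            i += 2
            continue
        if c == quote:
            if rest[i + 1:].strip():
                raise ValueError('%s takes one argument; trailing text %r'
                                 % (name, rest[i + 1:].strip()))
            return name, ''.join(out)
        out.append(c)
        i += 1
    raise ValueError('unterminated quoted argument in %r' % line)


# Constructed inputs mirroring the bug: the subject string the installer
# had in hand already carries backslash-escaped double quotes. The second
# subject is hypothetical and exists to show the single-quote failure mode.
SUBJECT = r'CN=ipa1.example.com,O=\"EXAMPLE DOT COM\",ST=CA,C=US'
SUBJECT_WITH_APOSTROPHE = "CN=ipa1.example.com,O=O'Brien Inc,ST=CA,C=US"


def round_trip(writer, value, **kw):
    """Write a directive with `writer`, parse it back and return what the
    reader would hand to mod_nss as the nickname (or the parse error)."""
    line = writer('NSSNickname', value, **kw)
    try:
        return parse_directive(line)[1]
    except ValueError as exc:
        return 'ERROR: %s' % exc


if __name__ == '__main__':
    # Double quotes (original installer): the \" escapes are consumed, so the
    # reader yields O="EXAMPLE DOT COM", the string in the bug's error log.
    print(round_trip(write_directive_naive, SUBJECT))
    # Single quotes (the workaround): \" is not an escape inside '...', so
    # the backslashes survive into the value that reaches mod_nss.
    print(round_trip(write_directive_naive, SUBJECT, quote_char="'"))
    # The workaround breaks again as soon as the value holds an apostrophe.
    print(round_trip(write_directive_naive, SUBJECT_WITH_APOSTROPHE, quote_char="'"))
    # Escaping instead of switching quote style round-trips both values.
    print(round_trip(write_directive_safe, SUBJECT))
    print(round_trip(write_directive_safe, SUBJECT_WITH_APOSTROPHE))
```

Run it to see the two subject strings go through each writer. The point of `quote_apache_arg` is that the choice of delimiter stops mattering once every character that could end or alter the argument is escaped; whether the resulting nickname then matches what is stored in the NSS database is a separate question that depends on how the certificate was imported, which this bug does not show.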
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.