Created attachment 1167955 ipaserver-install.log

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/28]: creating certificate server user
  [2/28]: configuring certificate server instance
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: creating RA agent certificate database
  [10/28]: importing CA chain to RA certificate database
  [11/28]: fixing RA database permissions
  [12/28]: setting up signing cert profile
  [13/28]: setting audit signing renewal to 2 years
  [14/28]: restarting certificate server
  [15/28]: requesting RA certificate from CA
  [16/28]: issuing RA agent certificate
  [error] KeyError: 'b64_cert'
ipa.ipapython.install.cli.install_tool(Server): ERROR 'b64_cert'

Post CSR generation, not sure how to proceed. Very unhappy about this not being a more modular installation, as minor common problems demand a full uninstall and reinstall, which then requires a resign every time, dramatically increasing troubleshooting time.
IPA packages are from RHEL 7 repository, versioned 4.2.0-15 el7_2.15
Look at the log files in /var/lib/pki/pki-tomcat/logs/. The CA failed to issue the agent certificate (it threw java.lang.NullPointerException).
Created attachment 1167958 pki-ca-spawn.20160614152851.log
Created attachment 1167959 localhost.2016-06-14.log
Created attachment 1167960 catalina.2016-06-14.log
Created attachment 1167961 debug
(In reply to Rob Crittenden from comment #2)
> Look at the log files in /var/lib/pki/pki-tomcat/logs/. The CA failed to
> issue the agent certificate (it threw java.lang.NullPointerException).

I was unable to identify anything of significance, please let me know if more logs would be helpful.
The error appears to be related to the DNs in some manner. I was able to at least pass the CA Installation section by not adding this option when installing:

--subject 'C=US,ST=Ohio,O=AmTrust North America\, Inc.,OU=Servers,OU=Infrastructure,OU=IT'

Even when I used no external CA to sign, it still resulted in the error when I used that option. I'm now attempting to install using no subject, signing it anyway, and hoping that somehow it works anyway.
I came to the same conclusion about the subject. From the debug log:

[14/Jun/2016:15:30:07][http-bio-8443-exec-5]: java.io.IOException: Unknown AVA keyword 'INC.,ST'.

CCing a CA developer to see if he knows if this is a dogtag issue, an IPA issue or perhaps no escaping is needed.
It looks like while processing the subject DN the attribute order is reversed, then it is parsed incorrectly due to the comma in the O attribute causing the 'INC.,ST' to be considered an LDAP attribute, which is invalid. Could you try again without the comma in the O attribute to confirm the problem? Please reassign the bug to pki-core. Thanks.
I can confirm, the comma was the problem with the subject alternate. The installation worked as expected for this section using:

--subject 'C=US,ST=Ohio,O=AmTrust North America Inc.,OU=Servers,OU=Infrastructure,OU=IT'
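
The failure discussed in the comments above, as an added Python sketch (not Dogtag or IPA code, and not part of the original bug report): reversing the RDN order of the reporter's subject and re-serializing it without re-escaping the comma in O yields the same "Unknown AVA keyword 'INC.,ST'" message, while re-escaping round-trips cleanly. All function names are hypothetical, the parser handles only backslash-escaped single characters, and the assumption that the escape is lost during re-serialization is a model of the symptom, not a confirmed description of the Dogtag code path.

```python
# Added illustration, not Dogtag or IPA code; all names here are hypothetical.
# Simplified RFC 4514 handling: backslash-escaped single characters only
# (no hex pairs, no quoted values, no multi-valued RDNs).
KNOWN = {"C", "ST", "L", "O", "OU", "CN", "DC"}
SPECIALS = ',+"\\<>;'
# The subject from the bug report, with the escaped comma in O.
SUBJECT = r"C=US,ST=Ohio,O=AmTrust North America\, Inc.,OU=Servers,OU=Infrastructure,OU=IT"

def parse_dn(dn):
    """Return [(KEYWORD, value), ...], splitting only on unescaped commas."""
    avas, buf, key, i = [], [], None, 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else None      # None marks end of input
        if ch == "\\" and i + 1 < len(dn):       # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and key is None:            # end of the attribute keyword
            key = "".join(buf).strip().upper()
            if key not in KNOWN:
                raise ValueError("Unknown AVA keyword '%s'" % key)
            buf = []
        elif ch in (",", None) and key is not None:   # end of this AVA
            avas.append((key, "".join(buf).strip()))
            key, buf = None, []
        elif ch is not None:                     # ordinary character
            buf.append(ch)
        i += 1
    if "".join(buf).strip():
        raise ValueError("Trailing text without '=': %r" % "".join(buf))
    return avas

def serialize(avas, escape=True):
    """Join AVAs back into a DN string, escaping special characters if asked."""
    def esc(v):
        return "".join("\\" + c if c in SPECIALS else c for c in v)
    return ",".join("%s=%s" % (k, esc(v) if escape else v) for k, v in avas)

def reverse_dn(dn, escape=True):
    """Reverse RDN order; escape=False models forgetting to re-escape values."""
    return serialize(list(reversed(parse_dn(dn))), escape)

if __name__ == "__main__":
    print(reverse_dn(SUBJECT))                   # safe round trip
    try:
        parse_dn(reverse_dn(SUBJECT, escape=False))
    except ValueError as exc:
        print(exc)                               # the keyword from the debug log
```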
Per PKI Bug Council of 06/23/2016: RHEL 7.4
Upstream ticket: https://fedorahosted.org/pki/ticket/2379
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6
Upstream commit: e634316eb7f2aedc65fe528fb572b15e1bdc1eb2
*** This bug has been marked as a duplicate of bug 1541853 ***