Bug 1347112 - IPA 4.2.0 while Replica install "Could not find a CA cert"
Summary: IPA 4.2.0 while Replica install "Could not find a CA cert"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-16 05:33 UTC by ozmen62
Modified: 2016-06-22 17:19 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-06-22 17:19:13 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
ipareplica-install (57.75 KB, text/plain)
2016-06-20 05:51 UTC, ozmen62 		no flags Details
install log with strace (1.87 MB, text/plain)
2016-06-20 05:52 UTC, ozmen62 		no flags Details
View All

Description ozmen62 2016-06-16 05:33:51 UTC 
Description of problem:

While replica install it can setup ca files from /tmp/tmp.... directory until some point. After that install script remove file by using unlink. That couses a problem. Because further install proccess is looking for same files, but isn't able to find it in /tmp/tmp.. directory

Version-Release number of selected component (if applicable):
OS = CentOS 7.2.1511 Updated (Both Master and Replica)
IPA = 4.2.0 API=2.156 (Both Master and Replica)


How reproducible:

To reproduce that need to go around some previus problems

First,

- take a copy of /etc/ipa/ca.cer
as PEM format. Because prepare script makes it changed in to binary file

# touch /root/cacerts.p12 
"because prepare scripts looks for it" and "makes it changed"

- as decribed in formal redhat 7 replica doc
- run prepare script on master
- cp gpg file to replica with scp on master
- install ipa-server and ipa-dns-server on replica
- run ipa-replica-install --setup-ca --setup-dns --no-forvarder /path/replica.example.com.gpg



Actual results:

File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 634, in create_from_pkcs12
    raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)

2016-06-15T13:42:30Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Could not find a CA cert in /tmp/tmp80pzXcipa/realm_info/dscert.p12
2016-06-15T13:42:30Z ERROR Could not find a CA cert in /tmp/tmp80pzXcipa/realm_info/dscert.p12

if you do setup with strace you can see that in middle of the process

lstat("/tmp/tmpfDD_Lzipa/realm_info/dirsrv_pin.txt", {st_mode=S_IFREG|0644, st_size=1, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/dirsrv_pin.txt") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/cacert.p12", {st_mode=S_IFREG|0644, st_size=12404, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/cacert.p12") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/dscert.p12", {st_mode=S_IFREG|0600, st_size=2746, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/dscert.p12") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/dogtagcert.p12", {st_mode=S_IFREG|0600, st_size=2746, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/dogtagcert.p12") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/dogtag_directory_port.txt", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/dogtag_directory_port.txt") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/http_pin.txt", {st_mode=S_IFREG|0644, st_size=1, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/http_pin.txt") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/pwdfile.txt.orig", {st_mode=S_IFREG|0400, st_size=40, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/pwdfile.txt.orig") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/pwdfile.txt", {st_mode=S_IFREG|0600, st_size=40, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/pwdfile.txt") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/httpcert.p12", {st_mode=S_IFREG|0600, st_size=2746, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/httpcert.p12") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/ra.p12", {st_mode=S_IFREG|0600, st_size=3578, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/ra.p12") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/ca.crt", {st_mode=S_IFREG|0444, st_size=12404, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/ca.crt") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/preferences.html", {st_mode=S_IFREG|0644, st_size=3089, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/preferences.html") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/configure.jar", {st_mode=S_IFREG|0644, st_size=3411, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/configure.jar") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/default.conf", {st_mode=S_IFREG|0644, st_size=248, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/default.conf") = 0
lstat("/tmp/tmpfDD_Lzipa/realm_info/realm_info", {st_mode=S_IFREG|0644, st_size=167, ...}) = 0
unlink("/tmp/tmpfDD_Lzipa/realm_info/realm_info") = 0
rmdir("/tmp/tmpfDD_Lzipa/realm_info")   = 0
rmdir("/tmp/tmpfDD_Lzipa")     




Expected results:

Success
Comment 1 ozmen62 2016-06-16 05:37:42 UTC 
in actual result, i paste different install procces result.

it should be like this

2016-06-15T13:42:30Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Could not find a CA cert in /tmp/tmpfDD_Lzipa/realm_info/dscert.p12
2016-06-15T13:42:30Z ERROR Could not find a CA cert in /tmp/tmpfDD_Lzipa/realm_info/dscert.p12
Comment 2 Petr Vobornik 2016-06-17 16:06:30 UTC 
The temp folder should contain content of the replica file generated by ipa-replica-prepare util.So it is expected that it will be eventually deleted/unlinked.

Isn't the unlinking done in cleanup after failed installation?

Could you attach ipareplica-install.log?
Comment 3 ozmen62 2016-06-20 05:51:43 UTC 
Created attachment 1169675 [details]
ipareplica-install
Comment 4 ozmen62 2016-06-20 05:52:24 UTC 
Created attachment 1169676 [details]
install log with strace
Comment 5 Petr Vobornik 2016-06-22 17:19:13 UTC 
Is fixed in FreeIPA 4.2.4: https://fedorahosted.org/freeipa/ticket/5598

http://koji.fedoraproject.org/koji/buildinfo?buildID=746422
Note You need to log in before you can comment on or make changes to this bug.