Red Hat Bugzilla – Bug 1445390
ipa-[ca|kra]-install with invalid DM password break replica
Last modified: 2017-08-01 05:50:15 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6892

CA and KRA replicas can be installed on a replica at a later point in time. The commands ```ipa-ca-install``` and ```ipa-kra-install``` ask for the Directory Manager password, but fail to validate that the password is correct. There is no safe way to recover from a bad password other than complete uninstallation of the entire replica.

```
$ ipa-client-install ...
$ kinit admin
$ ipa-replica-install ...
$ ipa-ca-install
$ ipa-ca-install
Directory Manager (existing master) password: WrongPassword

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpNKIUbr' returned non-ze1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.
```
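The missing check described above can be done by hand before either installer is started. The script below is an added example, not FreeIPA's fix and not code from this report; it assumes the OpenLDAP `ldapwhoami` client is installed, and `MASTER_URI` is a placeholder for the existing master.

```shell
#!/bin/sh
# Added example (not FreeIPA code): verify the Directory Manager password with
# an LDAP simple bind before any installer step touches the replica.
# Assumptions: OpenLDAP's ldapwhoami is installed; MASTER_URI is a placeholder.
MASTER_URI="${MASTER_URI:-ldaps://master.example.test}"
DM_DN="cn=Directory Manager"

# check_dm_password PASSWORD
# Returns 0 if the bind succeeds, 1 if the server rejects the credentials
# (LDAP result code 49), 2 for any other failure (network, TLS, missing tool).
check_dm_password() {
    # mktemp creates the file with mode 0600, keeping the password off argv.
    _pwfile=$(mktemp) || return 2
    # ldapwhoami -y uses the file contents verbatim, so write no newline.
    printf '%s' "$1" > "$_pwfile"
    ldapwhoami -x -H "$MASTER_URI" -D "$DM_DN" -y "$_pwfile" >/dev/null 2>&1
    _rc=$?
    rm -f "$_pwfile"
    case "$_rc" in
        0)  return 0 ;;
        49) return 1 ;;
        *)  return 2 ;;
    esac
}

# preflight: prompt without echo and report whether it is safe to continue.
preflight() {
    printf 'Directory Manager (existing master) password: ' >&2
    stty -echo; IFS= read -r _pw; stty echo; echo >&2
    check_dm_password "$_pw"
    case $? in
        0) echo "Bind succeeded; the installer can be started." ;;
        1) echo "Directory Manager password is invalid; nothing was changed." >&2
           return 1 ;;
        *) echo "Bind to $MASTER_URI failed; nothing was changed." >&2
           return 2 ;;
    esac
}
```

Sourcing the file and running `preflight && ipa-ca-install` (or `ipa-kra-install`) starts the installer only after the bind has succeeded.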
Upstream ticket: https://pagure.io/freeipa/issue/6892
Fixed upstream

master:
https://pagure.io/freeipa/c/80d61c2e01bdce0ab805037bfc1ce8e9543d2b10
https://pagure.io/freeipa/c/7a4a368c5387569f6802b5b3ca0686ea20f1de7e
https://pagure.io/freeipa/c/1b1bace75095cf7a26a56156ff537479ef4b9619

ipa-4-5:
https://pagure.io/freeipa/c/282fc0c86474bafcb28234eabbd807b99a98adec
https://pagure.io/freeipa/c/4c12b71717b2ca1d4af5018f77c07f8f4b4feca5
https://pagure.io/freeipa/c/b8bcaa61ec6c9effcf029f82ca21685b692e0b7f
Verified using IPA server version :: ipa-server-4.5.0-13.el7.x86_64

[root@ipaserver01 ~]# kdestroy -A
[root@ipaserver01 ~]# ipa-ca-install
Directory Manager (existing master) password:

Directory Manager password is invalid
[root@ipaserver01 ~]# ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication

[root@ipaserver01 ~]# kdestroy -A
[root@ipaserver01 ~]# ipa-kra-install
Directory Manager password:

Directory Manager password is invalid
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

Marking BZ as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304