Created attachment 1451883: The httpd error_log file.

Description of problem:
I would like to install a FreeIPA server on Fedora 28, but each installation fails with an error: the Apache server is unable to start due to some problems with the httpd.key file.

Version-Release number of selected component (if applicable):
Fresh installation of Fedora 28 with/without updates
freeipa-server 4.6.90.pre2

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora 28 into a VM.
2. Set the hostname (ipa) and set up /etc/hosts for IPA (ipa.example.com).
3. Install the freeipa-server package.
4. Run the `ipa-install-server` command.
5. Answer the installation questions: no internal DNS, hostname ipa.example.com, domain example.com, realm EXAMPLE.COM, and the passwords.
6. Wait for the error to appear in the httpd section.

Actual results:
Installation fails.

Expected results:
Installation should run and finish with no problems. The previous procedure succeeds on CentOS 7.

Additional info:
See the log files.
Created attachment 1451884: The IPA installation log.
Can you give more details on what your actual hostname for the IPA master is? The issue 7528 on pagure, which you commented on, is about the non-FQDN hostname case. You claim above that your hostname is 'ipa.example.com'; is that so, or is it just a result of log cleansing?
The issue is caused by a problem with decrypting the private key of the server certificate:

AH02580: Init: Pass phrase incorrect for key ipa.example.com:443:0
AH02564: Failed to configure encrypted (?) private key ipa.example.com:443:0, check /var/lib/ipa/private/httpd.key

The issue may be caused by a change in Apache mod_ssl. FreeIPA's SSLPassPhraseDialog script /usr/libexec/ipa/ipa-httpd-pwdreader doesn't support the new syntax 4.8.9 "ipa.example.com:443:0" yet, see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog . What version of Apache are you running?
What is the value for SSLPassPhraseDialog on your system? It should point to FreeIPA's password reader script:

# grep -Ri SSLPassPhraseDialog /etc/httpd/
/etc/httpd/conf.d/ssl.conf:SSLPassPhraseDialog exec:/usr/libexec/ipa/ipa-httpd-pwdreader
(In reply to Christian Heimes from comment #3)
> The issue may be caused by a change in Apache mod_ssl. FreeIPA's
> SSLPassPhraseDialog script /usr/libexec/ipa/ipa-httpd-pwdreader doesn't
> support the new syntax 2.8.9 "ipa.example.com:443:0" yet, see
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog .
> What version of Apache are you running?

Fedora 28 has mod_ssl-2.4.33-5.fc28.x86_64, which means the passphrase dialog executable is called with two arguments: "host:port algo". For a moment I was confused by the fact that the log still contains the old syntax "ipa.example.com:443:0". Algorithm 0 is RSA.
A Debian user reported a similar error, and the issue is that $HOSTNAME in the script may not match the FQDN passed in, so no password is returned and the key cannot be decrypted.
Hello, I am sorry, but this might also have been a PEBKAC. I expected that the IPA hostname would be merged from the actual hostname in /etc/hostname and the record in the /etc/hosts file. Today I was told that the record in /etc/hostname must also be fully qualified and consist of all three parts. Ergo it cannot be "ipa" but must be "ipa.example.com". So, when I set my hostname to ipa.example.com and then run the installation command:

ipa-server-install -U -a secret123 -p secret123 --setup-dns -n example.com -r EXAMPLE.COM --allow-zone-overlap --forwarder <IP>

the IPA installation finishes successfully and I can obtain the admin Kerberos ticket. I apologize for any problems and suggest closing this bug, unless you have something to add. What do you think?
This is rather difficult to debug. I think, if possible, we should have some mechanism so this type of mismatch is more obvious and discoverable.
Thanks to all. This thread saved me hours of clueless struggle.
Upstream ticket: https://pagure.io/freeipa/issue/7528
I haven't yet been able to duplicate this. The password script uses $HOSTNAME, so it gets set whenever bash is invoked. I tried setting the hostname to the short name (ipa), rebooting, setting it to ipa.example.com using hostname and then installing IPA, and it worked fine. I suspect that replacing $HOSTNAME with $(hostname -f) is the right fix for this, but I will only be able to confirm that it is still working.
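To make the two points in this thread concrete (comment #6: mod_ssl now calls the SSLPassPhraseDialog program with "host:port" plus an algorithm argument instead of the old "host:port:index"; comments #7 and #12: keying the lookup on $HOSTNAME fails when the login shell's hostname is the short name), here is an added example of a passphrase reader that handles both argument forms and compares against `hostname -f`. It is not FreeIPA's ipa-httpd-pwdreader and not code from this bug; the password-file layout (one file per "host:port" under $PWD_DIR) and the function names are assumptions made for the example.

```bash
#!/bin/sh
# Added example, not FreeIPA's own ipa-httpd-pwdreader: a passphrase reader for
# Apache's "SSLPassPhraseDialog exec:" that accepts both argument forms and
# compares the requested host with `hostname -f` instead of $HOSTNAME.
#
#   old mod_ssl:  one argument   "host:port:index"   e.g. ipa.example.com:443:0
#   new mod_ssl:  two arguments  "host:port" "algo"  e.g. ipa.example.com:443 RSA
#
# Assumed layout (not FreeIPA's): one password file per "host:port" under
# $PWD_DIR, readable only by the httpd user.

# Reduce either argument form to "host:port"; non-zero status on malformed input.
parse_hostport() {
    case "$1" in *:*) ;; *) return 1 ;; esac   # no port separator at all
    local host="${1%%:*}" rest="${1#*:}"
    local port="${rest%%:*}"                   # drops a trailing ":index"
    [ -n "$host" ] && [ -n "$port" ] || return 1
    printf '%s:%s\n' "$host" "$port"
}

# True when the host Apache asks about is this machine's FQDN.  The optional
# second parameter lets the check run without calling hostname(1).
host_matches_fqdn() {
    local host="${1%%:*}"
    local fqdn="${2:-$(hostname -f 2>/dev/null)}"
    [ -n "$fqdn" ] && [ "$host" = "$fqdn" ]
}

# Print the stored passphrase for "host:port"; non-zero status if none exists.
# PWD_DIR is read at call time so the location can be overridden.
read_passphrase() {
    local dir="${PWD_DIR:-/var/lib/ipa/passwds}"
    local f="$dir/$1"
    [ -r "$f" ] || return 1
    cat "$f"
}

# Entry point as Apache would invoke it.  Anything written to stderr ends up in
# httpd's error_log, which makes a hostname mismatch visible instead of silent.
main() {
    local hp
    hp=$(parse_hostport "$1") || { echo "pwdreader: bad argument '$1'" >&2; return 2; }
    if ! host_matches_fqdn "$hp"; then
        echo "pwdreader: requested host '$hp' does not match $(hostname -f)" >&2
        return 3
    fi
    read_passphrase "$hp"
}

# Apache always supplies at least one argument; with none, only define the functions.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Installed at the path named by `SSLPassPhraseDialog exec:`, the script answers `ipa.example.com:443:0` and `ipa.example.com:443 RSA` identically, and a short-name host (`ipa`) is rejected with a line in error_log rather than an empty password and the opaque AH02580 "Pass phrase incorrect" failure shown earlier in this bug.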
Fixed upstream

ipa-4-7:
https://pagure.io/freeipa/c/3b226d8b90d032a46809cfb0d045f62940805e86

master:
https://pagure.io/freeipa/c/e3820682c797c8dca86767dc347290f54f872a7c
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue, and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fixed in 4.7.2