Bug 1956550 - IPA server installation fails when cert contains non-ASCII character
Summary: IPA server installation fails when cert contains non-ASCII character
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.9
Hardware: Unspecified
OS: Linux
Target Milestone: rc
: ---
Assignee: Michal Polovka
QA Contact: ipa-qe
Depends On:
TreeView+ depends on / blocked
Reported: 2021-05-03 21:56 UTC by Bijesh Thekkepat
Modified: 2021-05-11 12:43 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)

Comment 4 Rob Crittenden 2021-05-03 22:09:50 UTC
It is failing while configuring the client parts on the server. Please attach /var/log/ipaclient-install.log as well.

Comment 5 Bijesh Thekkepat 2021-05-03 22:13:23 UTC
Hello Rob,

Yes, the client part fails as well.
ipaclient-install-02930848.log is already attached, Comment 3

Let me know if you want it reattached.

Comment 6 Rob Crittenden 2021-05-04 15:51:34 UTC
Sorry, I loaded the BZ before all attachments had been made.

It is failing trying to add a certificate to /etc/ipa/nssdb, the shared IPA system NSS database. The certutil command-line is logged after obfuscating any possible secrets and it is failing in that obfuscation step on the upper-case eñe (unicode /xd1) in the issuer subject.

Can you provide the output of:

ldapsearch -x -D 'cn=directory manager' -W -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=test

replacing the dc's with the appropriate values for your domain?

Note You need to log in before you can comment on or make changes to this bug.