Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 509111

Summary: Can't install replica on F11
Product: [Retired] freeIPA Reporter: Martin Nagy <mnagy>
Component: ipa-serverAssignee: Rob Crittenden <rcritten>
Status: CLOSED UPSTREAM QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: medium    
Version: 2.0CC: benl, dpal, edewata, hripps, jgalipea, redhat-bugzilla, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 09:29:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 509132    
Bug Blocks:    
Attachments:
Description Flags
Use pk12util to find CAs to trust instead of certutil none

Description Martin Nagy 2009-07-01 12:40:10 UTC
Description of problem:
Replication is broken.

Version-Release number of selected component (if applicable):
Latest version from git, on Fedora 11.

How reproducible:
ipa-replica-install

  
Actual results:
Installation fails when trying to restart the 389 server:
2009-07-01 04:11:59,777 INFO [01/Jul/2009:04:11:49 -0400] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
Runtime error -8179 - Peer's Certificate issuer is not recognized.)
[01/Jul/2009:04:11:49 -0400] - SSL failure: None of the cipher are valid

Comment 1 Rob Crittenden 2009-07-01 13:42:39 UTC
The good news is I know why it is failing. The bad news is it is because of a change in the NSS certutil utility.

The CA cert is getting imported into the 389 database ok but it is marked as untrusted. In older versions of NSS we'd use certutil -O -n Server-Cert to print the chain of the certificate to get the CA nickname to add CA trust to.

It would appear that the NSS in F-11 only prints those in the chain that are already trusted. So we need to find another way to identify which CA(s) to trust.

Comment 2 Rob Crittenden 2009-07-01 14:11:39 UTC
Ideally this will be fixed in certutil, filed bug 509132

Comment 3 Rob Crittenden 2009-07-15 14:22:40 UTC
If you are using an NSS self-signed certificate (the default when installing) then you can modify /usr/lib/python2.6/site-packages/ipaserver/install/certs.py and make the following change:

--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -584,6 +584,7 @@ class CertDB(object):
         self.set_perms(self.pwd_conf, uid="apache")
 
     def find_root_cert(self, nickname):
+        return "CA certificate"
         p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
                               "-O", "-n", nickname], stdout=subprocess.PIPE)

This should do the trick.

Comment 4 Rob Crittenden 2009-07-23 21:53:25 UTC
Created attachment 354934 [details]
Use pk12util to find CAs to trust instead of certutil

This patch is against the master branch.

Use the output of pk12util -l to find the CAs to trust instead of certutil -O

Comment 5 Ed Voncken 2009-08-06 08:46:21 UTC
FYI: The exact same problem exists on Fedora 10.

# rpm -q ipa-server nss-tools
ipa-server-1.2.1-2.fc10.x86_64
nss-tools-3.12.3.99.3-2.10.4.fc10.x86_64


Workaround to make ipa-replica-install succeed (Rob's patch modified for F10):

# pwd
/usr/lib/python2.5/site-packages/ipaserver
# rcsdiff -u certs.py
===================================================================
RCS file: RCS/certs.py,v
retrieving revision 1.1
diff -u -r1.1 certs.py
--- certs.py	2009/08/06 08:24:29	1.1
+++ certs.py	2009/08/06 08:25:16
@@ -305,6 +305,7 @@
         self.set_perms(self.pin_fname)
 
     def find_root_cert(self, nickname):
+        return "CA certificate"
         p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
                               "-O", "-n", nickname], stdout=subprocess.PIPE)

Comment 6 Rob Crittenden 2009-09-03 17:22:16 UTC
ipa-1-2: 8ab2977eeb79571ed6f976a12a51ed2b75cdc12b

Comment 7 Fedora Update System 2009-09-10 21:20:03 UTC
ipa-1.2.2-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ipa-1.2.2-1.fc10

Comment 8 Fedora Update System 2009-09-10 21:20:26 UTC
ipa-1.2.2-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ipa-1.2.2-1.fc11

Comment 9 Fedora Update System 2009-09-19 00:05:56 UTC
ipa-1.2.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-09-19 00:10:38 UTC
ipa-1.2.2-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.