Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 524319

Summary: IPA server Install fails with error in /var/lib/ipa/ca_serialno
Product: [Retired] freeIPA Reporter: Jenny Severance <jgalipea>
Component: ipa-serverAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: medium    
Version: 2.0CC: benl, dpal, jgalipea, mgregg, mkosek, rcritten, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freeipa-2.0.0-1.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 09:30:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jenny Severance 2009-09-18 20:43:29 UTC 
Description of problem:

Install output:

[root@jennyv2 yum.repos.d]# ipa-server-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure TurboGears

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [jennyv2.bos.redhat.com]: 

The domain name has been calculated based on the host name.

Please confirm the domain name [bos.redhat.com]: 

The IPA Master Server will be configured with
Hostname:    jennyv2.bos.redhat.com
IP address:  10.16.0.47
Domain name: bos.redhat.com

The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [BOS.REDHAT.COM]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm): 


The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server:
  [1/18]: creating directory server user
  [2/18]: creating directory server instance
  [3/18]: adding default schema
  [4/18]: enabling memberof plugin
  [5/18]: enabling referential integrity plugin
  [6/18]: enabling winsync plugin
  [7/18]: enabling ldapi
  [8/18]: configuring uniqueness plugin
  [9/18]: creating indices
  [10/18]: configuring ssl for ds instance
Unexpected error - see ipaserver-install.log for details:
 File contains no section headers.
file: /var/lib/ipa/ca_serialno, line: 1
'1051'

Install log:

2009-09-18 16:34:29,684 DEBUG File contains no section headers.
file: /var/lib/ipa/ca_serialno, line: 1
'1051'
  File "/usr/sbin/ipa-server-install", line 775, in ?
    sys.exit(main())

  File "/usr/sbin/ipa-server-install", line 655, in main
    ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=not options.ca, uidstart=options.uidstart, gidstart=options.
gidstart)

  File "/usr/lib/python2.4/site-packages/ipaserver/install/dsinstance.py", line 192, in create_instance
    self.start_creation("Configuring directory server:")

  File "/usr/lib/python2.4/site-packages/ipaserver/install/service.py", line 171, in start_creation
    method()

  File "/usr/lib/python2.4/site-packages/ipaserver/install/dsinstance.py", line 334, in __enable_ssl
    cadb.create_self_signed()

  File "/usr/lib/python2.4/site-packages/ipaserver/install/certs.py", line 834, in create_self_signed
    self.create_ca_cert()

  File "/usr/lib/python2.4/site-packages/ipaserver/install/certs.py", line 344, in create_ca_cert
    p = subprocess.Popen(["/usr/bin/certutil",

  File "/usr/lib/python2.4/site-packages/ipaserver/install/certs.py", line 120, in next_serial
    parser.readfp(fp)

  File "/usr/lib/python2.4/ConfigParser.py", line 286, in readfp
    self._read(fp, filename)

  File "/usr/lib/python2.4/ConfigParser.py", line 462, in _read
    raise MissingSectionHeaderError(fpname, lineno, line)


Version-Release number of selected component (if applicable):


How reproducible:
ipa-server-2.0-4.20090918.el5ipa

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Martin Nagy 2009-09-18 21:28:21 UTC 
It seems that the reason is that you had an old /var/lib/ipa/ca_serialno file on your machine. A recent patch changed the format of this file and ipa-server-install --uninstall didn't delete it, therefore the installation failed because it didn't recognize the file.

I will address the issue, but for now I'm lowering the priority and severity, as this bug has an easy work-around.
Comment 4 Rob Crittenden 2009-09-23 12:54:58 UTC 
I guess ideally we'll handle both formats and initialize the new format with the old CA serial number.

The reason that the file isn't deleted on uninstall is so if you install again you get new serial numbers for all the certs and avoid errors where you have the same cert (and serial number) but different keys.
Comment 5 Martin Nagy 2009-09-23 13:06:12 UTC 
In that case this is NOTABUG. The error Jenny encountered was there because the format of that file changed. Rob, do you think it would at least be worth it marking the file a %ghost?
Comment 6 Rob Crittenden 2009-09-23 14:00:02 UTC 
Well, I think we should handle it a bit more gracefully than a backtrace in any case.

Yes, probably worth making this a %ghost file.
Comment 7 Rob Crittenden 2010-09-21 17:49:07 UTC 
https://fedorahosted.org/freeipa/ticket/240
Comment 8 Martin Kosek 2011-03-22 11:20:27 UTC 
Fixed in a67b524510f66ce112192261f60adf88d07fa96c.