Description of problem: Install output: [root@jennyv2 yum.repos.d]# ipa-server-install The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup the IPA Server. This includes: * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure TurboGears To accept the default shown in brackets, press the Enter key. Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. Server host name [jennyv2.bos.redhat.com]: The domain name has been calculated based on the host name. Please confirm the domain name [bos.redhat.com]: The IPA Master Server will be configured with Hostname: jennyv2.bos.redhat.com IP address: 10.16.0.47 Domain name: bos.redhat.com The server must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations. The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [BOS.REDHAT.COM]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server: [1/18]: creating directory server user [2/18]: creating directory server instance [3/18]: adding default schema [4/18]: enabling memberof plugin [5/18]: enabling referential integrity plugin [6/18]: enabling winsync plugin [7/18]: enabling ldapi [8/18]: configuring uniqueness plugin [9/18]: creating indices [10/18]: configuring ssl for ds instance Unexpected error - see ipaserver-install.log for details: File contains no section headers. file: /var/lib/ipa/ca_serialno, line: 1 '1051' Install log: 2009-09-18 16:34:29,684 DEBUG File contains no section headers. file: /var/lib/ipa/ca_serialno, line: 1 '1051' File "/usr/sbin/ipa-server-install", line 775, in ? sys.exit(main()) File "/usr/sbin/ipa-server-install", line 655, in main ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=not options.ca, uidstart=options.uidstart, gidstart=options. gidstart) File "/usr/lib/python2.4/site-packages/ipaserver/install/dsinstance.py", line 192, in create_instance self.start_creation("Configuring directory server:") File "/usr/lib/python2.4/site-packages/ipaserver/install/service.py", line 171, in start_creation method() File "/usr/lib/python2.4/site-packages/ipaserver/install/dsinstance.py", line 334, in __enable_ssl cadb.create_self_signed() File "/usr/lib/python2.4/site-packages/ipaserver/install/certs.py", line 834, in create_self_signed self.create_ca_cert() File "/usr/lib/python2.4/site-packages/ipaserver/install/certs.py", line 344, in create_ca_cert p = subprocess.Popen(["/usr/bin/certutil", File "/usr/lib/python2.4/site-packages/ipaserver/install/certs.py", line 120, in next_serial parser.readfp(fp) File "/usr/lib/python2.4/ConfigParser.py", line 286, in readfp self._read(fp, filename) File "/usr/lib/python2.4/ConfigParser.py", line 462, in _read raise MissingSectionHeaderError(fpname, lineno, line) Version-Release number of selected component (if applicable): How reproducible: ipa-server-2.0-4.20090918.el5ipa Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
It seems that the reason is that you had an old /var/lib/ipa/ca_serialno file on your machine. A recent patch changed the format of this file and ipa-server-install --uninstall didn't delete it, therefore the installation failed because it didn't recognize the file. I will address the issue, but for now I'm lowering the priority and severity, as this bug has an easy work-around.
I guess ideally we'll handle both formats and initialize the new format with the old CA serial number. The reason that the file isn't deleted on uninstall is so if you install again you get new serial numbers for all the certs and avoid errors where you have the same cert (and serial number) but different keys.
In that case this is NOTABUG. The error Jenny encountered was there because the format of that file changed. Rob, do you think it would at least be worth it marking the file a %ghost?
Well, I think we should handle it a bit more gracefully than a backtrace in any case. Yes, probably worth making this a %ghost file.
https://fedorahosted.org/freeipa/ticket/240
Fixed in a67b524510f66ce112192261f60adf88d07fa96c.