Bug 671058 - ipa2 - ipa-server-install fails on pkisilent - xml parsing string -- ?
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Matthew Harmsen
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-01-20 05:01 UTC by Marc Sauton
Modified: 2011-05-19 13:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:44:21 UTC
Target Upstream Version:
Embargoed:


Attachments
proposed fix for "xml.vm" diffs (842 bytes, patch)
2011-01-20 20:05 UTC, Matthew Harmsen
no flags
proposed fix for "xml.vm" comments (1.64 KB, patch)
2011-01-20 20:25 UTC, Matthew Harmsen
jdennis: review+


Links
Red Hat Product Errata RHEA-2011:0631 (priority normal, status SHIPPED_LIVE): new package: ipa, last updated 2011-05-18 17:55:55 UTC

Description Marc Sauton 2011-01-20 05:01:15 UTC
Description of problem:

searched for existing reports in the ipa user and devel lists, in trac and bz, could not locate similar issues, maybe this is a dup:

ipa-server-install fails on pkisilent with an "Unexpected error" in step 4/16 for the CA

it seems like there may be some missing \r\n for the base 64 blobs header and footer in certificates for
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----

maybe in
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py

error in /var/log/ipaserver-install.log
...
2011-01-19 20:35:29,563 INFO stderr=[Fatal Error] :1:8: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 8; The string "--" is not permitted within comments.
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
        at ParseXML.parse(ParseXML.java:43)
        at ConfigureCA.LoginPanel(ConfigureCA.java:235)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1199)
        at ConfigureCA.main(ConfigureCA.java:1746)
[Fatal Error] :1:8: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 8; The string "--" is not permitted within comments.

I added a
ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat6/lib/xalan-j2-serializer.jar
but this did not change anything.


Version-Release number of selected component (if applicable):

Fedora release 14 (Laughlin)
Linux ipaserver1.example.com 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux

ipa-admintools-2.0-0.2011011909git902bd90.fc14.x86_64
ipa-pki-common-theme-9.0.1-1.20110119T2054z.fc14.noarch
ipa-pki-ca-theme-9.0.1-1.20110119T2054z.fc14.noarch
ipa-client-2.0-0.2011011909git902bd90.fc14.x86_64
ipa-server-2.0-0.2011011909git902bd90.fc14.x86_64
ipa-python-2.0-0.2011011909git902bd90.fc14.x86_64
ipa-server-selinux-2.0-0.2011011909git902bd90.fc14.x86_64

alternatives --config java
*+ 1           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java


How reproducible:
always


Steps to Reproduce:
1. get a system with F14
2. add repo http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
3. enable fedora-updates-testing.repo
4. add some utils
yum install -y ntpdate bind-utils rsync openssh-clients openldap-clients wget tigervnc-server lsof xterm twm xorg-x11-fonts-Type1 java-1.6.0-openjdk-devel firefox
yum install -y dbus subversion vim screen
5. yum update
6. reboot
7. yum install ipa-server bind caching-nameserver
8. ipa-server-install --realm=EXAMPLE.COM --domain=example.com --ds-password=password --master-password=password --admin-password=password --hostname=ipaserver1.example.com --idstart=1000 --setup-dns --forwarder=10.14.7.221 --zonemgr=msauton

  
Actual results:

ipa-server-install --realm=EXAMPLE.COM --domain=example.com --ds-password=password --master-password=password --admin-password=password --hostname=ipaserver1.example.com --idstart=1000 --setup-dns --forwarder=10.14.7.221 --zonemgr=msauton
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipaserver1.example.com]:

The IPA Master Server will be configured with
Hostname:    ipaserver1.example.com
IP address:  10.14.5.16
Domain name: example.com

The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The set up procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.


The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Configuring certificate server: Estimated time 6 minutes
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipaserver1.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Et7DLU -client_certdb_pwd 'XXXXXXXX' -preop_pin qdpOMgnf18GByOcik8p3 -domain_name IPA -admin_user admin -admin_email root@localhost -admin_XXXXXXXX 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=EXAMPLE.COM" -ldap_host ipaserver1.example.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_XXXXXXXX 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=EXAMPLE.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=EXAMPLE.COM" -ca_server_cert_subject_name "CN=ipaserver1.example.com,O=EXAMPLE.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=EXAMPLE.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=EXAMPLE.COM" -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed
[root@ipaserver1 ~]#


Expected results:


Additional info:

first visible error in
/var/log/ipaserver-install.log
...
Posting Query = https://ipaserver1.example.com:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Thu, 20 Jan 2011 04:34:15 GMT
RESPONSE HEADER:  Connection: close
ERROR: unable to parse xml
ERROR XML = ertificate Chain</Name></Panel><Panel><Id>restorekeys</Id><Name>Import Keys and Certificates</Name></Panel><Panel><Id>cahierarchy</Id><Name>PKI Hierarchy</Name></Panel><Panel><Id>database</Id><Name>Internal Database</Name></Panel><Panel><Id>size</Id><Name>Key Pairs</Name></Panel><Panel><Id>subjectname</Id><Name>Subject Names</Name></Panel><Panel><Id>certrequest</Id><Name>Requests and Certificates</Name></Panel><Panel><Id>backupkeys</Id><Name>Export Keys and Certificates</Name></Panel><Panel><Id>savepk12</Id><Name>Save Keys and Certificates</Name></Panel><Panel><Id>importcachain</Id><Name>Import CA's Certificate Chain</Name></Panel><Panel><Id>admin</Id><Name>Administrator</Name></Panel><Panel><Id>importadmincert</Id><Name>Import Administrator's Certificate</Name></Panel><Panel><Id>done</Id><Name>Done</Name></Panel></Vector></panels><p>1</p><name>CA Setup Wizard</name><oms><Vector></Vector></oms><defTok>Internal Key Storage Token</defTok><req></req><panelname>module</panelname>
</response>

and toward the last entries:

ERROR: Tag=CertReqPair has no values
ERROR: Tag=CertReqPair has no values
ERROR: Tag=CertReqPair has no values
req_list_size=0
cert_list_size=0
dn_list_size=0
ca_cert_name=CN=Certificate\ Authority,O=EXAMPLE.COM
ocsp_cert_name=CN=OCSP\ Subsystem,O=EXAMPLE.COM
ca_subsystem_cert_name=CN=CA\ Subsystem,O=EXAMPLE.COM
server_cert_name=CN=ipaserver1.example.com,O=EXAMPLE.COM
audit_signing_cert_name=CN=CA\ Audit,O=EXAMPLE.COM
ca_cert_req=null
ocsp_cert_req=null
ca_subsystem_cert_req=null
server_cert_req=null
ca_audit_siging_cert_req=null
ca_cert_cert=null
ocsp_cert_cert=null
ca_subsystem_cert_cert=null
server_cert_cert=null
ca_audit_signing_cert_cert=null
Sleeping for 5 secs..
Exception in CertificatePanel(): java.lang.NullPointerException
ERROR: ConfigureCA: CertificatePanel() failure
ERROR: unable to create CA

#######################################################################

2011-01-19 20:35:29,563 INFO stderr=[Fatal Error] :1:8: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 8; The string "--" is not permitted within comments.
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
        at ParseXML.parse(ParseXML.java:43)
        at ConfigureCA.LoginPanel(ConfigureCA.java:235)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1199)
        at ConfigureCA.main(ConfigureCA.java:1746)
[Fatal Error] :1:8: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 8; The string "--" is not permitted within comments.


grep "\-\-" /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py
            args = ["/usr/sbin/setup-ds.pl", "--silent", "--logfile", "-", "-f", inf_fd.name]
                """sd = security domain -->  all CS systems get registered to
            print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
        out = out.replace('-----BEGIN CERTIFICATE-----', '')
        out = out.replace('-----END CERTIFICATE-----', '')
        self.ra_cert = self.ra_cert.replace('-----BEGIN CERTIFICATE-----','')
        self.ra_cert = self.ra_cert.replace('-----END CERTIFICATE-----','')
            st = certs.find('-----BEGIN', en)
            en = certs.find('-----END', en+1)
                         "-pki_instance_name=%s" % PKI_INSTANCE_NAME, "--force"])

Comment 2 John Dennis 2011-01-20 15:14:13 UTC
looks like this SVN checkin is the culprit

r1738 | mharmsen | 2011-01-17 14:59:20 -0500 (Mon, 17 Jan 2011) | 2 lines

dogtag/common-ui/shared/admin/console/config/xml.vm

These two strings are not valid for XML comments

--- BEGIN COPYRIGHT BLOCK ---
--- END COPYRIGHT BLOCK ---

XML comments must not contain the string "--" anywhere in the comment.

When the XML parser tries to read this file it throws an exception because of invalid XML syntax.

In other XML copyright blocks I've done recently I've just used:

BEGIN COPYRIGHT BLOCK
END COPYRIGHT BLOCK

I see some other XML files do this:

### BEGIN COPYRIGHT BLOCK ###
### END COPYRIGHT BLOCK ###

Not sure if one is preferred over the other, also not sure if the above config file is the only example with the bad syntax or not.

Comment 3 John Dennis 2011-01-20 15:22:26 UTC
Marc:

FYI:

> I added a
> ln -s /usr/share/java/xalan-j2-serializer.jar
> /usr/share/tomcat6/lib/xalan-j2-serializer.jar
> but this did not change anything.

After the tomcat6 port we no longer modify anything in the tomcat installation, things like this are now legacy. The jars are exclusively set up in the tomcat *instance* area, e.g.

/var/lib/pki-ca/common/lib/
/var/lib/pki-ca/webapps/ca/WEB-INF/lib

If this had been a problem with a missing jar then the error would have been a ClassDefNotFound exception and the solution would have been to add a symbolic link to the missing jar in one of the two above instance directories.

Comment 4 Marc Sauton 2011-01-20 17:59:18 UTC
Understood, it was one of the various things I tried, in doubt.
But thanks for clarifying and providing more explanations!

Comment 5 Matthew Harmsen 2011-01-20 20:05:40 UTC
Created attachment 474527 [details]
proposed fix for "xml.vm" diffs

Comment 6 Matthew Harmsen 2011-01-20 20:25:38 UTC
Created attachment 474531 [details]
proposed fix for "xml.vm" comments

Comment 7 John Dennis 2011-01-20 20:49:38 UTC
Comment on attachment 474531 [details]
proposed fix for "xml.vm" comments

Good, you got the other file now too. And it's great you moved the XML declaration to the top. But the XML declaration should be using utf-8 as the encoding not latin-1, I realize this was probably how the file was previously but we might as well fix these things as we encounter them. If you just change the encoding I think it will be fine.

Comment 8 Matthew Harmsen 2011-01-20 22:46:06 UTC
NOTE:  In the SVN Repository, "pki/ipa/common-ui/shared" is an EXTERNAL PROPERTY
       of "pki/dogtag/common-ui/shared", and as such, changes are not allowed to
       be made to this file.  Rather, the change was checked into
       "pki/dogtag/common-ui/shared/admin/console/config/xml.vm", and
       "svn update pki/ipa/common-ui" was performed on this directory to apply
       this update to this IPA component.

Changed XML declaration in attachment from:

    <?xml version="1.0" encoding="ISO-8859-1"?>

to:

    <?xml version='1.0' encoding='utf-8'?>


TIP:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       dogtag/common-ui/shared/admin/console/config/xml.vm

# svn commit
Sending        dogtag/common-ui/shared/admin/console/config/xml.vm
Transmitting file data .
Committed revision 1759.
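
The two defects that the attachment reviewed in Comment 7 and Comment 8 corrects, a "--" inside an XML comment (Comment 2) and an XML declaration that is not the first thing in the file, are both easy to lint for before the template ever reaches Xerces. The script below is an added example written for this bug page; it is not Dogtag or IPA code. It scans the literal text of a file such as xml.vm for comment bodies that contain "--" or end in "-", for a declaration that is not at offset 0, and, as a style finding only, for a declared encoding other than utf-8, then confirms the verdict with the stdlib expat parser. The three sample documents are constructed stand-ins for the real template (which is a Velocity template; the lint reads its literal text, not rendered output), and the element names inside them are borrowed from the wizard response quoted in the description.

```python
"""Lint the literal text of an XML file or template (for example the
Dogtag wizard template xml.vm) for the well-formedness defects discussed
in this bug, then confirm the verdict with the stdlib expat parser.

Added example for this bug page; not Dogtag or IPA code. The sample
documents below are constructed stand-ins for the real template."""
import re
import xml.etree.ElementTree as ET

# XML 1.0 s2.5: Comment ::= '<!--' ((Char - '-') | ('-' (Char - '-')))* '-->'
# so a comment body may not contain "--" and may not end with "-".
_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# The XML declaration, if present, must be the very first bytes of the document.
_DECL_RE = re.compile(r"<\?xml\s[^?]*\?>")
_ENC_RE = re.compile(r"""encoding\s*=\s*["']([^"']+)["']""")

# Constructed stand-in for the template before the fix: a copyright block
# with "---" inside the comment, placed ahead of a latin-1 declaration.
BAD_TEMPLATE = (
    "<!-- --- BEGIN COPYRIGHT BLOCK ---\n"
    "     (constructed stand-in for the real copyright text)\n"
    "     --- END COPYRIGHT BLOCK --- -->\n"
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    "<response><panelname>module</panelname></response>\n"
)
# Constructed stand-in for the template after the fix described in
# Comment 7 and Comment 8: declaration first, no "--" in the comment.
FIXED_TEMPLATE = (
    "<?xml version='1.0' encoding='utf-8'?>\n"
    "<!-- BEGIN COPYRIGHT BLOCK\n"
    "     (constructed stand-in for the real copyright text)\n"
    "     END COPYRIGHT BLOCK -->\n"
    "<response><panelname>module</panelname></response>\n"
)
# The "### ... ###" style mentioned in Comment 2 is also well-formed XML.
HASH_STYLE_TEMPLATE = (
    "<?xml version='1.0' encoding='utf-8'?>\n"
    "<!-- ### BEGIN COPYRIGHT BLOCK ###\n"
    "     ### END COPYRIGHT BLOCK ### -->\n"
    "<response/>\n"
)


def _line_col(text, offset):
    """1-based line and column of a character offset."""
    line = text.count("\n", 0, offset) + 1
    col = offset - (text.rfind("\n", 0, offset) + 1) + 1
    return line, col


def lint_xml_text(text):
    """Return (line, col, message) findings; an empty list means clean.

    Only the first "--" in each comment is reported. The encoding check
    is a style preference (Comment 7), not a well-formedness rule."""
    findings = []
    for m in _COMMENT_RE.finditer(text):
        body = m.group(1)
        pos = body.find("--")
        if pos != -1:
            line, col = _line_col(text, m.start(1) + pos)
            findings.append((line, col, 'comment contains "--"'))
        elif body.endswith("-"):
            line, col = _line_col(text, m.end(1) - 1)
            findings.append((line, col, 'comment ends with "-" ("--->")'))
    decl = _DECL_RE.search(text)
    if decl is not None:
        line, col = _line_col(text, decl.start())
        if decl.start() != 0:
            findings.append((line, col, "XML declaration is not at the start of the document"))
        enc = _ENC_RE.search(decl.group(0))
        if enc is not None and enc.group(1).lower() not in ("utf-8", "utf8"):
            findings.append((line, col, "declared encoding is %s, expected utf-8" % enc.group(1)))
    return findings


def parses(text):
    """True if expat (the stdlib parser) accepts the document as-is."""
    try:
        ET.fromstring(text.encode("utf-8"))
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for name, doc in (("before fix", BAD_TEMPLATE), ("after fix", FIXED_TEMPLATE),
                      ("hash style", HASH_STYLE_TEMPLATE)):
        print("%s: parses=%s" % (name, parses(doc)))
        for line, col, msg in lint_xml_text(doc):
            print("  %d:%d %s" % (line, col, msg))
```

The lint reports the column of the first "-" of the offending pair, whereas Xerces reports the position at which it gave up, one past the pair; the ":1:8" in the report is consistent with a response that begins "<!-- ---". That the error sits on line 1 also shows the comment preceded the XML declaration, which is the second thing the attachment fixed. One caveat for .vm files specifically: in Velocity "##" starts a line comment, so the "### BEGIN COPYRIGHT BLOCK ###" variant would be stripped by the template engine before the XML ever reaches the parser, and it takes the rest of that line with it, including a closing "-->" on the same line.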

Comment 10 Matthew Harmsen 2011-01-20 23:55:07 UTC
I checked in the fix before I noticed that the review was set to "-".

If the changes that I documented in Comment #8 adequately address your comments in Comment #7, could you please set the code review flag to "+" so that I can move this bug to MODIFIED?

Comment 12 Namita Soman 2011-04-08 15:46:06 UTC
Verified, and was able to install successfully on rhel61 using the command:
ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname=rhel61-server5.testrelm -r TESTRELM -n testrelm  -p Secret123 -P Secret123 -a Secret123 -U

version:
ipa-server-2.0.0-20.el6.x86_64

Comment 13 errata-xmlrpc 2011-05-19 13:44:21 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html

