Description of problem:
searched for existing reports in ipa user and devel list, in trac and bz, could not locate similar issues, maybe this is a dup:

ipa-server-install fails on pkisilent with an "Unexpected error" in step 4/16 for the CA.
It seems like there may be some missing \r\n for the base64 blobs header and footer in certificates for -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, maybe in /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py

error in /var/log/ipaserver-install.log
...
2011-01-19 20:35:29,563 INFO stderr=[Fatal Error] :1:8: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 8; The string "--" is not permitted within comments.
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
        at ParseXML.parse(ParseXML.java:43)
        at ConfigureCA.LoginPanel(ConfigureCA.java:235)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1199)
        at ConfigureCA.main(ConfigureCA.java:1746)
[Fatal Error] :1:8: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 8; The string "--" is not permitted within comments.

I added a
ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat6/lib/xalan-j2-serializer.jar
but this did not change anything.

Version-Release number of selected component (if applicable):
Fedora release 14 (Laughlin)
Linux ipaserver1.example.com 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
ipa-admintools-2.0-0.2011011909git902bd90.fc14.x86_64
ipa-pki-common-theme-9.0.1-1.20110119T2054z.fc14.noarch
ipa-pki-ca-theme-9.0.1-1.20110119T2054z.fc14.noarch
ipa-client-2.0-0.2011011909git902bd90.fc14.x86_64
ipa-server-2.0-0.2011011909git902bd90.fc14.x86_64
ipa-python-2.0-0.2011011909git902bd90.fc14.x86_64
ipa-server-selinux-2.0-0.2011011909git902bd90.fc14.x86_64

alternatives --config java
*+ 1           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java

How reproducible:
always

Steps to Reproduce:
1. get a system with F14
2. add repo http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
3. enable fedora-updates-testing.repo
4. add some utils
   yum install -y ntpdate bind-utils rsync openssh-clients openldap-clients wget tigervnc-server lsof xterm twm xorg-x11-fonts-Type1 java-1.6.0-openjdk-devel firefox
   yum install -y dbus subversion vim screen
5. yum update
6. reboot
7. yum install ipa-server bind caching-nameserver
8. ipa-server-install --realm=EXAMPLE.COM --domain=example.com --ds-password=password --master-password=password --admin-password=password --hostname=ipaserver1.example.com --idstart=1000 --setup-dns --forwarder=10.14.7.221 --zonemgr=msauton

Actual results:
ipa-server-install --realm=EXAMPLE.COM --domain=example.com --ds-password=password --master-password=password --admin-password=password --hostname=ipaserver1.example.com --idstart=1000 --setup-dns --forwarder=10.14.7.221 --zonemgr=msauton

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [ipaserver1.example.com]:

The IPA Master Server will be configured with
Hostname:    ipaserver1.example.com
IP address:  10.14.5.16
Domain name: example.com

The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The set up procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.

Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Configuring certificate server: Estimated time 6 minutes
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipaserver1.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Et7DLU -client_certdb_pwd 'XXXXXXXX' -preop_pin qdpOMgnf18GByOcik8p3 -domain_name IPA -admin_user admin -admin_email root@localhost -admin_XXXXXXXX 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=EXAMPLE.COM" -ldap_host ipaserver1.example.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_XXXXXXXX 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=EXAMPLE.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=EXAMPLE.COM" -ca_server_cert_subject_name "CN=ipaserver1.example.com,O=EXAMPLE.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=EXAMPLE.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=EXAMPLE.COM" -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed
[root@ipaserver1 ~]#

Expected results:

Additional info:
first visible error in /var/log/ipaserver-install.log
...
Posting Query = https://ipaserver1.example.com:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Thu, 20 Jan 2011 04:34:15 GMT
RESPONSE HEADER:  Connection: close
ERROR: unable to parse xml
ERROR XML = ertificate Chain</Name></Panel><Panel><Id>restorekeys</Id><Name>Import Keys and Certificates</Name></Panel><Panel><Id>cahierarchy</Id><Name>PKI Hierarchy</Name></Panel><Panel><Id>database</Id><Name>Internal Database</Name></Panel><Panel><Id>size</Id><Name>Key Pairs</Name></Panel><Panel><Id>subjectname</Id><Name>Subject Names</Name></Panel><Panel><Id>certrequest</Id><Name>Requests and Certificates</Name></Panel><Panel><Id>backupkeys</Id><Name>Export Keys and Certificates</Name></Panel><Panel><Id>savepk12</Id><Name>Save Keys and Certificates</Name></Panel><Panel><Id>importcachain</Id><Name>Import CA's Certificate Chain</Name></Panel><Panel><Id>admin</Id><Name>Administrator</Name></Panel><Panel><Id>importadmincert</Id><Name>Import Administrator's Certificate</Name></Panel><Panel><Id>done</Id><Name>Done</Name></Panel></Vector></panels><p>1</p><name>CA Setup Wizard</name><oms><Vector></Vector></oms><defTok>Internal Key Storage Token</defTok><req></req><panelname>module</panelname> </response>

and toward the last entries:
ERROR: Tag=CertReqPair has no values
ERROR: Tag=CertReqPair has no values
ERROR: Tag=CertReqPair has no values
req_list_size=0
cert_list_size=0
dn_list_size=0
ca_cert_name=CN=Certificate\ Authority,O=EXAMPLE.COM
ocsp_cert_name=CN=OCSP\ Subsystem,O=EXAMPLE.COM
ca_subsystem_cert_name=CN=CA\ Subsystem,O=EXAMPLE.COM
server_cert_name=CN=ipaserver1.example.com,O=EXAMPLE.COM
audit_signing_cert_name=CN=CA\ Audit,O=EXAMPLE.COM
ca_cert_req=null
ocsp_cert_req=null
ca_subsystem_cert_req=null
server_cert_req=null
ca_audit_siging_cert_req=null
ca_cert_cert=null
ocsp_cert_cert=null
ca_subsystem_cert_cert=null
server_cert_cert=null
ca_audit_signing_cert_cert=null
Sleeping for 5 secs..
Exception in CertificatePanel(): java.lang.NullPointerException
ERROR: ConfigureCA: CertificatePanel() failure
ERROR: unable to create CA
#######################################################################
2011-01-19 20:35:29,563 INFO stderr=[Fatal Error] :1:8: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 8; The string "--" is not permitted within comments.
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
        at ParseXML.parse(ParseXML.java:43)
        at ConfigureCA.LoginPanel(ConfigureCA.java:235)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1199)
        at ConfigureCA.main(ConfigureCA.java:1746)
[Fatal Error] :1:8: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 8; The string "--" is not permitted within comments.

grep "\-\-" /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py
        args = ["/usr/sbin/setup-ds.pl", "--silent", "--logfile", "-", "-f", inf_fd.name]
        """sd = security domain --> all CS systems get registered to
            print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
            out = out.replace('-----BEGIN CERTIFICATE-----', '')
            out = out.replace('-----END CERTIFICATE-----', '')
            self.ra_cert = self.ra_cert.replace('-----BEGIN CERTIFICATE-----','')
            self.ra_cert = self.ra_cert.replace('-----END CERTIFICATE-----','')
                st = certs.find('-----BEGIN', en)
                en = certs.find('-----END', en+1)
                                  "-pki_instance_name=%s" % PKI_INSTANCE_NAME, "--force"])
looks like this SVN checkin is the culprit

r1738 | mharmsen | 2011-01-17 14:59:20 -0500 (Mon, 17 Jan 2011) | 2 lines

dogtag/common-ui/shared/admin/console/config/xml.vm

These two strings are not valid for XML comments

--- BEGIN COPYRIGHT BLOCK ---
--- END COPYRIGHT BLOCK ---

XML comments must not contain the string "--" anywhere in the comment. When the XML parser tries to read this file it throws an exception because of invalid XML syntax.

In other XML copyright blocks I've done recently I've just used:

BEGIN COPYRIGHT BLOCK
END COPYRIGHT BLOCK

I see some other XML files do this:

### BEGIN COPYRIGHT BLOCK ###
### END COPYRIGHT BLOCK ###

Not sure if one is preferred over the other, also not sure if the above config file is the only example with the bad syntax or not.
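As an added illustration of the well-formedness rule cited in the comment above (this is example code written for this page, not code from the bug, FreeIPA or Dogtag): a small Python lint that finds comments whose body contains "--", flags an XML declaration that is not the first thing in the document, cross-checks the file with the stdlib expat parser (which rejects such input for the same reason Xerces did in ConfigureCA), and applies the fix adopted here, dropping the hyphen runs and moving a utf-8 declaration to the top. The template text is constructed for the example and is not the real xml.vm.

```python
"""Lint an XML template for two well-formedness problems: '--' inside a
comment and an <?xml ...?> declaration that is not at the very start.
Example code for this page; the template below is constructed, not xml.vm."""
import re
import xml.dom.minidom
from xml.parsers.expat import ExpatError

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
DECL_RE = re.compile(r"<\?xml\s[^?]*\?>")

# Constructed sample modelled on the copyright block quoted in the bug:
# a comment containing '--' placed before the XML declaration.
BAD_TEMPLATE = """<!-- --- BEGIN COPYRIGHT BLOCK ---
     This library is free software.
     --- END COPYRIGHT BLOCK --- -->
<?xml version="1.0" encoding="ISO-8859-1"?>
<response><p>1</p><name>CA Setup Wizard</name></response>
"""


def find_comment_errors(text):
    """Return (line, comment body) for every comment that XML forbids:
    a body containing '--', or a body ending in '-' (which yields '--->')."""
    errors = []
    for m in COMMENT_RE.finditer(text):
        body = m.group(1)
        if "--" in body or body.endswith("-"):
            line = text.count("\n", 0, m.start()) + 1
            errors.append((line, body.strip()))
    return errors


def declaration_misplaced(text):
    """True if an XML declaration exists but is not at offset 0."""
    m = DECL_RE.search(text)
    return m is not None and m.start() != 0


def is_well_formed(text):
    """Cross-check with expat, as a second opinion: returns (ok, message)."""
    try:
        xml.dom.minidom.parseString(text.encode("utf-8"))
        return True, ""
    except ExpatError as e:
        return False, str(e)


def sanitize(text):
    """Apply the fix chosen in the bug: strip hyphen runs out of comment
    bodies, remove the misplaced declaration and put a utf-8 one first."""
    def fix_body(m):
        body = re.sub(r"-{2,}", "", m.group(1))
        body = re.sub(r"[ \t]+", " ", body)  # collapse gaps the dashes left
        return "<!--" + body + "-->"
    text = COMMENT_RE.sub(fix_body, text)
    text = DECL_RE.sub("", text, count=1)
    return "<?xml version='1.0' encoding='utf-8'?>\n" + text.lstrip()


if __name__ == "__main__":
    for line, body in find_comment_errors(BAD_TEMPLATE):
        print("line %d: '--' inside comment: %s" % (line, body))
    if declaration_misplaced(BAD_TEMPLATE):
        print("XML declaration is not at the start of the document")
    print("expat accepts original:", is_well_formed(BAD_TEMPLATE))
    fixed = sanitize(BAD_TEMPLATE)
    print("expat accepts fixed:   ", is_well_formed(fixed))
```

Run against a checkout, the two checks catch the problem before a Tomcat instance ever serves the template; the expat pass is there to confirm that the regex view agrees with a real parser.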
Marc: FYI:

> I added a
> ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat6/lib/xalan-j2-serializer.jar
> but this did not change anything.

After the tomcat6 port we no longer modify anything in the tomcat installation, things like this are now legacy. The jars are exclusively set up in the tomcat *instance* area, e.g.

/var/lib/pki-ca/common/lib/
/var/lib/pki-ca/webapps/ca/WEB-INF/lib

If this had been a problem with a missing jar then the error would have been a ClassDefNotFound exception and the solution would have been to add a symbolic link to the missing jar in one of the two above instance directories.
understood, it was one of the various things I tried, in doubt. But thx for clarifying and providing more explanations!
Created attachment 474527 [details] proposed fix for "xml.vm" diffs
Created attachment 474531 [details] proposed fix for "xml.vm" comments
Comment on attachment 474531 [details] proposed fix for "xml.vm" comments Good, you got the other file now too. And it's great you moved the XML declaration to the top. But the XML declaration should be using utf-8 as the encoding not latin-1, I realize this was probably how the file was previously but we might as well fix these things as we encounter them. If you just change the encoding I think it will be fine.
NOTE: In the SVN Repository, "pki/ipa/common-ui/shared" is an EXTERNAL PROPERTY of "pki/dogtag/common-ui/shared", and as such, changes are not allowed to be made to this file. Rather, the change was checked into "pki/dogtag/common-ui/shared/admin/console/config/xml.vm", and "svn update pki/ipa/common-ui" was performed on this directory to apply this update to this IPA component.

Changed XML declaration in attachment from:
<?xml version="1.0" encoding="ISO-8859-1"?>
to:
<?xml version='1.0' encoding='utf-8'?>

TIP:
# cd pki
# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       dogtag/common-ui/shared/admin/console/config/xml.vm
# svn commit
Sending        dogtag/common-ui/shared/admin/console/config/xml.vm
Transmitting file data .
Committed revision 1759.
I checked in the fix before I noticed that the review was set to "-". If the changes that I documented in Comment #8 adequately address your comments in Comment #7, could you please set the code review flag to "+" so that I can move this bug to MODIFIED?
verified, and was able to install successfully on rhel61 using command:
ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname=rhel61-server5.testrelm -r TESTRELM -n testrelm -p Secret123 -P Secret123 -a Secret123 -U

version:
ipa-server-2.0.0-20.el6.x86_64
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html