Bug 751597 - ipa-server-install --hostname fails at step configuring certificate server instance
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 756082
Reported: 2011-11-06 03:51 UTC by Namita Soman
Modified: 2012-06-20 13:16 UTC (History)

Fixed In Version: ipa-2.2.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: When IPA server is installed with a custom hostname which is not properly resolvable in DNS, an IP address for the custom hostname is requested from the user and a host record is added to /etc/hosts so that the custom hostname is resolvable and the installation can continue. However, the record is not added when the IP address is passed as an option (--ip-address).
Consequence: Installation fails because subsequent steps cannot resolve the machine IP address.
Fix: Host record in /etc/hosts is now added even when IP address is passed via CLI option --ip-address.
Result: Installation with a nonresolvable hostname now succeeds with no regards to how the IP address is passed to the installer (interactively or via CLI option).
Clone Of:
Environment:
Last Closed: 2012-06-20 13:16:42 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Namita Soman 2011-11-06 03:51:42 UTC
Description of problem:
I start with machine, whose hostname is ipa-replica.testrelm, with ip 10.16.19.135
# ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm -r TESTRELM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.19.135

This fails with:
  [3/17]: configuring certificate server instance
CRITICAL:root:failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipaserver.testrelm' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Ychuf6' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'AIYjmiNBjk4DZ4G18R6C' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=TESTRELM' '-ldap_host' 'ipaserver.testrelm' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=TESTRELM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=TESTRELM' '-ca_server_cert_subject_name' 'CN=ipaserver.testrelm,O=TESTRELM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=TESTRELM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=TESTRELM' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipaserver.testrelm' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-Ychuf6' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'AIYjmiNBjk4DZ4G18R6C' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=TESTRELM' '-ldap_host' 'ipaserver.testrelm' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=TESTRELM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=TESTRELM' '-ca_server_cert_subject_name' 'CN=ipaserver.testrelm,O=TESTRELM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=TESTRELM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=TESTRELM' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed


Version-Release number of selected component (if applicable):
ipa-server-2.1.3-8.el6.x86_64
bind-dyndb-ldap-0.2.0-7.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use ipa-server-install with a different hostname than the current hostname, as indicated above

Actual results:
error as indicated above

Expected results:
install to be successful

Additional info:

Env before install:
# hostname
ipa-replica.testrelm

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#10.16.19.135  ipa-replica.testrelm ipa-replica

# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=ipa-replica.testrelm

# cat /etc/resolv.conf 
# Generated by NetworkManager
domain bos.redhat.com
search bos.redhat.com redhat.com testrelm
nameserver 10.16.255.2
nameserver 10.16.255.3
nameserver 10.11.255.155


Env after install:
# hostname
ipaserver.testrelm

# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=ipaserver.testrelm

Comment 2 Martin Kosek 2011-11-07 16:39:43 UTC
There are 2 ways to work around this:

1) Pass IP address interactively (omit --ip-address option in CLI call)

2) Add host record to /etc/hosts in a proper format before you install:
$IP_ADDRESS $HOSTNAME $SHORT_NAME

where $IP_ADDRESS is the value you pass to --ip-address, $HOSTNAME is the value you pass to --hostname and $SHORT_NAME is the first part of the $HOSTNAME.

For example, if you install IPA this way:
ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm -r TESTRELM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.19.135

and add this record to /etc/hosts:
10.16.19.135 ipaserver.testrelm ipaserver

before you run ipa-server-install, the installation should be OK.
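The /etc/hosts workaround from this comment as an added shell example (not code from the bug report or from the IPA installer): it builds the record in the $IP_ADDRESS $HOSTNAME $SHORT_NAME format, checks a hosts file for an uncommented record (the reporter's file only had the old hostname, and commented out), and appends the record if it is missing. The function names and the hosts-file path argument are assumptions; the demo runs against a constructed copy of the reporter's /etc/hosts rather than the real file.

```shell
# Record in the format the installer expects: $IP_ADDRESS $HOSTNAME $SHORT_NAME
ipa_hosts_record() {
    ip="$1"; fqdn="$2"
    short="${fqdn%%.*}"   # first label of the FQDN, e.g. ipaserver
    printf '%s %s %s\n' "$ip" "$fqdn" "$short"
}

# Return 0 if HOSTS_FILE maps FQDN to IP on an uncommented line, else 1.
# A commented-out record (as in the original report) does not count.
ipa_hosts_has_record() {
    ip="$1"; fqdn="$2"; hosts_file="$3"
    sed 's/#.*//' "$hosts_file" | awk -v ip="$ip" -v fqdn="$fqdn" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Append the record when it is missing; returns 0 once the file is correct.
ipa_hosts_ensure_record() {
    ip="$1"; fqdn="$2"; hosts_file="$3"
    if ipa_hosts_has_record "$ip" "$fqdn" "$hosts_file"; then
        echo "ok: $fqdn already maps to $ip in $hosts_file"
        return 0
    fi
    echo "adding '$(ipa_hosts_record "$ip" "$fqdn")' to $hosts_file"
    ipa_hosts_record "$ip" "$fqdn" >> "$hosts_file"
    ipa_hosts_has_record "$ip" "$fqdn" "$hosts_file"
}

# Demo against a constructed copy of the reporter's /etc/hosts (not the real file).
demo_hosts=$(mktemp)
cat > "$demo_hosts" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#10.16.19.135  ipa-replica.testrelm ipa-replica
EOF
ipa_hosts_ensure_record 10.16.19.135 ipaserver.testrelm "$demo_hosts"
```

Run it as root with the real /etc/hosts path and the same --ip-address and --hostname values you intend to give ipa-server-install, before starting the installer.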

Comment 5 Martin Kosek 2011-11-07 16:42:39 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2074

Comment 6 Rob Crittenden 2011-11-11 19:05:57 UTC
Fixed upstream.

master: 0165a03694db76462b62ca06cdc2b3f88312a154

Comment 8 Namita Soman 2012-04-02 14:48:51 UTC
Using:
ipa-server-2.2.0-7.el6.x86_64

# hostname
margo.testrelm.com
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=margo.testrelm.com
# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.16.96.50 margo.testrelm.com margo
# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search idm.lab.bos.redhat.com
nameserver 10.16.78.150

Installed using command:
# ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm.com -r TESTRELM.COM -n testrelm -p Secret123 -P Secret123 -a Secret123 --ip-address 10.16.96.50

Failed with:
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm --server ipaserver.testrelm.com --realm TESTRELM.COM --hostname ipaserver.testrelm.com' returned non-zero exit status 1

/var/log/ipaserver-install.log has:
2012-04-02T14:39:16Z DEBUG Changing admin password
2012-04-02T14:39:16Z DEBUG args=/usr/bin/ldappasswd -h ipaserver.testrelm.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpjjJRzL -T /var/lib/ipa/tmp_K_Zxx uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
2012-04-02T14:39:16Z DEBUG stdout=
2012-04-02T14:39:16Z DEBUG stderr=
2012-04-02T14:39:16Z DEBUG ldappasswd done
2012-04-02T14:39:18Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm --server ipaserver.testrelm.com --realm TESTRELM.COM --hostname ipaserver.testrelm.com
2012-04-02T14:39:18Z DEBUG stdout=^[[?1034hDiscovery was successful!
Hostname: ipaserver.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm
IPA Server: ipaserver.testrelm.com
BaseDN: dc=testrelm,dc=com


Configured /etc/sssd/sssd.conf

2012-04-02T14:39:18Z DEBUG stderr=DNS domain 'testrelm.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1521, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1358, in install
    api.Backend.xmlclient.connect()
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
    raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: Service u'HTTP' not found in Kerberos database/



After install:
# hostname
ipaserver.testrelm.com

Comment 9 Martin Kosek 2012-04-02 15:27:11 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2602

Comment 10 Rob Crittenden 2012-04-02 15:39:08 UTC
I'm glad Martin opened a new ticket; this seems to be a different issue.

In this case you set the DNS for testrelm and set server name to testrelm.com. No wonder it isn't resolvable.

Comment 11 Namita Soman 2012-04-02 17:01:52 UTC
Yes - my mistake. I missed passing testrelm.com for domain name. I retried the install with correct parameters, as in:
ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname ipaserver.testrelm.com --ip-address 10.16.96.50

And was able to install on a machine where hostname before install was margo.testrelm.com

Comment 12 Namita Soman 2012-04-02 17:35:55 UTC
Verified this bug using ipa-server-2.2.0-7.el6.x86_64
Opened new bug 809190 for the error installer ran into when domain name is not resolvable.

Comment 13 Martin Kosek 2012-04-03 07:45:32 UTC
Ok, thanks. I will link the upstream ticket to the new Bugzilla.

Comment 14 Martin Kosek 2012-04-19 11:53:50 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When IPA server is installed with a custom hostname which is not properly resolvable in DNS, an IP address for the custom hostname is requested from the user and a host record is added to /etc/hosts so that the custom hostname is resolvable and the installation can continue. However, the record is not added when the IP address is passed as an option (--ip-address).
Consequence: Installation fails because subsequent steps cannot resolve the machine IP address.
Fix: Host record in /etc/hosts is now added even when IP address is passed via CLI option --ip-address.
Result: Installation with a nonresolvable hostname now succeeds with no regards to how the IP address is passed to the installer (interactively or via CLI option).

Comment 16 errata-xmlrpc 2012-06-20 13:16:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

