Bug 826973 - ipa-server-install does not fill the default value for --subject option and it crashes later.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Prpič
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 827321
Reported: 2012-05-31 10:46 UTC by Gowrishankar Rajaiyan
Modified: 2012-06-01 09:41 UTC
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, a signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this work around, the certificate subject validation procedure succeeds and the installation continues as expected.
Clone Of:
: 827321 (view as bug list)
Environment:
Last Closed: 2012-06-01 06:39:23 UTC
Target Upstream Version:
Embargoed:



Description Gowrishankar Rajaiyan 2012-05-31 10:46:11 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM -P Secret123
  

Actual results:
[root@qe-blade-06 ipa-external-ca]# /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM 

The log file for this installation can be found in /var/log/ipaserver-install.log
Unexpected error - see ipaserver-install.log for details:
 must be str,unicode,tuple, or RDN, got NoneType instead
[root@qe-blade-06 ipa-external-ca]# 


Expected results: Installation should be successful.


Additional info:
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
2012-05-31T09:36:04Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-05-31T09:36:04Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 30, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': True, 'subject': None, 'no_forwarders': False, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': False, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': '/root/ipa-ca/ipacacert.asc', 'no_host_dns': False, 'http_pkcs12': None, 'forwarders': None, 'idstart': 1463800000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': '/root/ipa-ca/ipa.crt', 'uninstall': False}
2012-05-31T09:36:04Z DEBUG missing options might be asked for interactively later

2012-05-31T09:36:04Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2012-05-31T09:36:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-05-31T09:36:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-05-31T09:36:04Z DEBUG must be str,unicode,tuple, or RDN, got NoneType instead
  File "/usr/sbin/ipa-server-install", line 1091, in <module>
    rval = main()

  File "/usr/sbin/ipa-server-install", line 607, in main
    wantsubject = unicode(DN(('CN','Certificate Authority'), options.subject))

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1064, in __init__
    self.rdns = self._rdns_from_sequence(args)

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1106, in _rdns_from_sequence
    rdn = self._rdn_from_value(item)

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1100, in _rdn_from_value
    value.__class__.__name__)

2012-05-31T09:36:04Z DEBUG Restoring system configuration file '/etc/hosts'
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#



#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
Work-around is to pass --subject "O=TESTRELM.COM" to command in step 1.

[root@qe-blade-06 ipa-external-ca]# /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM  --subject "O=TESTRELM.COM"

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Warning: Hostname (qe-blade-06.testrelm.com) not found in DNS
The domain name has been calculated based on the host name.


The IPA Master Server will be configured with:
...
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

Comment 5 Dmitri Pal 2012-05-31 16:46:41 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2794

Comment 6 Martin Kosek 2012-06-01 06:39:23 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When IPA is installed with its CA certificate signed by an external CA, the installation proceeds in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the IPA CA and a certificate of the external CA. During the second stage of the installation, a signed IPA CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure, and its default value ("O=$REALM", where $REALM is the realm of the new IPA installation) is never pulled.
Consequence: The second stage of the installation always fails unless the --subject option is filled.
Workaround: Add the following option for second stage installation: --subject "O=$REALM" where $REALM is the realm of the new IPA installation. If a custom subject was used for the first stage of the installation, use its value instead.
Result: Certificate subject validation procedure succeeds and the installation continues.
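The crash in the traceback in the description and the mechanism described in the technical note above, modelled as an added example (not FreeIPA's or ipa-server-install's own code): a minimal DN builder that rejects None with the same error, the unpatched call that lets a missing --subject reach it, and a version that pulls the O=$REALM default first and then validates the signed CA certificate's subject. Function names and the sample subject are assumptions.

```python
# Added illustration, not FreeIPA's own code: a minimal model of the DN
# construction that ipa-server-install performs in its second stage, showing
# why a missing --subject crashes it and how defaulting to O=$REALM fixes it.
# Function names and the constructed sample subject are assumptions.

def _rdn_from_value(value):
    """Accept a 'key=value' string or a (key, value) tuple, as ipalib.dn does."""
    if isinstance(value, tuple):
        return (value[0].strip(), value[1].strip())
    if isinstance(value, str):
        key, sep, val = value.partition("=")
        if not sep:
            raise ValueError("RDN string must look like key=value: %r" % value)
        return (key.strip(), val.strip())
    # This is the path the traceback hits when options.subject is None.
    raise TypeError("must be str,unicode,tuple, or RDN, got %s instead"
                    % value.__class__.__name__)

def dn(*parts):
    """Build a DN as a list of RDN tuples; mirrors DN(('CN', ...), subject).

    Comma-separated strings are split into several RDNs (no escaping handled).
    """
    rdns = []
    for part in parts:
        if isinstance(part, str) and "," in part:
            rdns.extend(_rdn_from_value(p) for p in part.split(","))
        else:
            rdns.append(_rdn_from_value(part))
    return rdns

def buggy_want_subject(subject):
    """ipa-server 2.2.0 behaviour from the traceback: None reaches DN() directly."""
    return dn(("CN", "Certificate Authority"), subject)

def build_want_subject(realm, subject=None):
    """Fixed behaviour: pull the default 'O=$REALM' when --subject was not given."""
    if subject is None:
        subject = "O=%s" % realm
    return dn(("CN", "Certificate Authority"), subject)

def validate_ca_subject(cert_subject, realm, subject=None):
    """Second-stage check: the signed IPA CA cert's subject must match the expected DN."""
    want = build_want_subject(realm, subject)
    got = dn(cert_subject)
    # Attribute types are case-insensitive in DNs; values are compared as-is here.
    return [(k.lower(), v) for k, v in want] == [(k.lower(), v) for k, v in got]

# Constructed sample: the subject an external CA would have put on the signed cert.
SIGNED_CA_SUBJECT = "CN=Certificate Authority,O=TESTRELM.COM"
```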

Comment 7 Martin Prpič 2012-06-01 09:41:48 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1 @@
-Cause: When IPA is installed with its CA certificate signed by an external CA, the installation is proceeded in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the IPA CA and a certificate of the external CA. During the second stage of the installation, an signed IPA CA certificate subject is validated. However, there is a bug in a certificate subject validation procedure and its default value ("O=$REALM") where $REALM is the realm of the new IPA installation is never pulled.
+When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, a signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this work around, the certificate subject validation procedure succeeds and the installation continues as expected.-Consequence: Second stage of the installation always fails unless --subject option is filled.
-Workaround: Add the following option for second stage installation: --subject "O=$REALM" where $REALM is the realm of the new IPA installation. If a custom subject was used for the first stage of the installation, use its value instead.
-Result: Certificate subject validation procedure succeeds and the installation continues.
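Review bot: the removed `-Consequence:` line has been run onto the end of the `+` line (it ends with `...continues as expected.-Consequence: Second stage of the installation always fails...`), so the hunk shows only three separate `-` lines where the header `@@ -1,4 +1 @@` promises four; a line break belongs after `as expected.` so the diff reads as four removals and one addition.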

