Bug 826973 - ipa-server-install does not fill the default value for --subject option and it crashes later.
ipa-server-install does not fill the default value for --subject option and i...
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
6.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Martin Prpic
IDM QE LIST
:
Depends On:
Blocks: 827321
  Show dependency treegraph
 
Reported: 2012-05-31 06:46 EDT by Gowrishankar Rajaiyan
Modified: 2012-06-01 05:41 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, a signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this work around, the certificate subject validation procedure succeeds and the installation continues as expected.
Story Points: ---
Clone Of:
: 827321 (view as bug list)
Environment:
Last Closed: 2012-06-01 02:39:23 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gowrishankar Rajaiyan 2012-05-31 06:46:11 EDT
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM -P Secret123
  

Actual results:
[root@qe-blade-06 ipa-external-ca]# /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM 

The log file for this installation can be found in /var/log/ipaserver-install.log
Unexpected error - see ipaserver-install.log for details:
 must be str,unicode,tuple, or RDN, got NoneType instead
[root@qe-blade-06 ipa-external-ca]# 


Expected results: Installation should be successful.


Additional info:
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
2012-05-31T09:36:04Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-05-31T09:36:04Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 30, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': True, 'subject': None, 'no_forwarders': False, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': False, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': '/root/ipa-ca/ipacacert.asc', 'no_host_dns': False, 'http_pkcs12': None, 'forwarders': None, 'idstart': 1463800000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': '/root/ipa-ca/ipa.crt', 'uninstall': False}
2012-05-31T09:36:04Z DEBUG missing options might be asked for interactively later

2012-05-31T09:36:04Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2012-05-31T09:36:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-05-31T09:36:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2012-05-31T09:36:04Z DEBUG must be str,unicode,tuple, or RDN, got NoneType instead
  File "/usr/sbin/ipa-server-install", line 1091, in <module>
    rval = main()

  File "/usr/sbin/ipa-server-install", line 607, in main
    wantsubject = unicode(DN(('CN','Certificate Authority'), options.subject))

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1064, in __init__
    self.rdns = self._rdns_from_sequence(args)

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1106, in _rdns_from_sequence
    rdn = self._rdn_from_value(item)

  File "/usr/lib/python2.6/site-packages/ipalib/dn.py", line 1100, in _rdn_from_value
    value.__class__.__name__)

2012-05-31T09:36:04Z DEBUG Restoring system configuration file '/etc/hosts'
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#



#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
Work-around is to pass --subject "O=TESTRELM.COM" to command in step 1.

[root@qe-blade-06 ipa-external-ca]# /usr/sbin/ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc -p Secret123 -U -a Secret123 -r TESTRELM.COM  --subject "O=TESTRELM.COM"

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Warning: Hostname (qe-blade-06.testrelm.com) not found in DNS
The domain name has been calculated based on the host name.


The IPA Master Server will be configured with:
...
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
Comment 5 Dmitri Pal 2012-05-31 12:46:41 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2794
Comment 6 Martin Kosek 2012-06-01 02:39:23 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When IPA is installed with its CA certificate signed by an external CA, the installation is proceeded in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the IPA CA and a certificate of the external CA. During the second stage of the installation, an signed IPA CA certificate subject is validated. However, there is a bug in a certificate subject validation procedure and its default value ("O=$REALM") where $REALM is the realm of the new IPA installation is never pulled.
Consequence: Second stage of the installation always fails unless --subject option is filled.
Workaround: Add the following option for second stage installation: --subject "O=$REALM" where $REALM is the realm of the new IPA installation. If a custom subject was used for the first stage of the installation, use its value instead.
Result: Certificate subject validation procedure succeeds and the installation continues.
Comment 7 Martin Prpic 2012-06-01 05:41:48 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1 @@
-Cause: When IPA is installed with its CA certificate signed by an external CA, the installation is proceeded in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the IPA CA and a certificate of the external CA. During the second stage of the installation, an signed IPA CA certificate subject is validated. However, there is a bug in a certificate subject validation procedure and its default value ("O=$REALM") where $REALM is the realm of the new IPA installation is never pulled.
+When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, a signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this work around, the certificate subject validation procedure succeeds and the installation continues as expected.-Consequence: Second stage of the installation always fails unless --subject option is filled.
-Workaround: Add the following option for second stage installation: --subject "O=$REALM" where $REALM is the realm of the new IPA installation. If a custom subject was used for the first stage of the installation, use its value instead.
-Result: Certificate subject validation procedure succeeds and the installation continues.

Note You need to log in before you can comment on or make changes to this bug.