Created attachment 614879 [details] Full log On a Fedora 17 with update-testing enabled, running ipa-server-install like so ipa-server-install --setup-dns -r FI.LAN -n fi.lan -a test1234 -p test1234 results in the output shown further down. Full log is attached. Packages: freeipa-server-2.2.0-1.fc17.x86_64 pki-native-tools-9.0.23-1.fc17.x86_64 The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the FreeIPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. Existing BIND configuration detected, overwrite? [no]: yes Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. Server host name [fi.lan]: Warning: skipping DNS resolution of host fi.lan The server hostname resolves to more than one address: fe80::5054:ff:fe63:6fc2%eth0 192.168.100.30 Please provide the IP address to be used for this host name: 192.168.100.30 Do you want to configure DNS forwarders? [yes]: no No DNS forwarders configured Do you want to configure the reverse zone? [yes]: yes Please specify the reverse zone name [100.168.192.in-addr.arpa.]: Using reverse zone 100.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: fi.lan IP address: 192.168.100.30 Domain name: fi.lan Realm name: FI.LAN BIND DNS server will be configured to serve IPA domain with: Forwarders: No forwarders Reverse zone: 100.168.192.in-addr.arpa. Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. Configuring certificate server: Estimated time 3 minutes 30 seconds [1/18]: creating certificate server user [2/18]: creating pki-ca instance [3/18]: configuring certificate server instance [4/18]: disabling nonces [5/18]: creating CA agent PKCS#12 file in /root [6/18]: creating RA agent certificate database [7/18]: importing CA chain to RA certificate database [8/18]: fixing RA database permissions [9/18]: setting up signing cert profile [10/18]: set up CRL publishing [11/18]: set certificate subject base [12/18]: enabling Subject Key Identifier [13/18]: configuring certificate server to start on boot [14/18]: restarting certificate server [15/18]: requesting RA certificate from CA [16/18]: issuing RA agent certificate Unexpected error - see ipaserver-install.log for details: Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-56Kk3t -r /ca/agent/ca/profileReview?requestId=7 fi.lan:9443' returned non-zero exit status 6
Created attachment 614881 [details] Content of /var/log/pki-ca
In the past this error has suggested a DNS issue. Since you're configuring DNS with IPA we have a bit of a chicken and egg problem. What does /etc/hosts look like? Does it have both the IPv4 and IPv6 address in it?
I have rerun ipa-server-install without --setup-dns, and the result is the same. # cat /etc/hosts: 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 Thus, fi.lan is not in there. Still, it can be resolved by ping and wget, but not by sslget. # ping -c 1 fi.lan PING fi.lan (192.168.100.30) 56(84) bytes of data. 64 bytes from fi.lan (192.168.100.30): icmp_req=1 ttl=64 time=0.066 ms There is this line in /etc/nsswitch.conf: # grep ^hosts /etc/nsswitch.conf hosts: files dns myhostname The "myhostname" entry is responsible for resolving fi.lan to 192.168.100.30, as I have learned just now. Adding fi.lan to /etc/hosts doesn't help, sslget still fails: # grep fi /etc/hosts 192.168.100.30: fi fi.lan # /usr/bin/sslget -v -n ipa-ca-agent -p $password -d /tmp/tmp-xZ2bD4 -r /ca/agent/ca/profileReview?requestId=7 fi.lan:9443 >/dev/null GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0 port: 9443 addr='fi.lan' family='10' exit after PR_Connect with error -5987: Using the IP address directly makes sslget work: # /usr/bin/sslget -v -n ipa-ca-agent -p $password -d /tmp/tmp-xZ2bD4 -r /ca/agent/ca/profileReview?requestId=7 192.168.100.30:9443 >/dev/null GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0 port: 9443 addr='192.168.100.30' family='2' Called mygetclientauthdata - nickname = ipa-ca-agent mygetclientauthdata - cert = 1ded5b0 mygetclientauthdata - privkey = 1e30770 PR_Write wrote 55 bytes from bigBuf bytes: [GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0 ] do_writes shutting down send socket do_writes exiting with (failure = 0) connection 1 read 9000 bytes (9000 total). these bytes read: connection 1 read 9000 bytes (18000 total). these bytes read: connection 1 read 9000 bytes (27000 total). these bytes read: connection 1 read 3364 bytes (30364 total). these bytes read: connection 1 read 30364 bytes total. ----------------------------- Thus, sslget doesn't seem to use nsswitch for resolving hostnames. That seems to be the bug here.
Re-assigning package to dogtag, it provides sslget.
The same issue is reproduced again in bug 953464 in Fedora 19. We need to get this fixed.
Upstream ticket: https://fedorahosted.org/pki/ticket/587
The following links may be beneficial: * https://developer.mozilla.org/en-US/docs/NSPR_API_Reference (NSPR docs) * https://bugzilla.mozilla.org/query.cgi (NSPR bugs) * http://mxr.mozilla.org/nspr/ (online NSPR src viewer) * http://0pointer.de/lennart/projects/nss-myhostname/ (nsswitch.conf myhostname) In looking at the Description of Bugzilla Bug #859043, the error code returned by 'sslget' is 6 which corresponds to this call: prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); In looking at the feedback of Bugzilla Bug #859043 in Comment #3, we noticed the following: The '/etc/hosts' was re-configured to look like this: 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.100.30: fi fi.lan In the documented failure case, it was noticed that family=10 (which appears to be PR_AF_INET6 which is associated with IPv6 addresses), even though the IP address (192.168.100.30) as placed into the /etc/hosts file is an IPv4 address. The error returned appears to be this one documented in '/usr/include/nspr4/prerr.h': /* Invalid function argument */ #define PR_INVALID_ARGUMENT_ERROR (-5987L) The only parameter in PR_Connect() that appears to be questionable is the 'addr' passed-in as the second argument, especially as it appears to have a mis-match between the IPv4 address and the IPv6 family. It would be helpful to know the output of 'ifconfig' and the contents of the following files: * /etc/nsswitch.conf (if different from 'hosts: files dns myhostname') * /etc/hosts (if different from above) * /etc/resolv.conf * /etc/networks * /etc/sysconfig/network * /etc/sysconfig/network-scripts/ifcfg-<interfaces output by 'ifconfig'> In the meantime, we will try to replicate this condition on one of our local machines.
(In reply to comment #7) > The following links may be beneficial: > > * https://developer.mozilla.org/en-US/docs/NSPR_API_Reference (NSPR docs) > * https://bugzilla.mozilla.org/query.cgi (NSPR bugs) > * http://mxr.mozilla.org/nspr/ (online NSPR src viewer) > * http://0pointer.de/lennart/projects/nss-myhostname/ (nsswitch.conf > myhostname) > > In looking at the Description of Bugzilla Bug #859043, the error code > returned by 'sslget' is 6 which corresponds to this call: > > prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); > > In looking at the feedback of Bugzilla Bug #859043 in Comment #3, we noticed > the following: > > The '/etc/hosts' was re-configured to look like this: > > 127.0.0.1 localhost localhost.localdomain localhost4 > localhost4.localdomain4 > ::1 localhost localhost.localdomain localhost6 > localhost6.localdomain6 > 192.168.100.30: fi fi.lan > In the documented failure case, it was noticed that family=10 (which > appears > to be PR_AF_INET6 which is associated with IPv6 addresses), even though > the IP address (192.168.100.30) as placed into the /etc/hosts file is an > IPv4 > address. > > The error returned appears to be this one documented in > '/usr/include/nspr4/prerr.h': > > /* Invalid function argument */ > #define PR_INVALID_ARGUMENT_ERROR (-5987L) > > The only parameter in PR_Connect() that appears to be questionable is the > 'addr' > passed-in as the second argument, especially as it appears to have a > mis-match > between the IPv4 address and the IPv6 family. > > It would be helpful to know the output of 'ifconfig' and the contents of > the > following files: > > * /etc/nsswitch.conf (if different from 'hosts: files dns myhostname') > * /etc/hosts (if different from above) * /etc/hostname > * /etc/resolv.conf > * /etc/networks > * /etc/sysconfig/network > * /etc/sysconfig/network-scripts/ifcfg-<interfaces output by > 'ifconfig'> > > In the meantime, we will try to replicate this condition on one of our > local machines.
> It would be helpful to know the output of 'ifconfig' and the contents of > the > following files: I think this should be investigated on the Fedora 19 box where Alexander has seen the issue. The virtual machine where I have first seen this doesn't exist anymore. If I see this issue again, I'll provide the requested information.
Created attachment 740185 [details] Fix sslget to skip link local addresses
(In reply to comment #10) > Created attachment 740185 [details] > Fix sslget to skip link local addresses ACKed patch was committed to pki master: * commit 7ca438db07efb122bc93efd0471be7a2be34b663
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.