This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 859043 - ipa-server-install results in error -5987
ipa-server-install results in error -5987
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: dogtag-pki (Show other bugs)
19
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Matthew Harmsen
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 953464
  Show dependency treegraph
 
Reported: 2012-09-20 08:53 EDT by Marius Vollmer
Modified: 2015-02-18 06:08 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-18 06:08:46 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Full log (155.25 KB, text/x-log)
2012-09-20 08:53 EDT, Marius Vollmer
no flags Details
Content of /var/log/pki-ca (42.84 KB, application/x-gzip)
2012-09-20 08:57 EDT, Marius Vollmer
no flags Details
Fix sslget to skip link local addresses (5.61 KB, patch)
2013-04-25 23:13 EDT, Matthew Harmsen
no flags Details | Diff

  None (edit)
Description Marius Vollmer 2012-09-20 08:53:06 EDT
Created attachment 614879 [details]
Full log

On a Fedora 17 with update-testing enabled, running ipa-server-install like so

 ipa-server-install --setup-dns -r FI.LAN -n fi.lan -a test1234 -p test1234

results in the output shown further down.  Full log is attached.

Packages:

freeipa-server-2.2.0-1.fc17.x86_64
pki-native-tools-9.0.23-1.fc17.x86_64

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [fi.lan]: 

Warning: skipping DNS resolution of host fi.lan
The server hostname resolves to more than one address:
  fe80::5054:ff:fe63:6fc2%eth0
  192.168.100.30
Please provide the IP address to be used for this host name: 192.168.100.30
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to configure the reverse zone? [yes]: yes
Please specify the reverse zone name [100.168.192.in-addr.arpa.]: 
Using reverse zone 100.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      fi.lan
IP address:    192.168.100.30
Domain name:   fi.lan
Realm name:    FI.LAN

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  100.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/18]: creating certificate server user
  [2/18]: creating pki-ca instance
  [3/18]: configuring certificate server instance
  [4/18]: disabling nonces
  [5/18]: creating CA agent PKCS#12 file in /root
  [6/18]: creating RA agent certificate database
  [7/18]: importing CA chain to RA certificate database
  [8/18]: fixing RA database permissions
  [9/18]: setting up signing cert profile
  [10/18]: set up CRL publishing
  [11/18]: set certificate subject base
  [12/18]: enabling Subject Key Identifier
  [13/18]: configuring certificate server to start on boot
  [14/18]: restarting certificate server
  [15/18]: requesting RA certificate from CA
  [16/18]: issuing RA agent certificate
Unexpected error - see ipaserver-install.log for details:
 Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-56Kk3t -r /ca/agent/ca/profileReview?requestId=7 fi.lan:9443' returned non-zero exit status 6
Comment 1 Marius Vollmer 2012-09-20 08:57:13 EDT
Created attachment 614881 [details]
Content of /var/log/pki-ca
Comment 2 Rob Crittenden 2012-09-20 10:21:24 EDT
In the past this error has suggested a DNS issue. Since you're configuring DNS with IPA we have a bit of a chicken and egg problem.

What does /etc/hosts look like? Does it have both the IPv4 and IPv6 address in it?
Comment 3 Marius Vollmer 2012-09-21 05:16:31 EDT
I have rerun ipa-server-install without --setup-dns, and the result is the same.

# cat /etc/hosts:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Thus, fi.lan is not in there.  Still, it can be resolved by ping and wget, but not by sslget.

# ping -c 1 fi.lan
PING fi.lan (192.168.100.30) 56(84) bytes of data.
64 bytes from fi.lan (192.168.100.30): icmp_req=1 ttl=64 time=0.066 ms

There is this line in /etc/nsswitch.conf:

# grep ^hosts /etc/nsswitch.conf
hosts:      files dns myhostname

The "myhostname" entry is responsible for resolving fi.lan to 192.168.100.30, as I have learned just now.

Adding fi.lan to /etc/hosts doesn't help, sslget still fails:

# grep fi /etc/hosts
192.168.100.30: fi fi.lan
# /usr/bin/sslget -v -n ipa-ca-agent -p $password -d /tmp/tmp-xZ2bD4 -r /ca/agent/ca/profileReview?requestId=7 fi.lan:9443 >/dev/null
GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0

port: 9443
addr='fi.lan'
family='10'
exit after PR_Connect with error -5987:

Using the IP address directly makes sslget work:

# /usr/bin/sslget -v -n ipa-ca-agent -p $password -d /tmp/tmp-xZ2bD4 -r /ca/agent/ca/profileReview?requestId=7 192.168.100.30:9443 >/dev/null
GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0

port: 9443
addr='192.168.100.30'
family='2'
Called mygetclientauthdata - nickname = ipa-ca-agent
   mygetclientauthdata - cert = 1ded5b0
   mygetclientauthdata - privkey = 1e30770
PR_Write wrote 55 bytes from bigBuf
bytes: [GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0

]
do_writes shutting down send socket
do_writes exiting with (failure = 0)
connection 1 read 9000 bytes (9000 total).
these bytes read:
connection 1 read 9000 bytes (18000 total).
these bytes read:
connection 1 read 9000 bytes (27000 total).
these bytes read:
connection 1 read 3364 bytes (30364 total).
these bytes read:
connection 1 read 30364 bytes total. -----------------------------



Thus, sslget doesn't seem to use nsswitch for resolving hostnames.  That seems to be the bug here.
Comment 4 Rob Crittenden 2012-09-21 08:41:16 EDT
Re-assigning package to dogtag, it provides sslget.
Comment 5 Alexander Bokovoy 2013-04-18 05:26:21 EDT
The same issue is reproduced again in bug 953464 in Fedora 19. We need to get this fixed.
Comment 6 Nathan Kinder 2013-04-18 11:11:01 EDT
Upstream ticket:
https://fedorahosted.org/pki/ticket/587
Comment 7 Matthew Harmsen 2013-04-18 18:37:40 EDT
The following links may be beneficial:

    * https://developer.mozilla.org/en-US/docs/NSPR_API_Reference (NSPR docs)
    * https://bugzilla.mozilla.org/query.cgi (NSPR bugs)
    * http://mxr.mozilla.org/nspr/ (online NSPR src viewer)
    * http://0pointer.de/lennart/projects/nss-myhostname/ (nsswitch.conf myhostname)

In looking at the Description of Bugzilla Bug #859043, the error code
returned by 'sslget' is 6 which corresponds to this call:

   prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3));

In looking at the feedback of Bugzilla Bug #859043 in Comment #3, we noticed the following:

   The '/etc/hosts' was re-configured to look like this:  

        127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
        ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
        192.168.100.30: fi fi.lan
   In the documented failure case, it was noticed that family=10 (which appears
   to be PR_AF_INET6 which is associated with IPv6 addresses), even though
   the IP address (192.168.100.30) as placed into the /etc/hosts file is an IPv4
   address.

   The error returned appears to be this one documented in
   '/usr/include/nspr4/prerr.h':

       /* Invalid function argument */
       #define PR_INVALID_ARGUMENT_ERROR                (-5987L)

   The only parameter in PR_Connect() that appears to be questionable is the 'addr'
   passed-in as the second argument, especially as it appears to have a mis-match
   between the IPv4 address and the IPv6 family.

   It would be helpful to know the output of 'ifconfig' and the contents of the
   following files:

       * /etc/nsswitch.conf (if different from 'hosts: files dns myhostname')
       * /etc/hosts (if different from above)
       * /etc/resolv.conf
       * /etc/networks
       * /etc/sysconfig/network
       * /etc/sysconfig/network-scripts/ifcfg-<interfaces output by 'ifconfig'>

    In the meantime, we will try to replicate this condition on one of our local machines.
Comment 8 Matthew Harmsen 2013-04-18 21:27:20 EDT
(In reply to comment #7)
> The following links may be beneficial:
> 
>     * https://developer.mozilla.org/en-US/docs/NSPR_API_Reference (NSPR docs)
>     * https://bugzilla.mozilla.org/query.cgi (NSPR bugs)
>     * http://mxr.mozilla.org/nspr/ (online NSPR src viewer)
>     * http://0pointer.de/lennart/projects/nss-myhostname/ (nsswitch.conf
> myhostname)
> 
> In looking at the Description of Bugzilla Bug #859043, the error code
> returned by 'sslget' is 6 which corresponds to this call:
> 
>    prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3));
> 
> In looking at the feedback of Bugzilla Bug #859043 in Comment #3, we noticed
> the following:
> 
>    The '/etc/hosts' was re-configured to look like this:  
> 
>         127.0.0.1 localhost localhost.localdomain localhost4
> localhost4.localdomain4
>         ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
>         192.168.100.30: fi fi.lan
>    In the documented failure case, it was noticed that family=10 (which
> appears
>    to be PR_AF_INET6 which is associated with IPv6 addresses), even though
>    the IP address (192.168.100.30) as placed into the /etc/hosts file is an
> IPv4
>    address.
> 
>    The error returned appears to be this one documented in
>    '/usr/include/nspr4/prerr.h':
> 
>        /* Invalid function argument */
>        #define PR_INVALID_ARGUMENT_ERROR                (-5987L)
> 
>    The only parameter in PR_Connect() that appears to be questionable is the
> 'addr'
>    passed-in as the second argument, especially as it appears to have a
> mis-match
>    between the IPv4 address and the IPv6 family.
> 
>    It would be helpful to know the output of 'ifconfig' and the contents of
> the
>    following files:
> 
>        * /etc/nsswitch.conf (if different from 'hosts: files dns myhostname')
>        * /etc/hosts (if different from above)
         * /etc/hostname
>        * /etc/resolv.conf
>        * /etc/networks
>        * /etc/sysconfig/network
>        * /etc/sysconfig/network-scripts/ifcfg-<interfaces output by
> 'ifconfig'>
> 
>     In the meantime, we will try to replicate this condition on one of our
> local machines.
Comment 9 Marius Vollmer 2013-04-19 02:24:15 EDT
>    It would be helpful to know the output of 'ifconfig' and the contents of
> the
>    following files:

I think this should be investigated on the Fedora 19 box where Alexander has seen the issue.  The virtual machine where I have first seen this doesn't exist anymore.

If I see this issue again, I'll provide the requested information.
Comment 10 Matthew Harmsen 2013-04-25 23:13:54 EDT
Created attachment 740185 [details]
Fix sslget to skip link local addresses
Comment 11 Matthew Harmsen 2013-04-25 23:17:14 EDT
(In reply to comment #10)
> Created attachment 740185 [details]
> Fix sslget to skip link local addresses

ACKed patch was committed to pki master:
* commit 7ca438db07efb122bc93efd0471be7a2be34b663
Comment 12 Fedora End Of Life 2015-01-09 17:31:11 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 13 Fedora End Of Life 2015-02-18 06:08:46 EST
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.