Bug 874806 - authconfig cannot download CA certificate during install
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Samantha N. Bueno
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2012-11-08 21:00 UTC by Orion Poplawski
Modified: 2015-08-27 15:07 UTC

Fixed In Version: 22.20.8-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-08-27 15:07:55 UTC

Attachments
anaconda.program.log (31.17 KB, text/plain)
2012-11-09 16:04 UTC, Orion Poplawski
Another anaconda.program.log (25.43 KB, text/x-log)
2012-11-27 21:42 UTC, Joonas Sarajärvi

Description Orion Poplawski 2012-11-08 21:00:08 UTC
Description of problem:

00:13:53,481 INFO program: Running... /usr/sbin/authconfig --update --nostart --enablemd5 --enableshadow --enableldap --ldapserver=ldap.cora.nwra.com,ldap2.cora.nwra.com --ldapbasedn=dc=nwra,dc=com --enableldaptls --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl --enablekrb5 --krb5kdc=kerberos.cora.nwra.com,kerberos2.cora.nwra.com --krb5adminserver=kerberos.cora.nwra.com --krb5realm=CORA.NWRA.COM
00:13:57,251 ERR program: authconfig: Error downloading CA certificate

But this works just fine when run on the installed system.

Version-Release number of selected component (if applicable):

How reproducible:
Two different systems so far

Comment 1 Chris Lumens 2012-11-08 23:55:51 UTC
Is there anything more in /tmp/program.log?

Comment 2 Orion Poplawski 2012-11-09 00:05:07 UTC
Just what I posted above (which was from /var/log/anaconda/anaconda.program.log, which I believe is the same?).

Comment 3 Chris Lumens 2012-11-09 15:07:58 UTC
Yeah, /tmp during installation and /var/log/anaconda after installation.

What else is going on with your kickstart install?  What's your installation method, and what's your network config?  Can you run the same command from the command line at the end of installation?

Comment 4 Orion Poplawski 2012-11-09 16:04:35 UTC
Created attachment 641634

Here's the full program log.  Some more kickstart stuff:

url --url=http://fedstage.cora.nwra.com/18-Beta-TC7/Fedora/x86_64/os
repo --name=rpmfusion-nonfree-development-18-x86_64 --baseurl=http://rpmfusion.cora.nwra.com/nonfree/fedora/development/18/x86_64/os 
repo --name=rpmfusion-free-development-18-x86_64 --baseurl=http://rpmfusion.cora.nwra.com/free/fedora/development/18/x86_64/os 
repo --name=fedora-18-updates-x86_64 --baseurl=http://fedora.cora.nwra.com/updates/18/x86_64 
repo --name=fedora-18-updates-testing-x86_64 --baseurl=http://fedora.cora.nwra.com/updates/testing/18/x86_64 
repo --name=fedora-18-devel-x86_64 --baseurl=http://fedora.cora.nwra.com/development/18/x86_64/os 
repo --name=cora-f18-x86_64 --baseurl=http://corpms.cora.nwra.com/fedora/18/x86_64 
repo --name=adobe-linux-x86_64 --baseurl=http://adobe.cora.nwra.com/linux/x86_64/ 
repo --name=adobe-linux-i386 --baseurl=http://adobe.cora.nwra.com/linux/i386/ 
firewall --disabled
firstboot --disable
selinux --enforcing
authconfig --enablemd5 --enableshadow --enableldap --ldapserver=ldap.cora.nwra.com,ldap2.cora.nwra.com --ldapbasedn=dc=nwra,dc=com --enableldaptls --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl --enablekrb5 --krb5kdc=kerberos.cora.nwra.com,kerberos2.cora.nwra.com --krb5adminserver=kerberos.cora.nwra.com --krb5realm=CORA.NWRA.COM
timezone --utc America/Denver

Network is configured via cobbler for dhcp.

I can run the command fine from the command line after install.  Haven't tried in %post.

Comment 5 Orion Poplawski 2012-11-09 17:52:10 UTC
authconfig appears to run fine in %post, so there must be something different about how anaconda runs it.

Comment 6 Chris Lumens 2012-11-12 04:57:34 UTC
Was your post script --chroot or not?  Sorry I'm not more helpful on this.  I don't really know anything about the authconfig options in question.

Comment 7 Orion Poplawski 2012-11-12 16:13:28 UTC
The post script is run in the chroot.  The authconfig code seems to just download using urllib2 to /etc/openldap/cacerts, not sure what could be going wrong.

Comment 8 Joonas Sarajärvi 2012-11-27 21:38:44 UTC
I can reproduce this with a slightly smaller authconfig line:

authconfig --enableldap --enableldapauth --ldapserver=ldaps://infosto.koti/ --ldapbasedn=dc=koti --ldaploadcacert=http://www.koti/ca.koti.cert.pem --enablemkhomedir

I have not tried if it would work in a %post script, but at least the same line appended with a --updateall works just fine when I run it in the installed system after installation.

Comment 9 Joonas Sarajärvi 2012-11-27 21:42:32 UTC
Created attachment 653140
Another anaconda.program.log

Comment 10 Peter Glassenbury 2012-12-11 21:46:51 UTC
This has been quiet for a while. I have just caught up with this in the 18-Beta release. Is this older than Rawhide releases? I can add a slight comment. All the other settings in the authconfig line seem to get set. (they show up pre-set when system-config-authentication is run)

Comment 11 Orion Poplawski 2013-01-14 19:30:39 UTC
Still present in Fedora 18 RC4 (aka final) alas.  Workaround is to run:

/usr/sbin/authconfig --update --nostart --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl

in %post.

Comment 12 Orion Poplawski 2013-05-21 16:21:59 UTC
Still present in Fedora 19 Beta RC2 (19.28-1).

Comment 13 Orion Poplawski 2013-05-21 21:41:41 UTC
I created an updates.img that ran authconfig via strace and I see:

21:29:40,318 INFO program: open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

So, why is there no /etc/resolv.conf at this point in the install?

Comment 14 Orion Poplawski 2013-05-21 22:02:29 UTC
"auth" command getting run before "network" command?

Comment 15 Radek Vykydal 2013-05-22 09:43:04 UTC
Yes, /etc/resolv.conf is copied to installation root (ksdata.network.execute()) after authconfig is run (ksdata.authconfig.execute()).

Comment 16 Fedora End Of Life 2013-12-21 09:19:45 UTC
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 17 Orion Poplawski 2013-12-24 03:53:17 UTC
Still a problem in Fedora 20, so moving to rawhide/tracking.  It would be nice to have this fixed some day.

Comment 18 Samuel Sieb 2015-02-24 02:34:33 UTC
I've run into this using kickstarts that register with freeipa in the post-install.  I worked around it by manually setting up resolv.conf in the script, but having it set up properly would be really nice.

Comment 19 Joonas Sarajärvi 2015-08-23 10:46:31 UTC
I can't seem to reproduce this issue anymore in F22.

Comment 20 Orion Poplawski 2015-08-27 15:07:55 UTC
Indeed.  Thanks for checking.
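
Added example (not part of the original bug thread, and not anaconda's or authconfig's own code): a guard for the %post workaround from comment 11. It checks for the resolv.conf that comment 13 found missing and confirms a certificate actually landed in /etc/openldap/cacerts, so the install does not finish with the other authconfig settings applied but no CA certificate. CA_URL is a placeholder, and the AUTHCONFIG and ROOT overrides are assumptions made so the functions can be exercised outside an installer.

```shell
#!/bin/sh
# Added example for a chrooted kickstart %post; not from anaconda or authconfig.
CA_URL="${CA_URL:-http://ca.example.invalid/ca.pem}"  # placeholder, set your own
AUTHCONFIG="${AUTHCONFIG:-/usr/sbin/authconfig}"      # overridable (assumption)
CACERT_DIR="/etc/openldap/cacerts"                    # target named in comment 7

# resolver_ready ROOT: true only if ROOT/etc/resolv.conf is readable and
# lists at least one nameserver (the file strace reported as ENOENT).
resolver_ready() {
    conf="$1/etc/resolv.conf"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[^[:space:]]+' "$conf"
}

# cert_count ROOT: print how many non-empty regular files are in the CA dir.
cert_count() {
    dir="$1$CACERT_DIR"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -maxdepth 1 -type f -size +0 | wc -l | tr -d ' '
}

# load_ca_cert ROOT: run the workaround command from comment 11 and fail
# loudly rather than leave LDAP configured without its CA certificate.
# ROOT only locates files for the checks; pass "" inside a chrooted %post.
# Returns 0 ok, 2 no resolver config, 3 authconfig failed, 4 nothing stored.
load_ca_cert() {
    root="${1:-}"
    if ! resolver_ready "$root"; then
        echo "no usable resolv.conf under '${root:-/}', skipping download" >&2
        return 2
    fi
    "$AUTHCONFIG" --update --nostart --ldaploadcacert="$CA_URL" || return 3
    [ "$(cert_count "$root")" -ge 1 ] || return 4
}

# Usage in %post:  load_ca_cert "" || echo "CA certificate not installed" >&2
```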
