#1407 ipa-replica-install fails to create a valid cert db password
Closed: Fixed None Opened 12 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=717494

When running ipa-replica-install, it will fail at the following step:

    Configuring the web interface: Estimated time 1 minute
      [1/11]: disabling mod_ssl in httpd
      [2/11]: setting mod_nss port to 443
      [3/11]: setting mod_nss password file
      [4/11]: adding URL rewriting rules
      [5/11]: configuring httpd
      [6/11]: setting up ssl
      [7/11]: publish CA cert
      [8/11]: creating a keytab for httpd
      [9/11]: configuring SELinux for httpd
      [10/11]: restarting httpd
    creation of replica failed: Command '/sbin/service httpd restart ' returned non-zero exit status 1

Looking in /var/log/httpd/error_log shows:

    [Tue Jun 28 14:50:35 2011] [error] Certificate not found: 'Server-Cert'

This seems to be because the password file (/etc/httpd/conf/password.conf) for
the certificate db is empty.

Every time (for my install at least)

Steps to Reproduce:
- ipa-replica-prepare ipareplica.example.com
- scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
- ipa-replica-install /var/lib/ipa/replica-info-ipareplica.example.com.gpg

Additional info:

It can be fixed by changing line 300 of ipaserver/install/certs.py from:

    if passwd is not None:

to:

    if passwd is not None and passwd != "":

This will force create_passwd_file to generate a password if it's blank. The
source of the problem could also be create_from_cacert(), since its definition
makes the passwd default to * instead of None like all others.

The attached patch file should apply the fix.
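
The empty-string case described in this ticket, as an added example that is not FreeIPA's own code. The function names, the `_write` helper and the use of `secrets.token_hex` are assumptions made for illustration, and the caller passing `""` is constructed input.

```python
import os
import secrets
import tempfile


def _write(path, value):
    # Hypothetical helper: create the file owner-only before writing the secret.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(value)


def create_passwd_file_before(path, passwd=None):
    """Check as described in the ticket: only None triggers generation."""
    if passwd is not None:
        _write(path, passwd)  # "" lands here and is written as-is
    else:
        _write(path, secrets.token_hex(20))


def create_passwd_file_after(path, passwd=None):
    """Hardened check: None and "" both trigger generation."""
    if passwd:  # false for None and for ""
        _write(path, passwd)
    else:
        _write(path, secrets.token_hex(20))


def demo():
    """Return resulting file sizes when the caller's default is ""."""
    sizes = {}
    with tempfile.TemporaryDirectory() as d:
        for name, fn in (("before", create_passwd_file_before),
                         ("after", create_passwd_file_after)):
            path = os.path.join(d, name + ".txt")
            fn(path, "")  # constructed input: caller passes an empty string
            sizes[name] = os.path.getsize(path)
    return sizes


if __name__ == "__main__":
    print(demo())
```

A zero-byte password file after an install step is the symptom to check for; the hardened variant never writes one.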


Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1 - 2011/07

7 years ago
