#2762 ipa-ca-install failing on new 6.3 replica
Closed: Invalid None Opened 11 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=821112 (Red Hat Enterprise Linux 6)

Description of problem:

ipa-ca-install seems to be consistently failing when running on a freshly setup
RHEL 6.3 replica.  The last time I saw this work was 05/02/2012 and I can
provide a test job for that one.

Version-Release number of selected component (if applicable):

ipa-server-2.2.0-13.el6.x86_64

How reproducible:

Always?

Steps to Reproduce:
1. <setup rhel6.3 ipa master>

ipa-server-install --idstart=3000 --idmax=50000 --setup-dns
--forwarder=192.168.122.1 --hostname=spoore-dvm1.testrelm.com -r TESTRELM.COM
-n testrelm.com -p $ADMINPW -P $ADMINPW -a $ADMINPW -U

2. <setup rhel6.3 ipa replica>

ipa-replica-install -U --setup-dns --forwarder=192.168.122.1 -w $ADMINPW -p
$ADMINPW /dev/shm/replica-info-spoore-dvm2.testrelm.com.gpg

3.  <run ipa-ca-install to setup IPA replica as CA replica also>

ipa-ca-install -p $ADMINPW -w $ADMINPW --skip-conncheck --unattended
/dev/shm/replica-info-$hostname_s.$DOMAIN.gpg

Actual results:

[root@spoore-dvm2 shm]# ipa-ca-install -p $ADMINPW -w $ADMINPW --skip-conncheck
--unattended /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/12]: creating certificate server user
  [2/12]: creating pki-ca instance
  [3/12]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA -cs_hostname spoore-dvm2.testrelm.com -cs_port
9445 -client_certdb_dir /tmp/tmp-gOeir6 -client_certdb_pwd XXXXXXXX -preop_pin
D6aDjnsmfEV33aYclHf7 -domain_name IPA -admin_user admin -admin_email
root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=TESTRELM.COM -ldap_host spoore-dvm2.testrelm.com -ldap_port
7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.COM
-ca_server_cert_subject_name CN=spoore-dvm2.testrelm.com,O=TESTRELM.COM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.COM
-ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.COM -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX
-sd_hostname spoore-dvm1.testrelm.com -sd_admin_port 443 -sd_admin_name admin
-sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri
https://spoore-dvm1.testrelm.com:443' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.



Expected results:

These are the good results from 05/02/2012 when a similar test was run:

:: [21:44:46] ::  Executing: ipa-ca-install -p $ADMINPW -w $ADMINPW
--skip-conncheck --unattended
/dev/shm/replica-info-tyan-gt24-01.testrelm.com.gpg
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin@TESTRELM.COM
Password for admin@TESTRELM.COM:
Authenticated to Kerberos v5
Default principal: admin@TESTRELM.COM
:: [21:44:48] ::  kinit as admin with password $ADMINPW was successful.
:: [   PASS   ] :: Testing kinit as admin

MARK-LWD-LOOP -- 2012-05-02 21:46:25 --
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/12]: creating certificate server user
  [2/12]: creating pki-ca instance
  [3/12]: configuring certificate server instance
  [4/12]: disabling nonces
  [5/12]: importing CA chain to RA certificate database
  [6/12]: fixing RA database permissions
  [7/12]: setting up signing cert profile
  [8/12]: set up CRL publishing
  [9/12]: set certificate subject base
  [10/12]: enabling Subject Key Identifier
  [11/12]: configuring certificate server to start on boot
  [12/12]: Configure HTTP to proxy connections
done configuring pki-cad.
Restarting the directory and certificate servers
:: [   PASS   ] :: CA Replica installation

Additional info:

Will add logs.

From the BZ:

Just as clarification, this bug was caused by the fix in https://bugzilla.redhat.com/show_bug.cgi?id=819111 , which was needed for dogtag 9, but not for rhel 6.3.

The reason is that code that the fix in 819111 was supposed to address was never ported from dogtag 9 to the ipa-rhel 6.3 branch. This code includes functionality that will not be picked up and used by IPA until - most likely - RHEL 7.

The fix has been reverted. That is - we are using the build prior to this fix. So, based on above verification, I am closing this bug as NOTABUG.

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04

7 years ago
