https://bugzilla.redhat.com/show_bug.cgi?id=821112 (Red Hat Enterprise Linux 6)
Description of problem:
ipa-ca-install seems to be consistently failing when running on a freshly setup RHEL 6.3 replica. The last time I saw this work was 05/02/2012 and I can provide a test job for that one.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-13.el6.x86_64

How reproducible:
Always?

Steps to Reproduce:
1. <setup rhel6.3 ipa master>
   ipa-server-install --idstart=3000 --idmax=50000 --setup-dns --forwarder=192.168.122.1 --hostname=spoore-dvm1.testrelm.com -r TESTRELM.COM -n testrelm.com -p $ADMINPW -P $ADMINPW -a $ADMINPW -U
2. <setup rhel6.3 ipa replica>
   ipa-replica-install -U --setup-dns --forwarder=192.168.122.1 -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-spoore-dvm2.testrelm.com.gpg
3. <run ipa-ca-install to setup IPA replica as CA replica also>
   ipa-ca-install -p $ADMINPW -w $ADMINPW --skip-conncheck --unattended /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg

Actual results:
[root@spoore-dvm2 shm]# ipa-ca-install -p $ADMINPW -w $ADMINPW --skip-conncheck --unattended /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/12]: creating certificate server user
  [2/12]: creating pki-ca instance
  [3/12]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname spoore-dvm2.testrelm.com -cs_port 9445 -client_certdb_dir /tmp/tmp-gOeir6 -client_certdb_pwd XXXXXXXX -preop_pin D6aDjnsmfEV33aYclHf7 -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.COM -ldap_host spoore-dvm2.testrelm.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.COM -ca_server_cert_subject_name CN=spoore-dvm2.testrelm.com,O=TESTRELM.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname spoore-dvm1.testrelm.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://spoore-dvm1.testrelm.com:443' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.

Expected results:
These are the good results from 05/02/2012 when a similar test was run:
:: [21:44:46] :: Executing: ipa-ca-install -p $ADMINPW -w $ADMINPW --skip-conncheck --unattended /dev/shm/replica-info-tyan-gt24-01.testrelm.com.gpg
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin@TESTRELM.COM
Password for admin@TESTRELM.COM:
Authenticated to Kerberos v5
Default principal: admin@TESTRELM.COM
:: [21:44:48] :: kinit as admin with password $ADMINPW was successful.
:: [ PASS ] :: Testing kinit as admin
MARK-LWD-LOOP -- 2012-05-02 21:46:25 --
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/12]: creating certificate server user
  [2/12]: creating pki-ca instance
  [3/12]: configuring certificate server instance
  [4/12]: disabling nonces
  [5/12]: importing CA chain to RA certificate database
  [6/12]: fixing RA database permissions
  [7/12]: setting up signing cert profile
  [8/12]: set up CRL publishing
  [9/12]: set certificate subject base
  [10/12]: enabling Subject Key Identifier
  [11/12]: configuring certificate server to start on boot
  [12/12]: Configure HTTP to proxy connections
done configuring pki-cad.
Restarting the directory and certificate servers
:: [ PASS ] :: CA Replica installation

Additional info:
Will add logs.
From the BZ:
Just as clarification, this bug was caused by the fix in https://bugzilla.redhat.com/show_bug.cgi?id=819111 , which was needed for dogtag 9, but not for rhel 6.3.
The reason is that code that the fix in 819111 was supposed to address was never ported from dogtag 9 to the ipa-rhel 6.3 branch. This code includes functionality that will not be picked up and used by IPA until - most likely - RHEL 7.
The fix has been reverted. That is - we are using the build prior to this fix. So, based on above verification, I am closing this bug as NOTABUG.
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04