https://bugzilla.redhat.com/show_bug.cgi?id=826731 (Red Hat Enterprise Linux 6)
I've cleaned certmonger files in /var/lib/certmonger/, nss.conf, password.conf in apache. sysrestore files in /var/lib/ipa/ are clean.

[root@hogofogo ~]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [hogofogo.brq.redhat.com]:

The domain name has been calculated based on the host name.

Please confirm the domain name [brq.redhat.com]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [BRQ.REDHAT.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

The IPA Master Server will be configured with:
Hostname:    hogofogo.brq.redhat.com
IP address:  10.34.24.28
Domain name: brq.redhat.com
Realm name:  BRQ.REDHAT.COM

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname hogofogo.brq.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-SQUnUX -client_certdb_pwd XXXXXXXX -preop_pin icm2r2Dc52G1g9uVRrhB -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=BRQ.REDHAT.COM -ldap_host hogofogo.brq.redhat.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=BRQ.REDHAT.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=BRQ.REDHAT.COM -ca_server_cert_subject_name CN=hogofogo.brq.redhat.com,O=BRQ.REDHAT.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=BRQ.REDHAT.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=BRQ.REDHAT.COM -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed

log file:

2012-05-30T20:31:55Z DEBUG stderr=
2012-05-30T20:31:55Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname hogofogo.brq.redhat.com -cs_port 9445 -client_certdb_dir /tmp/tmp-SQUnUX -client_certdb_pwd XXXXXXXX -preop_pin icm2r2Dc52G1g9uVRrhB -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=BRQ.REDHAT.COM -ldap_host hogofogo.brq.redhat.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=BRQ.REDHAT.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=BRQ.REDHAT.COM -ca_server_cert_subject_name CN=hogofogo.brq.redhat.com,O=BRQ.REDHAT.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=BRQ.REDHAT.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=BRQ.REDHAT.COM -external false -clone false' returned non-zero exit status 255
2012-05-30T20:31:55Z DEBUG Configuration of CA failed
  File "/usr/sbin/ipa-server-install", line 1091, in <module>
    rval = main()
  File "/usr/sbin/ipa-server-install", line 878, in main
    subject_base=options.subject)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 531, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 257, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 667, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

ipa-server-2.2.0-16.el6.x86_64
If tomcat does not start and the CA installation fails very early then the fact that the CA was created is not recorded. This will cause all subsequent uninstalls to not call pkiremove to remove the instance and basically leave the system uninstallable.
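The ordering problem described in the comment above, as an added example that is not FreeIPA's own code: StateStore, FakePKI, install_ca and uninstall_ca are hypothetical stand-ins for the sysrestore state file under /var/lib/ipa/, the pkicreate/pkisilent/pkiremove tools and the CA installer in ipaserver/install/cainstance.py (the backup_state/restore_state method names follow sysrestore's naming and are an assumption). The simulation runs the install with ConfigureCA failing, exactly as in the log, then runs uninstall; with the "installed" state written only after a successful configuration, uninstall never calls pkiremove and the instance stays on disk, while writing the state immediately after pkicreate lets uninstall clean up.

```python
# Added example (not FreeIPA's code): why the installer must record that
# pkicreate ran before it attempts the steps that can still fail.
# StateStore, FakePKI, install_ca and uninstall_ca are hypothetical
# stand-ins for FreeIPA's sysrestore state file, the pkicreate/pkiremove
# tools and ipaserver/install/cainstance.py; the method names
# backup_state/restore_state follow sysrestore's naming (assumption).


class StateStore:
    """Stand-in for the sysrestore state file under /var/lib/ipa/."""

    def __init__(self):
        self._state = {}

    def backup_state(self, module, key, value):
        self._state[(module, key)] = value

    def restore_state(self, module, key):
        # Returns the recorded value (or None) and forgets it, as a
        # one-shot uninstall record would.
        return self._state.pop((module, key), None)


class FakePKI:
    """Constructed stand-in for the pkicreate/pkisilent/pkiremove tools."""

    def __init__(self, configure_fails):
        self.instances = set()          # instances left on "disk"
        self.configure_fails = configure_fails
        self.calls = []                 # trace of tool invocations

    def pkicreate(self, name):
        self.calls.append(("pkicreate", name))
        self.instances.add(name)        # irreversible side effect

    def configure_ca(self, name):
        self.calls.append(("ConfigureCA", name))
        if self.configure_fails:
            # Mirrors 'pkisilent ConfigureCA ... returned non-zero exit status 255'
            raise RuntimeError("Configuration of CA failed")

    def pkiremove(self, name):
        self.calls.append(("pkiremove", name))
        self.instances.discard(name)


INSTANCE = "pki-cad"


def install_ca(pki, store, record_early):
    """record_early=False reproduces the bug: the 'installed' state is
    written only after ConfigureCA succeeds, so an early failure leaves
    the instance on disk with no record of it."""
    pki.pkicreate(INSTANCE)
    if record_early:
        store.backup_state(INSTANCE, "installed", True)   # fixed ordering
    pki.configure_ca(INSTANCE)                            # may raise
    if not record_early:
        store.backup_state(INSTANCE, "installed", True)   # buggy ordering


def uninstall_ca(pki, store):
    """Only calls pkiremove when the state file says the CA was created."""
    if store.restore_state(INSTANCE, "installed"):
        pki.pkiremove(INSTANCE)
        return True
    return False


def simulate(record_early, configure_fails=True):
    """Run install (tolerating the CA failure), then uninstall.
    Returns (pkiremove_was_called, instances_still_on_disk)."""
    store, pki = StateStore(), FakePKI(configure_fails)
    try:
        install_ca(pki, store, record_early)
    except RuntimeError:
        pass  # the installer aborts here, just as in the log above
    removed = uninstall_ca(pki, store)
    return removed, sorted(pki.instances)


if __name__ == "__main__":
    print("buggy ordering:", simulate(record_early=False))   # (False, ['pki-cad'])
    print("fixed ordering:", simulate(record_early=True))    # (True, [])
```

The design point is the same as write-ahead logging: the record of an irreversible side effect (the instance directory pkicreate leaves behind) has to be persisted before the fallible step, not after it, or every failure path that follows leaves the system with no way to know what needs removing.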
Changing 3.2 priority
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=953488 (Fedora)
Moving to the same bucket as the duplicate ticket #3784.
3.4 development was shifted for one month, moving tickets to reflect reality better.
Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.
Moving stabilization tickets that do not affect FreeIPA 4.0 release usability in any significant way to 4.0.1 stabilization milestone.
attachment freeipa-dkupka-0002-Improve-password-validity-check.patch
As said in bz953488, this bug was fixed by forbidding a set of characters for use in the password. Since then the majority of forbidden characters are no longer causing trouble.
I do not see this ticket as fixed, see reasoning in my initial response:
http://www.redhat.com/archives/freeipa-devel/2014-July/msg00267.html
Posting a patch for review doesn't mean the work is done :)
attachment freeipa-dkupka-0004-Always-record-that-pkicreate-has-been-executed.patch
I was unable to reproduce the bug and found in bugzilla that the failures were caused by some characters in the password. So I thought the bug was fixed already. Now I've used the advice from Martin's email and (hopefully) found and fixed the bug.
master:
ipa-4-1:
ipa-4-0:
This now fixes the root cause and warrants closing the ticket (David's admin password validator can be pushed later of course).
Metadata Update from @dpal:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.0.1