On test RHEL6.4 builds, I'm seeing getcert fail. The version of IPA I'm trying to test is:
ipa-server-3.0.0-103.20120928T0132zgitf50034a.el6.x86_64
I'm not sure what other versions may be affected. Below is some info on what I am seeing:
...
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  ...
  [18/20]: configure certificate renewals
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
2012-09-28T15:47:29Z DEBUG [18/20]: configure certificate renewals
2012-09-28T15:47:29Z DEBUG args=/sbin/chkconfig certmonger on
2012-09-28T15:47:29Z DEBUG stdout=
2012-09-28T15:47:29Z DEBUG stderr=
2012-09-28T15:47:29Z DEBUG args=/sbin/service messagebus start
2012-09-28T15:47:29Z DEBUG stdout=Starting system message bus:
2012-09-28T15:47:29Z DEBUG stderr=
2012-09-28T15:47:29Z DEBUG args=/sbin/service messagebus status
2012-09-28T15:47:29Z DEBUG stdout=messagebus (pid 1094) is running...
2012-09-28T15:47:29Z DEBUG stderr=
2012-09-28T15:47:29Z DEBUG args=/sbin/service certmonger start
2012-09-28T15:47:29Z DEBUG stdout=Starting certmonger: [  OK  ]
2012-09-28T15:47:29Z DEBUG stderr=
2012-09-28T15:47:29Z DEBUG args=/sbin/service certmonger status
2012-09-28T15:47:29Z DEBUG stdout=certmonger (pid 24001) is running...
2012-09-28T15:47:29Z DEBUG stderr=
2012-09-28T15:47:29Z DEBUG args=/usr/bin/certutil -L -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca
2012-09-28T15:47:29Z DEBUG stdout=Certificate:
...certificate removed...
2012-09-28T15:47:29Z DEBUG stderr=
2012-09-28T15:47:29Z DEBUG args=/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX
2012-09-28T15:47:29Z DEBUG stdout=The location "/var/lib/pki-ca/alias" must be a directory.
2012-09-28T15:47:29Z DEBUG stderr=
2012-09-28T15:47:29Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 926, in main
    subject_base=options.subject)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 562, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 321, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1294, in configure_renewal
    self.dogtag_constants.ALIAS_DIR, 'renew_ca_cert "%s"' % nickname)
  File "/usr/lib/python2.6/site-packages/ipapython/certmonger.py", line 394, in dogtag_start_tracking
    (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 307, in run
    raise CalledProcessError(p.returncode, args)
2012-09-28T15:47:29Z INFO The ipa-server-install command failed, exception: CalledProcessError: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
[root@vm4 yum.repos.d]# /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXXX
Error: unused extra arguments were supplied.
getcert - client certificate enrollment tool
Usage: getcert start-tracking [options] ...
[root@vm4 yum.repos.d]# echo $?
1
Your manual execution failed because some of the options are not correctly quoted.
Does /var/lib/pki-ca/alias exist on your server? If so, can you see if there are any AVCs?
Yes, after failure, that does exist:
[root@vm4 yum.repos.d]# ls -ldZ /var/lib/pki-ca/alias/
drwxrwx---. pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t:s0 /var/lib/pki-ca/alias/
[root@vm4 yum.repos.d]#
I thought I'd checked for AVCs but, apparently, I did not. Yes, there is an AVC denial:
time->Fri Sep 28 11:47:29 2012
type=SYSCALL msg=audit(1348847249.835:20224): arch=c000003e syscall=4 success=no exit=-13 a0=88af30 a1=7fff24845f80 a2=7fff24845f80 a3=7fff24845d00 items=0 ppid=1 pid=24001 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=91 comm="certmonger" exe="/usr/sbin/certmonger" subj=unconfined_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1348847249.835:20224): avc: denied { search } for pid=24001 comm="certmonger" name="pki-ca" dev=dm-0 ino=263592 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=dir
And, checking today:
[root@vm4 yum.repos.d]# /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca" -c dogtag-ipa-renew-agent -C "/usr/lib64/ipa/certmonger/renew_ca_cert \"auditSigningCert cert-pki-ca\"" -P Secret123
The location "/var/lib/pki-ca/alias" must be a directory.
[root@vm4 yum.repos.d]# ausearch -m avc | tail -3
time->Mon Oct 1 10:49:12 2012
type=SYSCALL msg=audit(1349102952.967:23249): arch=c000003e syscall=4 success=no exit=-13 a0=a13720 a1=7fff89845d40 a2=7fff89845d40 a3=31fe085bb0 items=0 ppid=1 pid=2148 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=91 comm="certmonger" exe="/usr/sbin/certmonger" subj=unconfined_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1349102952.967:23249): avc: denied { search } for pid=2148 comm="certmonger" name="pki-ca" dev=dm-0 ino=263091 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=dir
[root@vm4 yum.repos.d]# ls -ldZ /var/lib/pki-ca/alias/
drwxrwx---. pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t:s0 /var/lib/pki-ca/alias/
[root@vm4 yum.repos.d]# find /var/lib -inum 263091
/var/lib/pki-ca
[root@vm4 yum.repos.d]# ls -ldZ /var/lib/pki-ca
drwxrwx---. pkiuser pkiuser system_u:object_r:pki_ca_var_lib_t:s0 /var/lib/pki-ca
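The AVC record above is the signal a detection rule should key on: certmonger_t denied `search` on a pki_ca_var_lib_t directory, paired with a SYSCALL record whose exit is -13 (EACCES), which is why getcert reports the path as not being a directory. As an added example (not code from the ticket or from FreeIPA), this Python parser groups `ausearch -m avc` output by audit serial, attaches each AVC denial to its SYSCALL record, and filters on source and target SELinux types; the sample records are constructed from the ones quoted in this ticket.

```python
import re

# Constructed sample in `ausearch -m avc` output format, modelled on the
# records quoted in this ticket (serial, pid and inode are as quoted there).
SAMPLE = """\
time->Mon Oct  1 10:49:12 2012
type=SYSCALL msg=audit(1349102952.967:23249): arch=c000003e syscall=4 success=no exit=-13 a0=a13720 items=0 ppid=1 pid=2148 auid=0 uid=0 comm="certmonger" exe="/usr/sbin/certmonger" subj=unconfined_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1349102952.967:23249): avc:  denied  { search } for  pid=2148 comm="certmonger" name="pki-ca" dev=dm-0 ino=263091 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=dir
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
ID_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')     # audit serial number

def selinux_type(context):
    """user:role:type:level -> type, e.g. certmonger_t."""
    return context.split(":")[2]

def parse_events(text):
    """Group SYSCALL and AVC records that share an audit serial number."""
    events = {}
    for line in text.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue                      # 'time->' and '----' separator lines
        ev = events.setdefault(m.group(1), {"syscall": None, "avc": []})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "AVC":
            verdict, perms = AVC_RE.search(line).groups()
            fields["verdict"], fields["perms"] = verdict, perms.split()
            ev["avc"].append(fields)
    return events

def find_denials(text, source_type, target_type):
    """Denials of source_type on target_type objects, with the syscall's errno."""
    hits = []
    for serial, ev in parse_events(text).items():
        for avc in ev["avc"]:
            if (avc["verdict"] == "denied"
                    and selinux_type(avc["scontext"]) == source_type
                    and selinux_type(avc["tcontext"]) == target_type):
                sc = ev["syscall"] or {}  # exit=-13 is EACCES: the path looks missing
                hits.append({"serial": serial, "comm": avc["comm"], "perms": avc["perms"],
                             "tclass": avc["tclass"], "name": avc.get("name"),
                             "ino": avc.get("ino"), "errno": int(sc.get("exit", "0"))})
    return hits
```

The `ino` field in a hit is what `find /var/lib -inum` resolves to a path, as done above for inode 263091.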
I haven't been able to duplicate this on a fully-updated 6.4 install.
Tried again using the 105 build and it still works for me. Scott, can you re-test?
No, I haven't seen this in a little while but I just started doing RHEL builds again after doing so many Fedora ones. I have done some RHEL builds today, though, and haven't seen it again. So, I'm guessing it's been fixed by something in the Errata builds being tested now.
FYI, version is:
[root@rhel6-1 ~]# rpm -q ipa-server
ipa-server-3.0.0-105.20121018T0250zgit1cc4f7e.el6.x86_64
Ok. I'm going to close this for now, we can re-open if necessary.
Metadata Update from @spoore:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)