/var/lib/pki-ca/ does not have the right permissions after ipa-server-install, so published CRL cannot be downloaded:
/var/lib/pki-ca/
ipa-server-install
# ipa-server-install -p kokos123 -a kokos123 --setup-dns --forwarder 10.16.255.2 The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the FreeIPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. Existing BIND configuration detected, overwrite? [no]: y Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. Server host name [vm-120.idm.lab.bos.redhat.com]: Warning: skipping DNS resolution of host vm-120.idm.lab.bos.redhat.com The domain name has been determined based on the host name. Please confirm the domain name [idm.lab.bos.redhat.com]: The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [IDM.LAB.BOS.REDHAT.COM]: Do you want to configure the reverse zone? [yes]: Please specify the reverse zone name [78.16.10.in-addr.arpa.]: Using reverse zone 78.16.10.in-addr.arpa. The IPA Master Server will be configured with: Hostname: vm-120.idm.lab.bos.redhat.com IP address: 10.16.78.120 Domain name: idm.lab.bos.redhat.com Realm name: IDM.LAB.BOS.REDHAT.COM BIND DNS server will be configured to serve IPA domain with: Forwarders: 10.16.255.2 Reverse zone: 78.16.10.in-addr.arpa. Continue to configure the system with these values? [no]: y The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. Configuring certificate server: Estimated time 3 minutes 30 seconds [1/20]: creating certificate server user [2/20]: creating pki-ca instance [3/20]: configuring certificate server instance [4/20]: disabling nonces [5/20]: creating CA agent PKCS#12 file in /root [6/20]: creating RA agent certificate database [7/20]: importing CA chain to RA certificate database [8/20]: fixing RA database permissions [9/20]: setting up signing cert profile [10/20]: set up CRL publishing [11/20]: set certificate subject base [12/20]: enabling Subject Key Identifier [13/20]: configuring certificate server to start on boot [14/20]: restarting certificate server [15/20]: requesting RA certificate from CA [16/20]: issuing RA agent certificate [17/20]: adding RA agent as a trusted user [18/20]: configure certificate renewals [19/20]: configure Server-Cert certificate renewal [20/20]: Configure HTTP to proxy connections done configuring pki-cad. Configuring directory server: Estimated time 1 minute [1/36]: creating directory server user [2/36]: creating directory server instance [3/36]: adding default schema [4/36]: enabling memberof plugin [5/36]: enabling winsync plugin [6/36]: configuring replication version plugin [7/36]: enabling IPA enrollment plugin [8/36]: enabling ldapi [9/36]: configuring uniqueness plugin [10/36]: configuring uuid plugin [11/36]: configuring modrdn plugin [12/36]: enabling entryUSN plugin [13/36]: configuring lockout plugin [14/36]: creating indices [15/36]: enabling referential integrity plugin [16/36]: configuring ssl for ds instance [17/36]: configuring certmap.conf [18/36]: configure autobind for root [19/36]: configure new location for managed entries [20/36]: restarting directory server [21/36]: adding default layout [22/36]: adding delegation layout [23/36]: adding replication acis [24/36]: creating container for managed entries [25/36]: configuring user private groups [26/36]: configuring netgroups from hostgroups [27/36]: creating default Sudo bind user [28/36]: creating default Auto Member layout [29/36]: adding range check plugin [30/36]: creating default HBAC rule allow_all [31/36]: initializing group membership [32/36]: adding master entry [33/36]: configuring Posix uid/gid generation [34/36]: enabling compatibility plugin [35/36]: tuning directory server [36/36]: configuring directory to start on boot done configuring dirsrv. Configuring Kerberos KDC: Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot done configuring krb5kdc. Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot done configuring ipa_memcached. Configuring the web interface: Estimated time 1 minute [1/14]: disabling mod_ssl in httpd [2/14]: setting mod_nss port to 443 [3/14]: setting mod_nss password file [4/14]: enabling mod_nss renegotiate [5/14]: adding URL rewriting rules [6/14]: configuring httpd [7/14]: setting up ssl [8/14]: setting up browser autoconfig [9/14]: publish CA cert [10/14]: creating a keytab for httpd [11/14]: clean up any existing httpd ccache [12/14]: configuring SELinux for httpd [13/14]: restarting httpd [14/14]: configuring httpd to start on boot done configuring httpd. Applying LDAP updates Restarting the directory server Restarting the KDC Configuring named: [1/9]: adding DNS container [2/9]: setting up our zone [3/9]: setting up reverse zone [4/9]: setting up our own record [5/9]: setting up kerberos principal [6/9]: setting up named.conf [7/9]: restarting named [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves done configuring named. Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password # wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin --2012-10-05 10:35:43-- https://vm-120.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin Resolving vm-120.idm.lab.bos.redhat.com... 10.16.78.120 Connecting to vm-120.idm.lab.bos.redhat.com|10.16.78.120|:443... connected. HTTP request sent, awaiting response... 403 Forbidden 2012-10-05 10:35:43 ERROR 403: Forbidden. # ll -d /var/lib/pki-ca/ drwxrwx---. 11 pkiuser pkiuser 4096 Oct 5 10:21 /var/lib/pki-ca/ # chmod o+x /var/lib/pki-ca/ # wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin --2012-10-05 10:35:56-- https://vm-120.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin Resolving vm-120.idm.lab.bos.redhat.com... 10.16.78.120 Connecting to vm-120.idm.lab.bos.redhat.com|10.16.78.120|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 414 [application/octet-stream] Saving to: `MasterCRL.bin' 100%[==============================================================>] 414 --.-K/s in 0s 2012-10-05 10:35:56 (1.13 MB/s) - `MasterCRL.bin' saved [414/414]
attachment freeipa-mkosek-321-move-crl-publish-directory-to-ipa-owned-directory.patch
Patch freeipa-mkosek-321-move-crl-publish-directory-to-ipa-owned-directory.patch sent for review
Raising the priority, this will need to be done in a next release. I also saw this issue in previous releases, including RHEL 6.3. But it can be easily fixed with the chmod here.
chmod
master: 74ebd0f[[BR]] ipa-3-0: 8debadb
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=864533
Metadata Update from @mkosek: - Issue assigned to someone - Issue set to the milestone: FreeIPA 3.0 GA
Login to comment on this ticket.