#4415 ipa-server-install fails configuring Dogtag when CN is too long
Closed: wontfix 5 years ago Opened 9 years ago by dpal.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1114127

Description of problem:

I'm seeing ipa-server-install failures configuring the CA.

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA -cs_hostname
pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -cs_port 9445
-client_certdb_dir /tmp/tmp-gTN63u -client_certdb_pwd XXXXXXXX -preop_pin
8IhRgvChTfGUEzvFqteh -domain_name IPA -admin_user admin -admin_email
root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=QE.PIT.REALM -ldap_host
pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -ldap_port
7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=QE.PIT.REALM
-ca_server_cert_subject_name CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd
03f-rs-1.novalocal,O=QE.PIT.REALM -ca_audit_signing_cert_subject_name CN=CA
Audit,O=QE.PIT.REALM -ca_sign_cert_subject_name CN=Certificate
Authority,O=QE.PIT.REALM -external false -clone false' returned non-zero exit
status 255
Configuration of CA failed

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-39.el6.x86_64
pki-ca-9.0.3-32.el6.noarch


How reproducible:
Unknown.

Steps to Reproduce:
1. ipa-server-install -r <REALM> -p Secret123 -a Secret123 -U

Actual results:

Failure listed above.

Expected results:

No failure and IPA installs cleanly.

Additional info:

Problem is we cannot reproduce this outside of an automated environment that
generates and builds the VM it's failing on.  If the VM is manually created
(from the same image) it's not failing.  I do not know the host systems in the
two cases.

ipaserver-install.log:

2014-06-27T19:42:10Z DEBUG Configuring certificate server (pki-cad): Estimated
time 3 minutes 30 seconds
2014-06-27T19:42:10Z DEBUG   [1/21]: creating certificate server user
2014-06-27T19:42:10Z DEBUG ca user pkiuser exists
2014-06-27T19:42:10Z DEBUG   duration: 0 seconds
2014-06-27T19:42:10Z DEBUG   [2/21]: creating pki-ca instance
2014-06-27T19:43:59Z DEBUG args=/usr/bin/pkicreate -pki_instance_root /var/lib
-pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443
-ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446
-unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca
-redirect logs=/var/log/pki-ca -enable_proxy
2014-06-27T19:43:59Z DEBUG stdout=PKI instance creation Utility ...

Capturing installation information in /var/log/pki-ca-install.log

PKI instance creation completed ...

Installation information recorded in /var/log/pki-ca-install.log.
Before proceeding with the configuration, make sure
the firewall settings of this machine permit proper
access to this subsystem.

Please start the configuration by accessing:

https://pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal:9445/
ca/admin/console/config/login?pin=pVNJx5tI2e9laIPwyV8w

After configuration, the server can be operated by the command:

    /sbin/service pki-cad restart pki-ca


2014-06-27T19:43:59Z DEBUG stderr=
2014-06-27T19:43:59Z DEBUG   duration: 109 seconds
2014-06-27T19:43:59Z DEBUG   [3/21]: configuring certificate server instance
2014-06-27T19:44:00Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA
-cs_hostname pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal
-cs_port 9445 -client_certdb_dir /tmp/tmp-TpgvUw -client_certdb_pwd XXXXXXXX
-preop_pin pVNJx5tI2e9laIPwyV8w -domain_name IPA -admin_user admin -admin_email
root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=QE.PIT.REALM -ldap_host
pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -ldap_port
7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=QE.PIT.REALM
-ca_server_cert_subject_name CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd
03f-rs-1.novalocal,O=QE.PIT.REALM -ca_audit_signing_cert_subject_name CN=CA
Audit,O=QE.PIT.REALM -ca_sign_cert_subject_name CN=Certificate
Authority,O=QE.PIT.REALM -external false -clone false
2014-06-27T19:44:00Z DEBUG stdout=libpath=/usr/lib64
#######################################################################
CRYPTO INIT WITH CERTDB:/tmp/tmp-TpgvUw
tokenpwd:XXXXXXXX
#############################################
Attempting to connect to:
pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA
#######################################################################

2014-06-27T19:44:00Z DEBUG stderr=Exception: Unable to Send
Request:java.io.IOException: java.io.IOException: SSL_ForceHandshake failed:
(-5991) I/O function error. --> java.net.SocketException: Connection reset
java.io.IOException: java.io.IOException: SSL_ForceHandshake failed: (-5991)
I/O function error. --> java.net.SocketException: Connection reset
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstruc
torAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Delegating
ConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at
org.mozilla.jss.ssl.SocketBase.processExceptions(SocketBase.java:401)
        at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
        at HTTPClient.sslConnect(HTTPClient.java:331)
        at ConfigureCA.LoginPanel(ConfigureCA.java:244)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
        at ConfigureCA.main(ConfigureCA.java:1672)
java.lang.NullPointerException
        at ConfigureCA.LoginPanel(ConfigureCA.java:245)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
        at ConfigureCA.main(ConfigureCA.java:1672)

2014-06-27T19:44:00Z CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -cs_port 9445
-client_certdb_dir /tmp/tmp-TpgvUw -client_certdb_pwd XXXXXXXX -preop_pin
pVNJx5tI2e9laIPwyV8w -domain_name IPA -admin_user admin -admin_email
root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=QE.PIT.REALM -ldap_host
pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal -ldap_port
7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=QE.PIT.REALM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=QE.PIT.REALM
-ca_server_cert_subject_name CN=pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd
03f-rs-1.novalocal,O=QE.PIT.REALM -ca_audit_signing_cert_subject_name CN=CA
Audit,O=QE.PIT.REALM -ca_sign_cert_subject_name CN=Certificate
Authority,O=QE.PIT.REALM -external false -clone false' returned non-zero exit
status 255
2014-06-27T19:44:00Z INFO   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614,
in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 942, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line
358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
888, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2014-06-27T19:44:00Z INFO The ipa-server-install command failed, exception:
RuntimeError: Configuration of CA failed
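The ticket title attributes the failure to an over-long CN. The hostname in the logged pkisilent command line is 65 characters, one over the 64-character upper bound that X.509 (RFC 5280 Appendix A, ub-common-name) sets on a commonName attribute value. Below is an added preflight check, not FreeIPA or Dogtag code, that refuses a server-certificate subject whose CN would exceed that bound before any CA configuration is attempted. It assumes only that the CN of the -ca_server_cert_subject_name argument is the server FQDN, as in the command line above; the DNS label and name length checks go beyond the ticket and are included as a related sanity test on the same value.

```python
"""Preflight check for the X.509 commonName length limit.

Added example, not FreeIPA or Dogtag code. Assumption: the CN of the
-ca_server_cert_subject_name argument is the server FQDN, as in the ticket's
pkisilent command line. The DNS checks are an addition beyond the ticket.
"""

# RFC 5280 Appendix A: ub-common-name INTEGER ::= 64
UB_COMMON_NAME = 64
# RFC 1035 limits on a DNS name and on each of its labels (secondary checks).
MAX_DNS_LABEL = 63
MAX_DNS_NAME = 253

# Hostname copied from the failing command line in the ticket (65 characters).
TICKET_HOSTNAME = (
    "pit-scenario2-7244a244-10af-4e0e-ac56-c715e79fd03f-rs-1.novalocal"
)


def server_cert_subject(hostname, realm):
    """Build the subject DN the installer passes for the CA server certificate."""
    return "CN=%s,O=%s" % (hostname, realm)


def common_name(subject_dn):
    """Return the CN value of a simple 'attr=value,attr=value' DN.

    A plain comma split is enough here: none of the installer's subject
    values contain escaped commas. Raises ValueError if there is no CN.
    """
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    raise ValueError("no CN in subject %r" % subject_dn)


def check_cn_length(subject_dn):
    """Return a problem string if the CN exceeds ub-common-name, else None."""
    cn = common_name(subject_dn)
    if len(cn) > UB_COMMON_NAME:
        return "CN %r is %d characters, over the X.509 ub-common-name of %d" % (
            cn, len(cn), UB_COMMON_NAME)
    return None


def check_server_subject(subject_dn):
    """Check the server-cert subject: CN length plus DNS shape of the FQDN.

    Returns a list of problem strings; an empty list means it is acceptable.
    """
    problems = []
    cn_problem = check_cn_length(subject_dn)
    if cn_problem:
        problems.append(cn_problem)
    fqdn = common_name(subject_dn)
    if len(fqdn) > MAX_DNS_NAME:
        problems.append("hostname is %d characters, over the DNS limit of %d"
                        % (len(fqdn), MAX_DNS_NAME))
    for label in fqdn.split("."):
        if not label or len(label) > MAX_DNS_LABEL:
            problems.append("DNS label %r is empty or over %d characters"
                            % (label, MAX_DNS_LABEL))
    return problems


if __name__ == "__main__":
    # Run against the ticket's hostname: reports the 65-character CN.
    subject = server_cert_subject(TICKET_HOSTNAME, "QE.PIT.REALM")
    for problem in check_server_subject(subject):
        print("refusing to run the CA configuration: " + problem)
```

Running the module against the ticket's hostname reports the one CN problem; a 64-character FQDN passes, which is the boundary an installer preflight should test rather than relying on the handshake failure that Dogtag's configuration servlet produced here.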

Processing leftovers from 4.2 backlog - this ticket was found as suitable for consideration in next big feature release - 4.4.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
