When installing a ca-less replica with custom certificate files, when I supply an empty string (*) instead of the correct password from a pkcs file, the installation crashes with a "no such entry" error.
The error message should be more meaningful, like "Failed to open replica.p12: incorrect password?". The command line I used is:
ipa-replica-install -P admin -p <admin_password> --http-cert-file http.p12 --dirsrv-cert-file dirsrv.p12 --http-pin '' --dirsrv-pin <dirsrv_pin> -n <domain_name> -r <realm> --server <server_hostname> -U
Strangely enough, if I omit the empty string after '--http-pin', the installer will complain about missing dirsrv-pin (although it is provided):
# ipa-replica-install -P admin -p <admin_password> --http-cert-file http.p12 --dirsrv-cert-file dirsrv.p12 --http-pin --dirsrv-pin <dirsrv_pin> -n <domain_name> -r <realm> --server <server_hostname> -U
Usage: ipa-replica-install [options] REPLICA_FILE
ipa-replica-install: error: You must specify --dirsrv-pin with --dirsrv-cert-file
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
As it turned out the issue is slightly more complex.
Http cert file was exported with "" for a password:
pk12util -W "" -o http.p12 -n ca1/replica -K <cert_password> -d <certdbdir>
So, the installation should have succeeded, rather than produce any error messages.
For the second case, I don't know if it can be reasonably fixed.
--dirsrv-pin is used as a value for --http-pin. <dirsrv_pin> is then probably used as other param or value.
Maybe <dirsrv_pin> should be announced as invalid parameter or option.
Anyway, for both cases, ipareplica-install.log would be useful.
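The two command lines from the report, replayed as an added example (not part of the ticket and not FreeIPA code). It assumes the installer parses its arguments with Python's optparse, which the usage/error output suggests but the ticket does not state; the option table, the sample PIN value and missing_pins() are constructed for illustration.

```python
from optparse import OptionParser

def build_parser():
    # Hypothetical stand-in for the installer's option table; only the
    # options involved in the ticket are declared.
    parser = OptionParser(usage="%prog [options] REPLICA_FILE")
    parser.add_option("--http-cert-file", dest="http_cert_file")
    parser.add_option("--dirsrv-cert-file", dest="dirsrv_cert_file")
    parser.add_option("--http-pin", dest="http_pin")
    parser.add_option("--dirsrv-pin", dest="dirsrv_pin")
    return parser

def parse(argv):
    """Return (options, positional_args) for a constructed argv."""
    return build_parser().parse_args(argv)

def missing_pins(options):
    """List PIN options that are absent although their cert file was given.

    Only None counts as absent: an empty string is a legitimate PIN for a
    PKCS#12 file exported with an empty password (pk12util -W "").
    """
    pairs = (("http_cert_file", "http_pin"),
             ("dirsrv_cert_file", "dirsrv_pin"))
    return ["--" + pin.replace("_", "-")
            for cert, pin in pairs
            if getattr(options, cert) is not None
            and getattr(options, pin) is None]

# Constructed sample arguments; "Secret123" is a placeholder PIN.
CERTS = ["--http-cert-file", "http.p12", "--dirsrv-cert-file", "dirsrv.p12"]
EMPTY_PIN = CERTS + ["--http-pin", "", "--dirsrv-pin", "Secret123"]
OMITTED_PIN = CERTS + ["--http-pin", "--dirsrv-pin", "Secret123"]

if __name__ == "__main__":
    for label, argv in (("empty", EMPTY_PIN), ("omitted", OMITTED_PIN)):
        options, args = parse(argv)
        print(label, repr(options.http_pin), repr(options.dirsrv_pin),
              args, missing_pins(options))
```

With the value omitted, the parser takes the next token as the --http-pin value even though it begins with dashes, so --dirsrv-pin is never set and the PIN itself is left over as a positional argument.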
Reproduced in another unrelated test from ca-less testsuite. Attaching the log
attachment ipareplica-install.log
The error is not related to empty password but rather to missing service entry. Probably caused by race condition in tests.
#5721 was closed as a duplicate of this ticket.
Duplicate of #5604
Metadata Update from @ofayans: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.3.2