Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 859043
Created attachment 614879 Full log On a Fedora 17 with update-testing enabled, running ipa-server-install like so ipa-server-install --setup-dns -r FI.LAN -n fi.lan -a test1234 -p test1234 results in the output shown further down. Full log is attached. Packages: freeipa-server-2.2.0-1.fc17.x86_64 pki-native-tools-9.0.23-1.fc17.x86_64 The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the FreeIPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. Existing BIND configuration detected, overwrite? [no]: yes Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. Server host name [fi.lan]: Warning: skipping DNS resolution of host fi.lan The server hostname resolves to more than one address: fe80::5054:ff:fe63:6fc2%eth0 192.168.100.30 Please provide the IP address to be used for this host name: 192.168.100.30 Do you want to configure DNS forwarders? [yes]: no No DNS forwarders configured Do you want to configure the reverse zone? [yes]: yes Please specify the reverse zone name [100.168.192.in-addr.arpa.]: Using reverse zone 100.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: fi.lan IP address: 192.168.100.30 Domain name: fi.lan Realm name: FI.LAN BIND DNS server will be configured to serve IPA domain with: Forwarders: No forwarders Reverse zone: 100.168.192.in-addr.arpa. Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. Configuring certificate server: Estimated time 3 minutes 30 seconds [1/18]: creating certificate server user [2/18]: creating pki-ca instance [3/18]: configuring certificate server instance [4/18]: disabling nonces [5/18]: creating CA agent PKCS#12 file in /root [6/18]: creating RA agent certificate database [7/18]: importing CA chain to RA certificate database [8/18]: fixing RA database permissions [9/18]: setting up signing cert profile [10/18]: set up CRL publishing [11/18]: set certificate subject base [12/18]: enabling Subject Key Identifier [13/18]: configuring certificate server to start on boot [14/18]: restarting certificate server [15/18]: requesting RA certificate from CA [16/18]: issuing RA agent certificate Unexpected error - see ipaserver-install.log for details: Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-56Kk3t -r /ca/agent/ca/profileReview?requestId=7 fi.lan:9443' returned non-zero exit status 6
More info from the original bug reporter:
I have rerun ipa-server-install without --setup-dns, and the result is the same.
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
Thus, fi.lan is not in there. Still, it can be resolved by ping and wget, but not by sslget.
PING fi.lan (192.168.100.30) 56(84) bytes of data. 64 bytes from fi.lan (192.168.100.30): icmp_req=1 ttl=64 time=0.066 ms
There is this line in /etc/nsswitch.conf:
hosts: files dns myhostname
The "myhostname" entry is responsible for resolving fi.lan to 192.168.100.30, as I have learned just now.
Adding fi.lan to /etc/hosts doesn't help, sslget still fails:
192.168.100.30: fi fi.lan
GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0
port: 9443 addr='fi.lan' family='10' exit after PR_Connect with error -5987:
Using the IP address directly makes sslget work:
port: 9443 addr='192.168.100.30' family='2' Called mygetclientauthdata - nickname = ipa-ca-agent mygetclientauthdata - cert = 1ded5b0 mygetclientauthdata - privkey = 1e30770 PR_Write wrote 55 bytes from bigBuf bytes: [GET /ca/agent/ca/profileReview?requestId=7 HTTP/1.0
] do_writes shutting down send socket do_writes exiting with (failure = 0) connection 1 read 9000 bytes (9000 total). these bytes read: connection 1 read 9000 bytes (18000 total). these bytes read: connection 1 read 9000 bytes (27000 total). these bytes read: connection 1 read 3364 bytes (30364 total). these bytes read: connection 1 read 30364 bytes total. -----------------------------
Thus, sslget doesn't seem to use nsswitch for resolving hostnames. That seems to be the bug here.
cloisng for jmagne and mharmsen:
7ca438db07efb122bc93efd0471be7a2be34b663
Metadata Update from @nkinder: - Issue assigned to vakwetu - Issue set to the milestone: 10.0.2
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1157
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.