Commenting only on the 2 remaining patches that need to be committed, inline.

On 15/10/15 04:45, Jan Cholasta wrote:
On 23.9.2015 19:47, Simo Sorce wrote:

"Allow ipa-ca-install to use the new promotion code":

1) The --replica option was not removed:

Will do, thanks for spotting.

On 22.9.2015 10:45, Jan Cholasta wrote:
1) The --replica option is redundant. You can safely decide whether this
is the first CA master or not based on information in cn=masters.

2) ipa-ca-install prompts for both admin and DM password:

# ipa-ca-install -r
Password for
Directory Manager (existing master) password:

DM password should not be required, right?

Unfortunately, if you install the CA in a separate step, we still need to ask for the DM password, because Dogtag uses simple binds over ldaps:// and not ldapi://. We do not need that if you pass --setup-ca, because we generate a random DM password and replace it with the hash obtained by the existing master only after all components are installed.

3) ipa-ca-install fails with:

Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/",
line 445, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/",
line 435, in run_step
"/usr/lib/python2.7/site-packages/ipaserver/install/", line
631, in __spawn_instance
     DogtagInstance.spawn_instance(self, cfg_file)
line 185, in spawn_instance
line 448, in handle_setup_error
     raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

I guess I'm hitting the authentication bug in Dogtag. It is supposed to
be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2?
We might need a new 10.2.7 build.

I am not sure which version has it fixed, Endi?

1) ipa-kra-install fails with:

Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipapython/", line
171, in execute
     return_value =
line 220, in run
line 200, in _run
     if config.subject_base is None:
AttributeError: 'NoneType' object has no attribute 'subject_base'

I need to find out why this stopped working; will post a patch ASAP.


Simo Sorce * Red Hat, Inc * New York
