On Feb 12, 2013, at 6:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Rob Crittenden wrote:
>> Chuck Lever wrote:
>>> 
>>> On Feb 12, 2013, at 4:24 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> 
>>>> Chuck Lever wrote:
>>>>> Hi-
>>>>> 
>>>>> I'm new to FreeIPA.  I'm installing on an up-to-date Fedora 18
>>>>> system from the freeipa packages available with Fedora 18.  When
>>>>> running ipa-server-install, the install process fails here:
>>>>> 
>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>>>   [1/20]: creating certificate server user
>>>>>     ...
>>>>>   [15/20]: requesting RA certificate from CA
>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>> IndexError: list index out of range
>>>>> 
>>>>> The tail of the installer log looks like this:
>>>>> 
>>>>> Generating key.  This may take a few moments...
>>>>> 
>>>>> 
>>>>> 2013-02-12T21:04:46Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script
>>>>>     return_value = main_function()
>>>>> 
>>>>>   File "/sbin/ipa-server-install", line 986, in main
>>>>>     dm_password, subject_base=options.subject)
>>>>> 
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 621, in configure_instance
>>>>>     self.start_creation(runtime=210)
>>>>> 
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 358, in start_creation
>>>>>     method()
>>>>> 
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1219, in __request_ra_certificate
>>>>>     self.requestId = item_node[0].childNodes[0].data
>>>>> 
>>>>> 2013-02-12T21:04:46Z INFO The ipa-server-install command failed, exception: IndexError: list index out of range
>>>>> 
>>>>> 
>>>>> Is there a workaround or fix available?  I haven't found any
>>>>> relevant information via a web search, and a few searches on
>>>>> bugzilla.redhat.com have come up empty.
>>>>> 
>>>> 
>>>> We've seen just one other report of this and unfortunately the VM was
>>>> removed before we could do a lot of diagnosis. What we saw was that
>>>> certutil output garbage when requesting the RA admin certificate. Can
>>>> you look in /var/log/ipaserver-install.log for the last certutil
>>>> command? Does stdout contain a lot of garbage characters in it? It
>>>> should consist of a base64-encoded CSR.
>>> 
>>> 2013-02-12T21:04:29Z DEBUG   [15/20]: requesting RA certificate from CA
>>> 2013-02-12T21:04:29Z DEBUG Starting external process
>>> 2013-02-12T21:04:29Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -R -k rsa -g 2048 -s CN=IPA RA,O=1015GRANGER.NET -z /tmp/tmptIYFZ5 -a
>>> 2013-02-12T21:04:33Z DEBUG Process finished, return code=0
>>> 2013-02-12T21:04:33Z DEBUG stdout=[binary garbage]
>>> 
>>> 2013-02-12T21:04:33Z DEBUG stderr=
>>> 
>>> 
>>>> If so, what version of nss and nss-tools do you have installed?
>>> 
>>> 
>>> [root@forain ~]# yum info nss nss-tools
>>> Loaded plugins: langpacks, presto, refresh-packagekit
>>> Installed Packages
>>> Name        : nss
>>> Arch        : x86_64
>>> Version     : 3.14.2
>>> Release     : 2.fc18
>>> Size        : 2.5 M
>>> Repo        : installed
>>> From repo   : updates
>>> Summary     : Network Security Services
>>> URL         : http://www.mozilla.org/projects/security/pki/nss/
>>> License     : MPLv2.0
>>> Description : Network Security Services (NSS) is a set of libraries designed to
>>>             : support cross-platform development of security-enabled client and
>>>             : server applications. Applications built with NSS can support SSL v2
>>>             : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
>>>             : v3 certificates, and other security standards.
>>> 
>>> Name        : nss-tools
>>> Arch        : x86_64
>>> Version     : 3.14.2
>>> Release     : 2.fc18
>>> Size        : 1.7 M
>>> Repo        : installed
>>> From repo   : updates
>>> Summary     : Tools for the Network Security Services
>>> URL         : http://www.mozilla.org/projects/security/pki/nss/
>>> License     : MPLv2.0
>>> Description : Network Security Services (NSS) is a set of libraries designed to
>>>             : support cross-platform development of security-enabled client and
>>>             : server applications. Applications built with NSS can support SSL v2
>>>             : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
>>>             : v3 certificates, and other security standards.
>>>             :
>>>             : Install the nss-tools package if you need command-line tools to
>>>             : manipulate the NSS certificate and key database.
>>> 
>>> Available Packages
>>> Name        : nss
>>> Arch        : i686
>>> Version     : 3.14.2
>>> Release     : 2.fc18
>>> Size        : 833 k
>>> Repo        : updates/18/x86_64
>>> Summary     : Network Security Services
>>> URL         : http://www.mozilla.org/projects/security/pki/nss/
>>> License     : MPLv2.0
>>> Description : Network Security Services (NSS) is a set of libraries designed to
>>>             : support cross-platform development of security-enabled client and
>>>             : server applications. Applications built with NSS can support SSL v2
>>>             : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
>>>             : v3 certificates, and other security standards.
>>> 
>>> [root@forain ~]#
>>> 
>>> Hope this helps.
>>> 
>>> --
>>> Chuck Lever
>>> chucklever[at]gmail[dot]com
>>> 
>>> 
>>> 
>> 
>> Ok, easily reproduced with this version of nss. I filed
>> https://bugzilla.redhat.com/show_bug.cgi?id=910584
>> 
>> For a workaround you might try to yum downgrade nss. You may need to
>> downgrade several other subpackages as well like nss-tools and
>> nss-sysinit depending on your install.
>> 
>> I think you can safely upgrade again once the install is complete.
> 
> I did some real quick smoke testing and this seems to work. I did:
> 
> # yum downgrade nss nss-*
> # ipa-server-install ...
> # yum update nss
> 
> This is with a dogtag CA. I didn't test a selfsign CA.
> 
> This was a single install.
> 
> Preparing a replica will fail with the error "Certificate issuance failed" 
> because of the certutil problem.

Confirmed:

 # yum downgrade nss nss-tools nss-sysinit
 # ipa-server-install

worked as expected.

--
Chuck Lever
chucklever[at]gmail[dot]com
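
The thread's failure mode is a tool exiting with return code 0 while writing binary garbage where a base64-encoded CSR was expected. The following is an added example, not part of the original messages and not FreeIPA's code: a structural check a caller could run on such stdout before submitting it to a CA. The function names and sample inputs are hypothetical and constructed; the check confirms PEM and DER framing only and does not verify the request's signature.

```python
import base64
import re

# PKCS#10 requests appear under either PEM label.
_PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(?P<body>.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.DOTALL)


def der_sequence_ok(der):
    """True if der is exactly one DER SEQUENCE with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_csr_output(stdout):
    """Return (ok, reason) for the bytes a CSR tool wrote to stdout."""
    text = stdout.decode("latin-1")        # cannot fail on binary input
    if "\x00" in text:
        return False, "NUL bytes in output"
    m = _PEM_RE.search(text)
    if m is None:
        return False, "no PEM certificate request block"
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except ValueError:
        return False, "PEM body is not valid base64"
    if not der_sequence_ok(der):
        return False, "decoded data is not a single DER SEQUENCE"
    return True, "structurally a DER-encoded request"


# Constructed samples (not taken from the thread's log).
_FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
GOOD = (b"tool banner text\n\n-----BEGIN NEW CERTIFICATE REQUEST-----\n"
        + base64.encodebytes(_FAKE_DER)
        + b"-----END NEW CERTIFICATE REQUEST-----\n")
GARBAGE = b"\x18\x1c\xfb<" + b"\x00" * 64

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("garbage", GARBAGE)):
        print(name, check_csr_output(data))
```

Failing fast on this check reports the bad tool output at the point it occurs, instead of a later parse error on the CA's response.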



