> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Thomson, Ryan
> Sent: Friday, October 25, 2013 11:17 AM
> To: Rob Crittenden; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Failure decoding Certificate Signing Request


> > > I'm not sure what to make of this.
> >
> > This is just more confirmation that the IPA framework is trying to
> > initialize NSS for some reason. It should never do this which is why
> > it is failing so spectacularly.
> >
> > Can you provide nss.conf and ipa.conf from /etc/httpd/conf.d?
> >
> > Who owns and what are the permissions of /etc/httpd/alias/*.db?
> >
> > thanks
> >
> > rob


After further troubleshooting and trying too many crazy things, I was finally 
able to "hack" FreeIPA into renewing the certificates. Behold the terrible 
hack, it is quite awful and certainly not an actual fix.

During my troubleshooting, I kept coming back to the getpass EOFError:

[Sat Sep 28 03:48:17 2013] [error] /usr/lib64/python2.6/getpass.py:83: 
GetPassWarning: Can not control echo on the terminal.
[Sat Sep 28 03:48:17 2013] [error]   passwd = fallback_getpass(prompt, stream)
[Sat Sep 28 03:48:17 2013] [error] Warning: Password input may be echoed.
[Sat Sep 28 03:48:17 2013] [error] Enter password for internal: 
[Sat Sep 28 03:48:17 2013] [error] exception in PK11 password callback
[Sat Sep 28 03:48:17 2013] [error] Traceback (most recent call last):
[Sat Sep 28 03:48:18 2013] [error]   File 
"/usr/lib/python2.6/site-packages/ipapython/nsslib.py", line 230, in 
[Sat Sep 28 03:48:18 2013] [error]     return getpass.getpass("Enter password 
for %s: " % slot.token_name);
[Sat Sep 28 03:48:18 2013] [error]   File "/usr/lib64/python2.6/getpass.py", 
line 83, in unix_getpass
[Sat Sep 28 03:48:18 2013] [error]     passwd = fallback_getpass(prompt, stream)
[Sat Sep 28 03:48:18 2013] [error]   File "/usr/lib64/python2.6/getpass.py", 
line 118, in fallback_getpass
[Sat Sep 28 03:48:18 2013] [error]     return _raw_input(prompt, stream)
[Sat Sep 28 03:48:18 2013] [error]   File "/usr/lib64/python2.6/getpass.py", 
line 135, in _raw_input
[Sat Sep 28 03:48:18 2013] [error]     raise EOFError
[Sat Sep 28 03:48:18 2013] [error] EOFError

So eventually I found my way into 
/usr/lib/python2.6/site-packages/ipapython/nsslib.py and the getpass 
password_callback function. Instead of allowing the password_callback() to 
return "getpass.getpass("Enter password for %s: " % slot.token_name);", which 
was rasing the EOFError exception, I simply returned the text string from 

>From what little I know about python and coding in general, it seems that 
>getpass was trying to read the NSS DB password from somewhere but was reading 
>nothing instead and thus raising EOFError.

I'm not sure what to do about a permanent fix as maintaining the NSS DB 
password in a source file does seems rather insecure. Given the above, what 
does a permanent fix actually look like? Is the getpass callback function 
broken or is my environment broken?


Freeipa-users mailing list

Reply via email to