Apologies ahead of time as this is my first post to the list and interaction 
with the FreeIPA project. If I should be taking this question to a different 
forum please point me in the right direction!

The error condition I’m encountering is mentioned a few times on the list, but 
the threads die off without any conclusions. The most recent mention of it that 
I could find is here:

https://www.redhat.com/archives/freeipa-users/2015-March/msg00271.html

It also looks like this has shown up as a bug that was fixed here:

https://fedorahosted.org/freeipa/ticket/4397

I’m using a CentOS Linux release 7.1.1503 (Core) system running FreeIPA VERSION: 
4.1.0, API_VERSION: 2.112.

The error happens when attempting to finish an ipa-server-install using a cert 
signed by an external CA:

        ipa-server-install -d --external-cert-file=/path/to/certificate.pem --external-cert-file=/path/to/certificate_authority.pem

The install proceeds as normal, but then when trying to create the RA 
certificate it errors out with:

ipa         : DEBUG    The ipa-server-install command failed, exception: IndexError: list index out of range
Unexpected error - see /var/log/ipaserver-install.log for details:
IndexError: list index out of range
[root@ipa ~]# ipa         : DEBUG    stderr=
all/cainstance.py", line 520, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
    self.requestId = item_node[0].childNodes[0].data

ipa         : DEBUG    The ipa-server-install command failed, exception: IndexError: list index out of range
Unexpected error - see /var/log/ipaserver-install.log for details:
IndexError: list index out of range

Unlike the bug and thread I linked to above, we are not using a Windows CA. Our 
CA is based on openssl. Since I’m fairly new to FreeIPA I’m not sure what logs 
would be most helpful to troubleshoot, but my bumbling about seemed to indicate 
that the error condition is in the server’s xml-based web api 
request/response logic. I’m not sure if the error is localized to that part of 
the system or if there’s some precondition that failed beforehand. The 
installation is left in a pretty broken/useless state. If I try to run 
`ipa-server-install -d --external-cert-file=/path/to/certificate.pem 
--external-cert-file=/path/to/certificate_authority.pem` again it instructs me 
that I have to run `ipa-server-install --external-ca` (essentially, start over 
from scratch). An aside question: is there some way to rerun the setup from 
where it broke down so that I don’t have to bother our CA admin to sign my CSR 
each time? That said, I can reliably produce this error condition and am 
willing to put in some time to do data collection to track it down, and our CA 
admin is willing to humor me for a little while! But, where do I start? What 
information would be most useful to collect?

Thanks!

Gil

Gilbert Wilson
Systems Administrator
The Omni Group
+1 206-523-4152
+1 206-523-5896 (Fax)
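
The last traceback frame above indexes `item_node[0].childNodes[0]` without checking that either list is non-empty. The following is an added example, not part of the original post and not FreeIPA's code, showing how that pattern turns an XML response lacking the expected element into a bare IndexError, next to a checked variant that reports what the response said instead. The element names `RequestId`, `Status` and `Error`, the function names and both sample responses are constructed assumptions.

```python
import xml.dom.minidom

# Constructed sample responses. The element names are assumptions made for
# this example, not a schema taken from FreeIPA or its CA backend.
OK_RESPONSE = "<Response><Status>0</Status><RequestId>7</RequestId></Response>"
ERROR_RESPONSE = "<Response><Status>1</Status><Error>Request rejected</Error></Response>"


class ResponseError(Exception):
    """Raised when a response does not carry the expected element."""


def first_text(doc, tag):
    """Return the text of the first <tag> element, or None if absent or empty."""
    nodes = doc.getElementsByTagName(tag)
    if not nodes or not nodes[0].childNodes:
        return None
    return nodes[0].childNodes[0].data


def fragile_request_id(data):
    """Same indexing pattern as the traceback line: assumes the element exists."""
    doc = xml.dom.minidom.parseString(data)
    item_node = doc.getElementsByTagName("RequestId")
    # An empty NodeList here raises "IndexError: list index out of range".
    return item_node[0].childNodes[0].data


def checked_request_id(data):
    """Return the request id, or raise an error that carries the response's own detail."""
    doc = xml.dom.minidom.parseString(data)
    request_id = first_text(doc, "RequestId")
    if request_id is None:
        # Fall back to the raw body so the log shows what actually came back.
        detail = first_text(doc, "Error") or data
        raise ResponseError("no RequestId in response: %s" % detail)
    return request_id
```
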
