Gilbert Wilson wrote:
> Apologies ahead of time as this is my first post to the list and interaction 
> with the FreeIPA project. If I should be taking this question to a different 
> forum please point me in the right direction!
> 
> The error condition I’m encountering is mentioned a few times on the list, 
> but the threads die off without any conclusions. The most recent mention of 
> it that I could find is here:
> 
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00271.html
> 
> It also looks like this has shown up as a bug that was fixed here:
> 
> https://fedorahosted.org/freeipa/ticket/4397
> 
> I’m using CentOS Linux release 7.1.1503 (Core) system running FreeIPA 
> VERSION: 4.1.0, API_VERSION: 2.112.
> 
> The error happens when attempting to finish an ipa-server-install using a 
> cert signed by an external CA:
> 
>       ipa-server-install -d --external-cert-file=/path/to/certificate.pem 
> --external-cert-file=/path/to/certificate_authority.pem
> 
> The install proceeds as normal, but then when trying to create the RA 
> certificate it errors out with:
> 
> ipa         : DEBUG    The ipa-server-install command failed, exception: 
> IndexError: list index out of range
> Unexpected error - see /var/log/ipaserver-install.log for details:
> IndexError: list index out of range
> [root@ipa ~]# ipa         : DEBUG    stderr=
> all/cainstance.py", line 520, in configure_instance
>     self.start_creation(runtime=210)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 382, in start_creation
>     run_step(full_msg, method)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 372, in run_step
>     method()
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
> line 1149, in __request_ra_certificate
>     self.requestId = item_node[0].childNodes[0].data
> 
> ipa         : DEBUG    The ipa-server-install command failed, exception: 
> IndexError: list index out of range
> Unexpected error - see /var/log/ipaserver-install.log for details:
> IndexError: list index out of range
> 
> Unlike the bug and thread I linked to above we are not using a Windows CA. 
> Our CA is based on openssl. Since I’m fairly new to FreeIPA I’m not sure what 
> logs would be most helpful to troubleshoot, but my bumbling about seemed to 
> indicate that the error condition is in the server’s xml-based web api 
> request/response logic. I’m not sure if the error is localized to that part 
> of the system or if there’s some precondition that failed beforehand. The 
> installation is left in a pretty broken/useless state. If I try to run 
> `ipa-server-install -d --external-cert-file=/path/to/certificate.pem 
> --external-cert-file=/path/to/certificate_authority.pem` again it instructs 
> me that I have to run `ipa-server-install --external-ca` (essentially, start 
> over from scratch). An aside question: is there some way to rerun the setup 
> from where it broke down so that I don’t have to bother our CA admin to sign 
> my CSR each time? That said, I can reliably produce this error condition and 
> am willing to put in some time to do data collection to track it down, and 
> our CA admin is willing to humor me for a little while! But, where do I 
> start? What information would be most useful to collect?

You're seeing a symptom, not the problem. You'd need to look at the
install log referenced above plus the debug log somewhere in
/var/log/pki/pki-ca/

And unfortunately right now you need to start over after a failed install.

rob
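
The traceback in this thread ends at `item_node[0].childNodes[0].data`, which raises IndexError whenever the element lookup returns an empty list, so the real failure reported by the CA never reaches the installer output. The sketch below is an added example, not FreeIPA's code: it shows the unguarded lookup next to a guarded one that reports what the reply did contain. The element names RequestId, Status and Error, the helper names, and both sample replies are assumptions constructed for illustration.

```python
from xml.dom import minidom
from xml.parsers.expat import ExpatError

# Constructed sample replies (assumed shape, not captured from a real CA).
OK_REPLY = "<XMLResponse><Status>0</Status><RequestId>7</RequestId></XMLResponse>"
ERROR_REPLY = "<XMLResponse><Status>1</Status><Error>constructed error text</Error></XMLResponse>"


class CAResponseError(Exception):
    """The CA reply could not be parsed or lacks the expected element."""


def unguarded_request_id(xml_text):
    """Same access pattern as the failing line in the traceback."""
    doc = minidom.parseString(xml_text)
    item_node = doc.getElementsByTagName("RequestId")  # assumed tag name
    return item_node[0].childNodes[0].data  # IndexError if the list is empty


def _first_text(doc, tag):
    """Text of the first <tag> element, or None if it is absent or empty."""
    nodes = doc.getElementsByTagName(tag)
    if not nodes or not nodes[0].childNodes:
        return None
    return nodes[0].childNodes[0].data.strip()


def guarded_request_id(xml_text):
    """Return the request id, or raise an error that carries the CA's own status."""
    try:
        doc = minidom.parseString(xml_text)
    except ExpatError as exc:
        raise CAResponseError("CA reply is not well-formed XML: %s" % exc)
    request_id = _first_text(doc, "RequestId")
    if request_id is None:
        raise CAResponseError(
            "CA reply has no RequestId (Status=%s, Error=%s)"
            % (_first_text(doc, "Status"), _first_text(doc, "Error"))
        )
    return request_id


if __name__ == "__main__":
    print(guarded_request_id(OK_REPLY))
    try:
        guarded_request_id(ERROR_REPLY)
    except CAResponseError as exc:
        print(exc)
```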
