[Freeipa] [Bug 2029368] Re: Use tomcat10

2023-09-01 Thread Bug Watch Updater
** Changed in: dogtag-pki (Debian)
   Status: Unknown => New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/2029368

Title:
  Use tomcat10

Status in dogtag-pki package in Ubuntu:
  New
Status in dogtag-pki package in Debian:
  New

Bug description:
  tomcat9 no longer ships bin:tomcat9-user[1][2], which is needed by
  dogtag-pki. dogtag-pki should switch to tomcat10[3].

  
  1. https://bugs.debian.org/1034824
  2. https://salsa.debian.org/java-team/tomcat9/-/commit/590e5fe1dd682c47b5edf44c55f242adef1630a9
  3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031815

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/2029368/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 1966181] Re: ipa-client-install fails on restarting non-existing chrony.service

2022-03-25 Thread Bug Watch Updater
** Changed in: freeipa (Debian)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1966181

Title:
  ipa-client-install fails on restarting non-existing chrony.service

Status in freeipa package in Ubuntu:
  Invalid
Status in freeipa package in Debian:
  Fix Released

Bug description:
  DistroRelease: Ubuntu 21.10
  Package: freeipa-client 4.8.6-1ubuntu6

  This is a bug that just doesn't want to die -- the package *really*
  should grow an autopkgtest that checks if a basic ipa-client-install
  actually works. It's very similar to bug 1890786 except that it now
  fails on "chrony.service", not "chronyd.service":

  
  # ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --principal admin -W
  This program will set up FreeIPA client.
  Version 4.8.6

  WARNING: conflicting time synchronization service 'ntp' will be
  disabled in favor of chronyd

  Discovery was successful!
  Do you want to configure chrony with NTP server or pool address? [no]: 
  Client hostname: x0.cockpit.lan
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Continue to configure the system with these values? [no]: yes
  Synchronizing time
  No SRV records of NTP servers found and no NTP server or pool address was provided.
  Using default chrony configuration.
  CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 5: 'Failed to restart chrony.service: Unit chrony.service not found.\n')
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information


  This also happens if I say "yes" to the NTP question.

  
  Now, the chrony package is indeed rather weird/broken:

  | root@x0:~# find /etc/systemd -name '*chrony*' | xargs ls -l
  | lrwxrwxrwx 1 root root  9 Mar 24 05:54 /etc/systemd/system/chrony.service -> /dev/null
  | lrwxrwxrwx 1 root root 34 Mar 23 04:31 /etc/systemd/system/chronyd.service -> /lib/systemd/system/chrony.service
  | lrwxrwxrwx 1 root root 34 Mar 23 04:31 /etc/systemd/system/multi-user.target.wants/chrony.service -> /lib/systemd/system/chrony.service

  | # systemctl status chrony chronyd
  | Warning: The unit file, source configuration file or drop-ins of chronyd.service changed on disk. Run 'systemctl daemon-reload' to relo>
  | ○ chrony.service
  |  Loaded: masked (Reason: Unit chrony.service is masked.)
  |  Active: inactive (dead)
  |
  | ○ chronyd.service
  |  Loaded: error (Reason: Unit chronyd.service failed to load properly, please adjust/correct and reload service manager: File exists)
  |  Active: inactive (dead)

  Again, this is unconfigured and out of the box -- the idea is that FreeIPA
  sets up everything and configures NTP/chrony/etc. to listen to the FreeIPA
  server.

  Purging chrony doesn't really help, though:

  | dpkg -P chrony
  | # no '*chrony*' files in /etc any more

  Exactly the same failure, and it still tries to configure chrony even though
  it's not there any more:

  | WARNING: conflicting time synchronization service 'ntp' will be disabled in favor of chronyd
  |
  | Discovery was successful!
  | Do you want to configure chrony with NTP server or pool address? [no]: yes
  | Enter NTP source server addresses separated by comma, or press Enter to skip:
  | Enter a NTP source pool address, or press Enter to skip:
  | Client hostname: x0.cockpit.lan
  | Realm: COCKPIT.LAN
  | DNS Domain: cockpit.lan
  | IPA Server: f0.cockpit.lan
  | BaseDN: dc=cockpit,dc=lan
  |
  | Continue to configure the system with these values? [no]: yes
  | Synchronizing time
  | No SRV records of NTP servers found and no NTP server or pool address was provided.
  | Using default chrony configuration.
  | CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 5: 'Failed to restart chrony.service: Unit chrony.service not found.\n')
  | The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1966181/+subscriptions




[Freeipa] [Bug 1946244] Re: When installing/uninstalling with realmd, uninstalling crashes with ScriptError

2022-03-24 Thread Bug Watch Updater
** Changed in: freeipa (Debian)
   Status: Unknown => New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1946244

Title:
  When installing/uninstalling with realmd, uninstalling crashes with
  ScriptError

Status in freeipa package in Ubuntu:
  New
Status in freeipa source package in Bionic:
  New
Status in freeipa source package in Hirsute:
  Won't Fix
Status in freeipa package in Debian:
  New

Bug description:
  ProblemType: Crash
  DistroRelease: Ubuntu 21.04
  PackageVersion: python3-ipaclient 4.8.6-1ubuntu5
  SourcePackage: freeipa
  Architecture: amd64

  Joining a FreeIPA domain with plain ipa-client-install works well:

  # ipa-client-install -p admin --password=SECRET --no-ntp
  [...]
  The ipa-client-install command was successful

  And leaving it again with "ipa-client-install --uninstall" also works.

  However, when doing this through realmd (which configures some
  additional useful stuff), it causes a crash:

  # realm join
  Password for admin: 

  This works fine:

  # realm list
  cockpit.lan
    type: kerberos
    realm-name: COCKPIT.LAN
    domain-name: cockpit.lan
    configured: kerberos-member
    server-software: ipa
    client-software: sssd
    required-package: freeipa-client
    required-package: sssd-tools
    required-package: sssd
    required-package: libnss-sss
    required-package: libpam-sss
    login-formats: %u...@cockpit.lan
    login-policy: allow-realm-logins

  But leaving fails:

  # realm leave
  See: journalctl REALMD_OPERATION=r152.3671
  realm: Couldn't leave realm: Running ipa-client-install failed
  root@x0:~# echo $?
  1

  
  The crash from /var/log/ipaclient-uninstall.log:

  2021-10-06T15:48:22Z INFO Client uninstall complete.
  2021-10-06T15:48:22Z DEBUG   File "/usr/lib/python3/dist-packages/ipapython/admintool.py", line 179, in execute
      return_value = self.run()
    File "/usr/lib/python3/dist-packages/ipapython/install/cli.py", line 340, in run
      return cfgr.run()
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 360, in run
      return self.execute()
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 386, in execute
      for rval in self._executor():
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
      exc_handler(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
      self._handle_exception(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
      six.reraise(*exc_info)
    File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
      raise value
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
      step()
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
      step = lambda: next(self.__gen)
    File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
      six.reraise(*exc_info)
    File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
      raise value
    File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
      value = gen.send(prev_value)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 655, in _configure
      next(executor)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
      exc_handler(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
      self._handle_exception(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
      self.__parent._handle_exception(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
      six.reraise(*exc_info)
    File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
      raise value
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 515, in _handle_exception
      super(ComponentBase, self)._handle_exception(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
      six.reraise(*exc_info)
    File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
      raise value
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
      step()
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
      step = lambda: next(self.__gen)
    File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
      six.reraise(*exc_info)
    File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
      raise value
   

[Freeipa] [Bug 1769545] Re: DerInput.getLength(): lengthTag=9, too big.

2020-10-06 Thread Bug Watch Updater
** Changed in: dogtag-pki (Fedora)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1769545

Title:
  DerInput.getLength(): lengthTag=9, too big.

Status in dogtag-pki package in Ubuntu:
  New
Status in dogtag-pki package in Fedora:
  Fix Released

Bug description:
  When using pkispawn with an external root CA the following error
  occurs.

  2018-05-05 15:00:33 [https-jsse-nio-8443-exec-9] FINE: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  2018-05-05 15:00:33 [https-jsse-nio-8443-exec-9] SEVERE: Configuration failed: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
    at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
    at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
    at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:542)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2754)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2578)
    at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:483)
    at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:170)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:105)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1460)
 

[Freeipa] [Bug 1778911] Re: freeipa-client hard depends on chrony

2019-05-14 Thread Bug Watch Updater
** Changed in: freeipa (Debian)
   Status: Unknown => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1778911

Title:
  freeipa-client hard depends on chrony

Status in ceph package in Ubuntu:
  Invalid
Status in chrony package in Ubuntu:
  Invalid
Status in freeipa package in Ubuntu:
  Fix Released
Status in maas package in Ubuntu:
  Invalid
Status in freeipa package in Debian:
  Fix Released

Bug description:
  That freeipa-client needs accurate time to work is obvious. But there are various ways to go about this:
  1) install a timeserver like chrony or ntp
  2) Not at all, because the system is an lxc client and thus the time is synced externally.

  Currently chrony is installed, and another package requires ntp.
  Furthermore puppet is running on the host and installs chrony on one
  run and in the next run ntp etc etc. And that on a host which requires
  neither.

  There are many ways to solve this problem with various levels of being
  accurate. Please think the problem through in such a way that all
  possible scenarios are covered.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: chrony 3.2-4ubuntu4.1
  ProcVersionSignature: Ubuntu 4.15.0-23.25-generic 4.15.18
  Uname: Linux 4.15.0-23-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.2
  Architecture: amd64
  Date: Wed Jun 27 14:40:03 2018
  SourcePackage: chrony
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1778911/+subscriptions



[Freeipa] [Bug 1769545] Re: DerInput.getLength(): lengthTag=9, too big.

2018-12-19 Thread Bug Watch Updater
Launchpad has imported 13 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=1540924.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.


On 2018-02-01T10:45:32+00:00 gkapoor wrote:

Description of problem:

Setup:

RootCA --> externalCA(cmc) ---> another externalCA (cmc)
(Level1)   (Level2)   (level3)


Level1 -- worked
Level2 -- worked
Level3 -- failure


Refer : https://bugzilla.redhat.com/show_bug.cgi?id=1535797#4

failure reason:
--

[01/Feb/2018:05:32:14][http-bio-29443-exec-3]: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
    at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
    at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
    at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:539)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2785)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2609)
    at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:484)
    at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)

Version-Release number of selected component (if applicable):

10.5

How reproducible:

always

Steps to Reproduce:
1. Setup a RootCA
2. Setup externalCA1 signed using CMC mechanism with RootCA
3. Setup externalCA2 signed using CMC mechanism with ExternalCA

Actual results:

ExternalCA2 install fails

Expected results:

ExternalCA2 install should work without failures.

Additional info:

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/0


On 2018-02-01T10:47:39+00:00 gkapoor wrote:

Created attachment 1389444
debug

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/1


On 2018-02-02T06:24:36+00:00 gkapoor wrote:

This is same in case of non-cmc environment.

Scenario: This is particularly a non cmc scenario.
==

RootCA --signs--> ExternalCA(00) ---signs---> ExternalCA(000)
(level1)  (level2) (level3)
port-20080  port-31080  port-29080


Level2 Installation:


1. Run pkispawn step1 and generate csr.
2. Sign this csr by RootCA
3. 
pki -U http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:20080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr
-
Submitted certificate request
-
  Request ID: 63
  Type: enrollment
  Request Status: pending
  Operation Result: success

4. Approve the csr.
pki -p 20080 -d /root/nssdb_75/ -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 63 --action approve
---
Approved certificate request 63
---
  Request ID: 63
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x34e9448


5. Verify on CA agent page about the certificate 0x34e9448
6. This "0x34e9448" is a signing cert. Get external certificate also.
7. Get external.crt and ca_signing.crt.
8. Change ciphers in server.xml to 

[Freeipa] [Bug 1769545] Re: DerInput.getLength(): lengthTag=9, too big.

2018-05-11 Thread Bug Watch Updater
** Changed in: dogtag-pki (Fedora)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1769545

Title:
  DerInput.getLength(): lengthTag=9, too big.

Status in dogtag-pki package in Ubuntu:
  New
Status in dogtag-pki package in Fedora:
  Confirmed


[Freeipa] [Bug 1769545] Re: DerInput.getLength(): lengthTag=9, too big.

2018-05-09 Thread Bug Watch Updater
** Changed in: dogtag-pki (Fedora)
   Status: Unknown => Confirmed

** Changed in: dogtag-pki (Fedora)
   Importance: Unknown => Undecided

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1769545

Title:
  DerInput.getLength(): lengthTag=9, too big.

Status in dogtag-pki package in Ubuntu:
  New
Status in dogtag-pki package in Fedora:
  Confirmed


[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.

2018-05-03 Thread Bug Watch Updater
** Changed in: tomcat8 (Debian)
   Status: Unknown => New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
  freeipa server install fails -  RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu:
  Invalid
Status in tomcat8 package in Ubuntu:
  In Progress
Status in freeipa source package in Bionic:
  Invalid
Status in tomcat8 source package in Bionic:
  Confirmed
Status in tomcat8 package in Debian:
  New

Bug description:
  [Impact]

  The issue occurs while installing IPA server. More specifically whilst
  configuring pki-tomcatd. The following error is produced.

  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
    [1/28]: configuring certificate server instance
  ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n")
  ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
  ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
    [error] RuntimeError: CA configuration failed.
  ipapython.admintool: ERROR CA configuration failed.
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  The cause for this is that tomcat8 is built with JDK9 and is not
  compatible with instances that have to use JRE8 for other reasons.

  [Test Case]

  Install freeipa-server, run ipa-server-install.

  [Regression Potential]

  The fix is a fairly big patch for tomcat8 to modify the code so that
  it runs with JRE8. It passes the upstream test suite though, when run
  with JRE8 though tomcat itself was built with the default JDK.

  [Other info]

  Patch will be sent upstream too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions



[Freeipa] [Bug 1716842] Re: dogtag-pki needs porting work for tomcat8

2017-09-13 Thread Bug Watch Updater
** Changed in: dogtag-pki (Debian)
   Status: Unknown => New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1716842

Title:
  dogtag-pki needs porting work for tomcat8

Status in dogtag-pki package in Ubuntu:
  New
Status in freeipa package in Ubuntu:
  New
Status in dogtag-pki package in Debian:
  New

Bug description:
  dogtag-pki needs porting work for tomcat8, demoting to proposed for
  now, plus the freeipa dependency.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1716842/+subscriptions



[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-05-24 Thread Bug Watch Updater
** Changed in: kerberos-configs (Debian)
   Status: Unknown => New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  New
Status in kerberos-configs package in Debian:
  New

Bug description:
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS)
  wrt. joining a FreeIPA kerberos server. I am running a server on
  10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on
  https://fedorapeople.org/groups/cockpit/images/), and realmd.service
  fails. Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  
  stracing shows that it tries to access /etc/krb5.conf.d/ which does not
  exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions



[Freeipa] [Bug 1024765] Re: ipa-client-install fails at certutil stage because /etc/pki doesn't exist

2017-01-08 Thread Bug Watch Updater
** Changed in: nss (Debian)
   Status: Fix Released => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1024765

Title:
  ipa-client-install fails at certutil stage because /etc/pki doesn't
  exist

Status in freeipa package in Ubuntu:
  Fix Released
Status in nss package in Ubuntu:
  Fix Released
Status in nss package in Debian:
  Confirmed

Bug description:
  Dear Colleagues,

  ipa-client-install fails at the import stage of the freeipa server
  cert.

  Created /etc/ipa/default.conf
  New SSSD config will be created.
  Configured /etc/sssd/sssd.conf
  Traceback (most recent call last):
    File "/usr/sbin/ipa-client-install", line 1292, in <module>
      sys.exit(main())
    File "/usr/sbin/ipa-client-install", line 1279, in main
      rval = install(options, env, fstore, statestore)
    File "/usr/sbin/ipa-client-install", line 1124, in install
      run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run
      raise CalledProcessError(p.returncode, args)
  subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255

  
  It looks like the patch create_client_dirs.patch needs to be refreshed to:

  1. check if /etc/pki exists
  2. if not, create it

  this is important especially for debian and ubuntu, because /etc/pki
  is/was fedora/rhel specific

  Regards,

  \sh

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1024765/+subscriptions



[Freeipa] [Bug 1449304] Re: ipa-replica-prepare fails due to gnupg-agent missing

2015-05-21 Thread Bug Watch Updater
** Changed in: freeipa (Debian)
   Status: Unknown => New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1449304

Title:
  ipa-replica-prepare fails due to gnupg-agent missing

Status in freeipa package in Ubuntu:
  New
Status in freeipa package in Debian:
  New

Bug description:
  Running ipa-replica-prepare results in an error due to gnupg-agent
  missing:

  # ipa-replica-prepare somehost
  Directory Manager (existing master) password:

  Preparing replica for somehost from someotherhost
  Creating SSL certificate for the Directory Server
  Creating SSL certificate for the dogtag Directory Server
  Saving dogtag Directory Server port
  Creating SSL certificate for the Web Server
  Exporting RA certificate
  Copying additional files
  Finalizing configuration
  Packaging replica information into /var/lib/ipa/replica-info-somehost.gpg
  [Errno 2] No such file or directory

  Installing the gnupg-agent package results in success. Seems like
  freeipa-server should depend on gnupg-agent.

  Package info:

  freeipa-server:
    Installed: 4.0.5-3
    Candidate: 4.0.5-3
    Version table:
   *** 4.0.5-3 0
          500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu/ vivid/universe amd64 Packages
          100 /var/lib/dpkg/status

  Platform info:

  Distributor ID:   Ubuntu
  Description:  Ubuntu 15.04
  Release:  15.04
  Codename: vivid

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1449304/+subscriptions



[Freeipa] [Bug 372405] Re: ldb_module.h and associated files not included in package

2011-08-11 Thread Bug Watch Updater
** Changed in: samba4 (Debian)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/372405

Title:
  ldb_module.h and associated files not included in package

Status in “samba4” package in Ubuntu:
  Fix Released
Status in “samba4” package in Debian:
  Fix Released

Bug description:
  Package libldb-samba4-dev does not include the ldb_module.h header and its
  associated files.
  When compiling against it, errors appear due to the lack of these files.

  System: Ubuntu 9.04 Jaunty
  Package version for libldb-samba4-dev: 4.0.0~alpha6-1ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/372405/+subscriptions
