[Freeipa] [Bug 1769631] Re: freeipa-server installation/configuration problem on s390x

2018-05-07 Thread Timo Aaltonen
what do you have in /usr/lib/s390x-linux-gnu/sasl2 ?

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769631

Title:
  freeipa-server installation/configuration problem on s390x

Status in Ubuntu on IBM z Systems:
  New
Status in freeipa package in Ubuntu:
  New

Bug description:
  Problem description for the following already Fix Released bug:
  https://bugzilla.linux.ibm.com/show_bug.cgi?id=166796
  https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1764744

  The package is still failing to configure

  root@fipas1:~# ipa-server-install --allow-zone-overlap

  The log file for this installation can be found in /var/log/ipaserver-install.log
  ==
  This program will set up the FreeIPA Server.

  This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT

  To accept the default shown in brackets, press the Enter key.

  WARNING: conflicting time synchronization service 'ntp' will be disabled
  in favor of chronyd

  Do you want to configure integrated DNS (BIND)? [no]: yes

  Enter the fully qualified domain name of the computer
  on which you're setting up server software. Using the form
  .
  Example: master.example.com.

  
  Server host name [fipas1.rgy.net]: 

  Warning: skipping DNS resolution of host fipas1.rgy.net
  The domain name has been determined based on the host name.

  Please confirm the domain name [rgy.net]:

  The kerberos protocol requires a Realm name to be defined.
  This is typically the domain name converted to uppercase.

  Please provide a realm name [RGY.NET]: 
  Certain directory server operations require an administrative user.
  This user is referred to as the Directory Manager and has full access
  to the Directory for system management tasks and will be added to the
  instance of directory server created for IPA.
  The password must be at least 8 characters long.

  Directory Manager password: 
  Password (confirm): 

  The IPA server requires an administrative user, named 'admin'.
  This user is a regular system account used for IPA server administration.

  IPA admin password: 
  Password (confirm): 

  Checking DNS domain rgy.net., please wait ...
  Do you want to configure DNS forwarders? [yes]: no
  No DNS forwarders configured
  Do you want to search for missing reverse zones? [yes]: no

  The IPA Master Server will be configured with:
  Hostname:   fipas1.rgy.net
  IP address(es): 192.168.122.50
  Domain name:    rgy.net
  Realm name: RGY.NET

  The CA will be configured with:
  Subject DN:   CN=Certificate Authority,O=RGY.NET
  Subject base: O=RGY.NET
  Chaining: self-signed

  BIND DNS server will be configured to serve IPA domain with:
  Forwarders:   No forwarders
  Forward policy:   only
  Reverse zone(s):  No reverse zone

  Continue to configure the system with these values? [no]: yes

  The following operations may take some minutes to complete.
  Please wait until the prompt is returned.

  Synchronizing time
  Using default chrony configuration.
  Time synchronization was successful.
  Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/44]: creating directory server instance
[2/44]: enabling ldapi
[3/44]: configure autobind for root
[4/44]: stopping directory server
[5/44]: updating configuration in dse.ldif
[6/44]: starting directory server
[error] ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
  ipapython.admintool: ERROR    Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  root@fipas1:~# 

  
  I had run an apt update in advance of installing freeipa and after adding the canonical staging repository

  
  root@fipas1:~# apt update
  Hit:1 http://ppa.launchpad.net/canonical-x/x-staging/ubuntu bionic InRelease
  Hit:2 http://ports.ubuntu.com/ubuntu-ports bionic InRelease   
  Hit:3 http://ports.ubuntu.com/ubuntu-ports bionic-updates InRelease
  Hit:4 http://ports.ubuntu.com/ubuntu-ports bionic-backports InRelease
  Hit:5 http://ports.ubuntu.com/ubuntu-ports bionic-security InRelease
  Reading package lists... Done
  Building dependency tree   
  Reading state information... Done
  All packages are up to date.
  root@fipas1:~# 

  
  End of the install log contains

  2018-04-26T14:31:25Z DEBUG args=['/bin/systemctl', 'is-active', 'dirsrv@RGY-NET.service']
  2018-04-26T14:31:25Z DEBUG Process

[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl

2018-05-07 Thread Stan R
Hi guys, I'm getting the same while installing on real hardware.  The
name server refuses to start up with the following error in the logs:

../../../lib/dns-pkcs11/view.c:962: REQUIRE(view->zonetable != ((void *)0)) failed, back trace

Using the server's FQDN.

Installing on Ubuntu 18.04 using ipa-server-install --setup-dns.  Here's the package version info:
freeipa-server | 4.7.0~pre1+git20180411-2ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
bind9 | 1:9.11.3+dfsg-1ubuntu1 | http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
bind9-dyndb-ldap | 11.1-3ubuntu1 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - Configuring the web interface, setting
  up ssl

Status in freeipa package in Ubuntu:
  New

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 1769545] Re: DerInput.getLength(): lengthTag=9, too big.

2018-05-07 Thread Hans Joachim Desserud
** Tags added: bionic

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1769545

Title:
  DerInput.getLength(): lengthTag=9, too big.

Status in dogtag-pki package in Ubuntu:
  New

Bug description:
  When using pkispawn with an external root CA the following error
  occurs.

  2018-05-05 15:00:33 [https-jsse-nio-8443-exec-9] FINE: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  2018-05-05 15:00:33 [https-jsse-nio-8443-exec-9] SEVERE: Configuration failed: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
    at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
    at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
    at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:542)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2754)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2578)
    at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:483)
    at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:170)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:105)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1460)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at
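
What "DerInput.getLength(): lengthTag=9, too big." is telling you, as an added example (my own Python, not Dogtag or JSS code): the DER length rule the reader applies, including the same four-octet limit, plus a small TLV walker that runs it over constructed blobs. The sample bytes, the `classify` helper and the PEM check are constructed here for illustration and are not taken from the report.

```python
from typing import Iterator, Optional

# The JDK and JSS DER readers refuse a long-form length that needs more than
# four octets; a certificate never legitimately needs more.
MAX_LENGTH_OCTETS = 4


class DerError(ValueError):
    """Raised for anything that is not a valid DER encoding."""


def der_length(buf: bytes, pos: int) -> tuple:
    """Decode the length field at buf[pos]; return (length, position after it).

    Short form: a single octet below 0x80 is the length itself.
    Long form: 0x80 | n announces n following big-endian length octets.
    0x80 on its own is BER's indefinite form, which DER forbids.
    """
    if pos >= len(buf):
        raise DerError("truncated input: no length octet")
    first = buf[pos]
    pos += 1
    if first & 0x80 == 0:
        return first, pos
    length_tag = first & 0x7F
    if length_tag == 0:
        raise DerError("indefinite length is not valid DER")
    if length_tag > MAX_LENGTH_OCTETS:
        # The condition behind the bug report: an octet of 0x89 claims nine
        # length octets, which almost always means the bytes are not DER at all.
        raise DerError(f"DerInput.getLength(): lengthTag={length_tag}, too big.")
    if pos + length_tag > len(buf):
        raise DerError("truncated input: length octets missing")
    length = int.from_bytes(buf[pos:pos + length_tag], "big")
    # DER demands the shortest encoding; this check is stricter than the Java readers.
    if length < 0x80 or length < 1 << (8 * (length_tag - 1)):
        raise DerError("non-minimal length encoding is not valid DER")
    return length, pos + length_tag


def der_walk(buf: bytes, pos: int = 0, end: Optional[int] = None,
             depth: int = 0) -> Iterator[tuple]:
    """Yield (depth, tag, length) for each TLV in buf[pos:end], descending into
    constructed elements (bit 0x20 of the tag octet)."""
    end = len(buf) if end is None else end
    while pos < end:
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise DerError("multi-octet tags are outside this example")
        length, pos = der_length(buf, pos + 1)
        if pos + length > end:
            raise DerError("element overruns its container")
        yield depth, tag, length
        if tag & 0x20:
            yield from der_walk(buf, pos, pos + length, depth + 1)
        pos += length


def classify(buf: bytes) -> str:
    """Say whether buf is a DER SEQUENCE (what a certificate must be) or why
    it is not, in the words a DER reader would use."""
    if buf.lstrip().startswith(b"-----BEGIN"):
        return "PEM text, not DER: base64-decode the body first"
    try:
        elements = list(der_walk(buf))
    except DerError as exc:
        return f"bad DER: {exc}"
    if not elements or elements[0][1] != 0x30:
        return "DER, but the outermost element is not a SEQUENCE"
    return f"DER SEQUENCE with {len(elements)} elements"


# Constructed samples, not taken from the bug report.
GOOD = bytes([0x30, 0x07, 0x02, 0x01, 0x01, 0x04, 0x02, 0x61, 0x62])  # SEQUENCE { INTEGER 1, OCTET STRING "ab" }
BAD_LENGTH = bytes([0x30, 0x89]) + b"\x00" * 9  # length octet 0x89 => lengthTag=9
PEM = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD_LENGTH", BAD_LENGTH), ("PEM", PEM)):
        print(f"{name}: {classify(blob)}")
```

Feeding the CA certificate file through `classify` before handing it to pkispawn tells you whether the reader will even get past the first length octet.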

[Freeipa] [Bug 1747411] Re: Change of default database file format to SQL

2018-05-07 Thread ChristianEhrhardt
Corosync is actually a sync for Cosmic, with all Delta dropped:

  * Merge with Debian unstable (LP: #1747411). Remaining changes:

  * Dropped Changes:
- Properly restart corosync and pacemaker together (LP: #1740892)
  d/rules: pass --restart-after-upgrade to dh_installinit.
  (this is default in compat >=10, and the package is 11)
- d/control: indicate this version breaks all older pacemaker, to
  force an upgrade of pacemaker. (Upgrades have gone through Bionic,
  so we can drop this now)
- d/corosync.postinst: if flagged to do so by pacemaker, start
  pacemaker on upgrade. (Can be dropped after Bionic)
- New upstream release 2.4.3 (now in Debian)
- Drop upstreamed patches and refresh others. (now in Debian)

To get a second opinion on that I opened:
https://code.launchpad.net/~paelzer/ubuntu/+source/corosync/+git/corosync/+merge/345184

** Merge proposal linked:
   https://code.launchpad.net/~paelzer/ubuntu/+source/corosync/+git/corosync/+merge/345184

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1747411

Title:
  Change of default database file format to SQL

Status in certmonger package in Ubuntu:
  Fix Released
Status in corosync package in Ubuntu:
  New
Status in dogtag-pki package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Fix Released
Status in libapache2-mod-nss package in Ubuntu:
  Won't Fix
Status in nss package in Ubuntu:
  New

Bug description:
  nss in version 3.35 in upstream changed [2] the default file format [1] (if no explicit one is specified).
  For now we reverted that change in bug 1746947 until all packages depending on it are ready to work with that correctly.

  This bug is here to track when the revert can be dropped.
  Therefore we list all known-to-be-affected packages, and once all are resolved this can be dropped.

  [1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
  [2]: https://github.com/nss-dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1747411/+subscriptions



[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.

2018-05-07 Thread Launchpad Bug Tracker
This bug was fixed in the package tomcat8 - 8.5.30-1ubuntu2

---
tomcat8 (8.5.30-1ubuntu2) cosmic; urgency=medium

  * support-jre8.diff: Fix running tomcat with JRE8. (LP: #1765616)

 -- Timo Aaltonen   Tue, 24 Apr 2018 23:47:45 +0300

** Changed in: tomcat8 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
  freeipa server install fails -  RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu:
  Invalid
Status in tomcat8 package in Ubuntu:
  Fix Released
Status in freeipa source package in Bionic:
  Invalid
Status in tomcat8 source package in Bionic:
  Confirmed
Status in tomcat8 package in Debian:
  New

Bug description:
  [Impact]

  The issue occurs while installing IPA server, more specifically whilst
  configuring pki-tomcatd. The following error is produced.

  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
    [1/28]: configuring certificate server instance
  ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn: ERROR ... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n")
  ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
  ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
    [error] RuntimeError: CA configuration failed.
  ipapython.admintool: ERROR    CA configuration failed.
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  The cause for this is that tomcat8 is built with JDK9 and is not
  compatible with instances that have to use JRE8 for other reasons.

  [Test Case]

  Install freeipa-server, run ipa-server-install.

  [Regression Potential]

  The fix is a fairly big patch for tomcat8 to modify the code so that
  it runs with JRE8. It passes the upstream test suite, though, when run
  with JRE8 even though tomcat itself was built with the default JDK.

  [Other info]

  Patch will be sent upstream too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions



[Freeipa] [Bug 1747411] Re: Change of default database file format to SQL

2018-05-07 Thread ChristianEhrhardt
For corosync the affected components are corosync-qnetd.

I checked and without adaptation on install they would be fine as they
initialize a new DB and nowhere does anyone specify the type. But as
with some other tools, on an upgrade we have to assume that the old DBM
format will be tried to be read as SQL and then fail.

Worth noticing is that Fedora, who started all of this in [1], still
uses DBM as default in their NSS build :-)

corosync 2.4.4-1 of 20th of April made corosync compatible with the nss change.
They prefix all calls with dbm to stay compatible until the upgrade is handled by upstream.
So a merge of this or a later version will address this for corosync.
Afterwards nss can be merged, dropping the change of the default.

[1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
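
The "prefix all calls with dbm" approach above, as an added example (my own Python, not corosync or NSS code): pick an explicit `dbm:` or `sql:` prefix for the NSS configdir from the files already present, so an existing DBM database is never opened as SQL after the compiled-in default flips. The file names are the ones each NSS format writes, per the Fedora change page in [1]; the directory layouts in `demo` are constructed in a temporary directory and contain no real keys.

```python
import os
import tempfile
from typing import Optional

# Marker files of each NSS database layout: the legacy Berkeley DB ("dbm")
# files and the SQLite ("sql") files.
DBM_FILES = ("cert8.db", "key3.db", "secmod.db")
SQL_FILES = ("cert9.db", "key4.db", "pkcs11.txt")


def detect_nss_format(dbdir: str) -> Optional[str]:
    """Return "dbm", "sql" or "both" for an existing database, None if there is none."""
    has_dbm = any(os.path.exists(os.path.join(dbdir, f)) for f in DBM_FILES)
    has_sql = any(os.path.exists(os.path.join(dbdir, f)) for f in SQL_FILES)
    if has_dbm and has_sql:
        return "both"
    if has_dbm:
        return "dbm"
    if has_sql:
        return "sql"
    return None


def nss_config_dir(dbdir: str, default: str = "dbm") -> str:
    """Build the configdir string handed to NSS (NSS_Initialize, certutil -d)
    with an explicit "dbm:" or "sql:" prefix, so the library default never
    decides which format is opened.

    An existing DBM database keeps "dbm:" even after NSS switches its default
    to SQL, which is the upgrade failure the thread anticipates. A fresh
    directory gets the caller's chosen default. A directory holding both
    layouts is refused rather than guessed, because opening the wrong one makes
    the certificates and keys in the other appear to have vanished.
    """
    if default not in ("dbm", "sql"):
        raise ValueError(f"unknown NSS database format: {default}")
    fmt = detect_nss_format(dbdir)
    if fmt == "both":
        raise RuntimeError(f"{dbdir} holds both DBM and SQL databases; migrate explicitly")
    return f"{fmt or default}:{dbdir}"


def _touch(dbdir: str, names) -> None:
    """Create empty marker files; enough for the layout check, no real NSS data."""
    os.makedirs(dbdir, exist_ok=True)
    for name in names:
        open(os.path.join(dbdir, name), "wb").close()


def demo() -> dict:
    """Constructed scenario: a pre-upgrade DBM database, a new SQL database, a
    fresh directory and a mixed one. Returns the prefix chosen for each, and
    whether the ambiguous case was refused."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        legacy = os.path.join(root, "legacy")
        _touch(legacy, DBM_FILES)
        modern = os.path.join(root, "modern")
        _touch(modern, SQL_FILES)
        fresh = os.path.join(root, "fresh")
        os.mkdir(fresh)
        mixed = os.path.join(root, "mixed")
        _touch(mixed, DBM_FILES + SQL_FILES)

        # Simulate an NSS whose default flipped to SQL: legacy must still get dbm:.
        results["legacy"] = nss_config_dir(legacy, default="sql").split(":", 1)[0]
        results["modern"] = nss_config_dir(modern, default="dbm").split(":", 1)[0]
        results["fresh"] = nss_config_dir(fresh, default="sql").split(":", 1)[0]
        try:
            nss_config_dir(mixed)
            results["mixed"] = "accepted"
        except RuntimeError:
            results["mixed"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```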



[Freeipa] [Bug 1769631] Re: freeipa-server installatio/configuration problem for s390x

2018-05-07 Thread Frank Heimes
** Package changed: linux (Ubuntu) => freeipa (Ubuntu)

** Tags added: s390x universe

** Summary changed:

- freeipa-server installatio/configuration problem for s390x
+ freeipa-server installation/configuration problem on s390x

** Also affects: ubuntu-z-systems
   Importance: Undecided
   Status: New

** Changed in: ubuntu-z-systems
   Importance: Undecided => Medium


[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl

2018-05-07 Thread Timo Aaltonen
I mean the dns setup is known to be broken, I don't know why it gets an
empty zone from ldap and reported it upstream, but the next step would be
to debug with gdb and I didn't get anywhere with it yet.



[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl

2018-05-07 Thread keestux
When you said: "yep, that's a known issue" you referred to the non-FQDN. But the above
error is after I corrected that. So, with a FQDN.

BTW, I'm doing the install with --setup-dns. Is that what you do as well?
At the end of the installation the nameserver (bind9-pkcs11) does not start anymore.
