[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl

2018-05-19 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - Configuring the web interface, setting
  up ssl

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
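
A triage helper for the kind of ipaserver-install.log excerpt quoted in the report above (bug 1769440): it reports which installer step was running, which certmonger states were seen, and the logged error. This is an added example, not part of the original bug report or of FreeIPA; the function names and the sample text are constructed here, and the line patterns are assumed from the excerpt only.

```python
import re

# Constructed sample modelled on the excerpt above, with mail-wrapped lines.
SAMPLE_LOG = """\
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state
dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state
dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance
failed (CA_REJECTED)
"""

# Patterns assumed from the log lines shown in the report.
TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\s")
STEP = re.compile(r"DEBUG\s+\[(\d+)/(\d+)\]: (.+)$")
STATE = re.compile(r"certmonger request is in state\s+dbus\.String\(u?'(\w+)'")
ERROR = re.compile(r"DEBUG\s+\[error\] (\w+): (.+)$")


def unwrap(text):
    """Join continuation lines (no leading timestamp) onto their record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Return the step that was running when the installer logged an error."""
    step, states = None, []
    for rec in unwrap(text):
        if m := STEP.search(rec):
            # A new step starts: remember it and reset the state history.
            step, states = (int(m[1]), int(m[2]), m[3]), []
        elif m := STATE.search(rec):
            states.append(m[1])
        elif m := ERROR.search(rec):
            return {"step": step, "states": states,
                    "error": m[1], "message": m[2]}
    return None  # no [error] record found
```

Calling `triage(SAMPLE_LOG)` returns a dict naming the failing step, the certmonger state sequence, and the exception type and message.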


[Freeipa] [Bug 1772205] Re: freeipa install does not correctly setup krb5-admin-server

2018-05-19 Thread gianluca
Changed affected package.

** Package changed: tomcat8 (Ubuntu) => freeipa (Ubuntu)

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1772205

Title:
  freeipa install does not correctly setup krb5-admin-server

Status in freeipa package in Ubuntu:
  New

Bug description:
  In Ubuntu 18.04, ipa-server-install does not correctly configure
  krb5-admin-server. Therefore, the kadmin server does not start. The
  problem is that the krb5-admin-server service needs the file
  /etc/krb5kdc/kadm5.acl. This file may be empty, but it should exist,
  otherwise the server does not start. However, the krb5-admin-server
  does not contain such a file, nor does the ipa-server-install command
  create it during its execution.

  Note this was different in Ubuntu 16.04, where krb5-admin-server used
  to start even without the ACL file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772205/+subscriptions



[Freeipa] [Bug 1772205] [NEW] freeipa install does not correctly setup krb5-admin-server

2018-05-19 Thread Launchpad Bug Tracker
You have been subscribed to a public bug:

In Ubuntu 18.04, ipa-server-install does not correctly configure
krb5-admin-server. Therefore, the kadmin server does not start. The problem
is that the krb5-admin-server service needs the file
/etc/krb5kdc/kadm5.acl. This file may be empty, but it should exist,
otherwise the server does not start. However, the krb5-admin-server does
not contain such a file, nor does the ipa-server-install command create it
during its execution.

Note this was different in Ubuntu 16.04, where krb5-admin-server used to
start even without the ACL file.

** Affects: freeipa (Ubuntu)
 Importance: Undecided
 Status: New

-- 
freeipa install does not correctly setup krb5-admin-server
https://bugs.launchpad.net/bugs/1772205
You received this bug notification because you are a member of FreeIPA, which 
is subscribed to freeipa in Ubuntu.



[Freeipa] [Bug 1769485] Re: freeipa install server fails - cannot start apache server with SSL

2018-05-19 Thread gianluca
I tried with the Alternate ISO. The problem still occurs, but now I can
change the hostname to my fully qualified domain name with hostnamectl
in a reliable way. Still, ipa-server-install should work with a simple
hostname, since this is the standard for Ubuntu systems.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769485

Title:
  freeipa install server fails - cannot start apache server with SSL

Status in freeipa package in Ubuntu:
  New

Bug description:
  After having installed the new version of Tomcat 8, compatible with
  JDK 8 (see
  https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1765616), I am
  still stuck with freeipa-server on Ubuntu 18.04.

  The ipa-server-install script fails during step "[19/21]: starting
  httpd" of HTTP configuration.  From my investigation, it seems that
  the problem is that the SSL private key in
  /var/lib/ipa/private/httpd.key has a passphrase, saved in
  /var/lib/ipa/-443-RSA. The passphrase is correct (I checked with
  openssl), but Apache does not find it.

  [Test Case]

  Add repository ppa:freeipa/ppa, install freeipa-server, run
  ipa-server-install.

  [What expected]

  ipa-server-install terminates without errors.

  [What happens]

  ipa-server-install fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769485/+subscriptions



[Freeipa] [Bug 1769485] Re: freeipa install server fails - cannot start apache server with SSL

2018-05-19 Thread gianluca
I realized now that "hostnamectl set-hostname" is not deterministic.
Most of the time, the new hostname is lost after reboot; sometimes,
without any apparent reason, it is preserved. The problem is that I
installed Ubuntu 18.04 with the Live image, which has some peculiarities
(see https://ubuntuforums.org/showthread.php?t=2390785). I will
reinstall with the alternate ISO and see what happens.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769485



[Freeipa] [Bug 1769485] Re: freeipa install server fails - cannot start apache server with SSL

2018-05-19 Thread gianluca
I was able to permanently change the host name with "hostnamectl
--set-hostname". Nonetheless, I still think there is a bug here, because the
Ubuntu 18.04 installer only allows me to set an unqualified host name,
while "ipa-server-install" insists on a FQDN, and the two do not
match.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769485
