[Freeipa] [Bug 1785157] [NEW] external (letsencrypt) certs failing to parse due to pyasn1

2018-08-02 Thread William
Public bug reported:

Attempting a clean installation of freeipa-server on bionic using
letsencrypt certs passed as arguments fails with an error similar to:

 not in asn1Spec:  encoding iso-8859-1>
The ipa-server-certinstall command failed

I was able to bypass this by downgrading pyasn1 and pyasn1-modules:

rm -rf /usr/lib/python2.7/dist-packages/pyasn1
rm -rf /usr/lib/python2.7/dist-packages/pyasn1-0.4.2.egg-info/
rm -rf /usr/lib/python2.7/dist-packages/pyasn1_modules
rm -rf /usr/lib/python2.7/dist-packages/pyasn1_modules-0.2.1.egg-info
apt install python-pip
pip install pyasn1==0.2.3
pip install pyasn1-modules==0.0.9

After that, installation is able to proceed with letsencrypt
certificates passed in.

** Affects: freeipa (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1785157

Title:
  external (letsencrypt) certs failing to parse due to pyasn1

Status in freeipa package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1785157/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 1769485] Re: freeipa install server fails - cannot start apache server with SSL

2018-08-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu Bionic)
   Status: New => Confirmed

https://bugs.launchpad.net/bugs/1769485

Title:
  freeipa install server fails - cannot start apache server with SSL

Status in freeipa package in Ubuntu:
  In Progress
Status in freeipa source package in Bionic:
  Confirmed

Bug description:
  After having installed the new version of Tomcat 8, compatible with
  JDK 8 (see
  https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1765616), I am
  still stuck with freeipa-server on Ubuntu 18.04.

  The ipa-server-install script fails during step "[19/21]: starting
  httpd" of HTTP configuration.  From my investigation, it seems that
  the problem is that the SSL private key in
  /var/lib/ipa/private/httpd.key has a passphrase, saved in
  /var/lib/ipa/-443-RSA. The passphrase is correct (I checked with
  openssl), but Apache does not find it.

  [Test Case]

  Add repository ppa:freeipa/ppa, install freeipa-server, run
  ipa-server-install.

  [What expected]

  ipa-server-install terminates without errors.

  [What happens]

  ipa-server-install fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769485/+subscriptions
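
The check described in bug 1769485 (is the httpd key passphrase-protected, and does the saved passphrase file actually unlock it) can be scripted with openssl. This is an added example, not part of the original report or of FreeIPA; the function names are hypothetical and the key, passphrases and temporary paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: temporary paths only; key and passphrases are constructed.

# Exit 0 if FILE is a passphrase-protected PEM private key
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or traditional "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# usage: key_status KEYFILE PASSFILE
# Prints one of: unencrypted | no-passphrase-file | ok | mismatch
key_status() {
    if ! key_is_encrypted "$1"; then
        echo unencrypted
    elif [ ! -r "$2" ]; then
        echo no-passphrase-file
    # -passin file: takes the first line of PASSFILE, so openssl never prompts.
    elif openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null; then
        echo ok
    else
        echo mismatch
    fi
}

# Build constructed sample material in directory $1.
make_sample() {
    printf 'constructed-passphrase\n' > "$1/pass"
    printf 'some-other-passphrase\n' > "$1/wrong"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/plain.key" 2>/dev/null
    openssl pkey -in "$1/plain.key" -aes256 -passout "file:$1/pass" \
        -out "$1/enc.key"
}

d=$(mktemp -d)
make_sample "$d"
printf 'plain.key, pass    : %s\n' "$(key_status "$d/plain.key" "$d/pass")"
printf 'enc.key,   pass    : %s\n' "$(key_status "$d/enc.key" "$d/pass")"
printf 'enc.key,   wrong   : %s\n' "$(key_status "$d/enc.key" "$d/wrong")"
printf 'enc.key,   missing : %s\n' "$(key_status "$d/enc.key" "$d/missing")"
rm -rf "$d"
```

A result of `ok` here only shows that the key and passphrase file match; it says nothing about whether the web server is configured to read that file.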



[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run

2018-08-02 Thread Gabriel Devenyi
@ahasenack is correct.

@racb, this bug is fixed in the sense that I found the appropriate
patches missing from bind9, and the staging version that @tjaalton built
and uploaded stops the crashes.


This is the patch applied
https://pagure.io/fedora-bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master

** Changed in: bind9 (Ubuntu)
   Status: Incomplete => Confirmed

https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Confirmed
Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions



[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run

2018-08-02 Thread Robie Basak
> Looks like bind9 is fixed! Install completes with no issues and
> named-pkcs11 runs without crashing.

Great! Thank you for the report.

I'm not sure this bug was ever clear on exactly what the problem was
with bind9, in terms of bind9. And if it is now fixed, I don't know when
it was fixed. So I'll mark the bind9 task Incomplete for now. If someone
wants to describe the bind9 bug in terms of bind9 itself, and/or
describe when it was fixed, we can update the status appropriately.

** Changed in: bind9 (Ubuntu)
   Status: Triaged => Incomplete

https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Incomplete
Status in freeipa package in Ubuntu:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions
