[Freeipa] [Bug 1785157] [NEW] external (letsencrypt) certs failing to parse due to pyasn1
Public bug reported:

attempting a clean installation of freeipa-server on bionic using letsencrypt certs passed as arguments fails with an error similar to:

  not in asn1Spec: encoding iso-8859-1>
  The ipa-server-certinstall command failed

I was able to bypass this by downgrading pyasn1 and pyasn1-modules:

  rm -rf /usr/lib/python2.7/dist-packages/pyasn1
  rm -rf /usr/lib/python2.7/dist-packages/pyasn1-0.4.2.egg-info/
  rm -rf /usr/lib/python2.7/dist-packages/pyasn1_modules
  rm -rf /usr/lib/python2.7/dist-packages/pyasn1_modules-0.2.1.egg-info
  apt install python-pip
  pip install pyasn1==0.2.3
  pip install pyasn1-modules==0.0.9

After that, installation is able to proceed with letsencrypt certificates passed in.

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1785157

Title:
  external (letsencrypt) certs failing to parse due to pyasn1

Status in freeipa package in Ubuntu:
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1785157/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

[Freeipa] [Bug 1769485] Re: freeipa install server fails - cannot start apache server with SSL
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu Bionic)
       Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769485

Title:
  freeipa install server fails - cannot start apache server with SSL

Status in freeipa package in Ubuntu:
  In Progress
Status in freeipa source package in Bionic:
  Confirmed

Bug description:
  After having installed the new version of Tomcat 8, compatible with JDK 8 (see https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1765616), I am still stuck with freeipa-server on Ubuntu 18.04.

  The ipa-server-install script fails during step "[19/21]: starting httpd" of HTTP configuration.

  From my investigation, it seems that the problem is that the SSL private key in /var/lib/ipa/private/httpd.key has a passphrase, saved in /var/lib/ipa/-443-RSA. The passphrase is correct (I checked with openssl), but Apache does not find it.

  [Test Case]
  Add repository ppa:freeipa/ppa, install freeipa-server, run ipa-server-install.

  [What expected]
  ipa-server-install terminates without errors.

  [What happens]
  ipa-server-install fails.

[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run
@ahasenack is correct.

@racb, this bug is fixed in the sense that I found the appropriate patches missing from bind9, and the staging version that @tjaalton built and uploaded stops the crashes.

This is the patch applied
https://pagure.io/fedora-bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master

** Changed in: bind9 (Ubuntu)
       Status: Incomplete => Confirmed

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Confirmed
Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface", step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run
> Looks like bind9 is fixed! Install completes with no issues and named-pkcs11 runs without crashing.

Great! Thank you for the report.

I'm not sure this bug was ever clear on exactly what the problem was with bind9, in terms of bind9. And if it is now fixed, I don't know when it was fixed. So I'll mark the bind9 task Incomplete for now. If someone wants to describe the bind9 bug in terms of bind9 itself, and/or describe when it was fixed, we can update the status appropriately.

** Changed in: bind9 (Ubuntu)
       Status: Triaged => Incomplete

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Incomplete
Status in freeipa package in Ubuntu:
  Confirmed