[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run

2018-10-10 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/356439

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Invalid
Status in bind9 source package in Bionic:
  In Progress

Bug description:
  [Impact]

  Using RTLD_DEEPBIND in bind9 causes the FreeIPA server install to fail.

  This patch, also applied in Fedora and Debian, disables use of RTLD_DEEPBIND.
  https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
  https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b

  [Test Case]

  # uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
  # uvt-kvm wait cosmic-freeipa
  # uvt-kvm ssh cosmic-freeipa

  Inside vm:

  # sudo su
  # apt purge -y cloud-init
  # echo "cosmic-freeipa.example.com" >/etc/hostname
  # sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
  # echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')  cosmic-freeipa.example.com" >>/etc/hosts
  # apt update
  # apt dist-upgrade -y
  # reboot
  # apt install -y freeipa-server

  * Default Kerberos realm: EXAMPLE.COM
  * Kerberos servers: cosmic-freeipa.example.com
  * Administrative server: cosmic-freeipa.example.com

  Get the machine's IP address. You'll be using the x.x.x.1 address for the DNS forwarder.
  # ip addr

  # ipa-server-install --allow-zone-overlap

  * Do you want to configure integrated DNS (BIND): YES
  * Server host name: cosmic-freeipa.example.com
  * Please confirm the domain name: example.com
  * Please provide a realm name: EXAMPLE.COM
  * Directory Manager password: (anything)
  * IPA admin password: (anything)
  * Do you want to configure DNS forwarders: yes
  * Do you want to configure these servers as DNS forwarders?: no
  * Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
  * Do you want to search for missing reverse zones?: yes

  Installation should fail.

  [Regression Potential]

  In theory, if another library with the exact same symbol is loaded,
  bind9 may end up calling the wrong function. This is, however, a
  potential problem with any program that loads shared libraries.

  [Original Description]

  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions
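The install log quoted in the bug shows the pattern a practitioner has to find by hand: the installer step in progress, the certmonger request state transitions, and the exception that finally surfaces. The following is an added example (not FreeIPA code) that parses timestamped `ipaserver-install.log` lines and reports the step at which the certmonger request reached a terminal failure state. `SAMPLE_FAILED` is constructed from the log excerpt in the bug report; `SAMPLE_OK` is a constructed healthy run for contrast, and the set of states treated as terminal failures is an assumption of this example.

```python
"""Triage the certmonger failure quoted in the install log above.

Added example, not FreeIPA code.  It walks timestamped ipaserver-install.log
lines, remembers the current "[n/m]: ..." installer step, records certmonger
request state transitions and reports the step at which a terminal failure
state was reached.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, trimmed from the log excerpt in the bug description.
SAMPLE_FAILED = """\
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
"""

# Constructed healthy counterpart: the request reaches MONITORING and the
# installer moves on to the next step (step name is made up).
SAMPLE_OK = """\
2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
2018-05-05T20:37:39Z DEBUG   [13/21]: constructed next step
"""

# Only timestamped lines carry installer context; traceback frames do not.
LINE_RE = re.compile(r"^(?P<ts>\S+Z) (?P<level>[A-Z]+) (?P<msg>.*)$")
STEP_RE = re.compile(r"^\s*\[(?P<n>\d+)/(?P<m>\d+)\]: (?P<name>.+)$")
CM_STATE_RE = re.compile(r"certmonger request is in state dbus\.String\(u?'(?P<state>[A-Z_]+)'")
ERROR_RE = re.compile(r"^\s*\[error\] (?P<exc>\w+): (?P<text>.+)$")

# Assumption of this example: certmonger states after which the request will
# not progress without operator action.  Only CA_REJECTED appears in the bug.
TERMINAL_FAILURE_STATES = frozenset({"CA_REJECTED", "CA_UNREACHABLE", "CA_UNCONFIGURED"})


@dataclass
class Triage:
    failed_step: Optional[str] = None
    failure_state: Optional[str] = None
    exception: Optional[str] = None
    certmonger_states: List[str] = field(default_factory=list)


def triage_install_log(text: str) -> Triage:
    """Return the installer step, certmonger states and exception found in `text`."""
    result = Triage()
    current_step: Optional[str] = None
    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # continuation line (traceback frame), no timestamp
        msg = line.group("msg")
        step = STEP_RE.match(msg)
        if step:
            current_step = f"[{step['n']}/{step['m']}]: {step['name']}"
            continue
        cm = CM_STATE_RE.search(msg)
        if cm:
            result.certmonger_states.append(cm["state"])
            if cm["state"] in TERMINAL_FAILURE_STATES and result.failure_state is None:
                result.failure_state = cm["state"]
                result.failed_step = current_step
            continue
        err = ERROR_RE.match(msg)
        if err and result.exception is None:
            result.exception = f"{err['exc']}: {err['text']}"
    return result


if __name__ == "__main__":
    for name, sample in (("failed", SAMPLE_FAILED), ("ok", SAMPLE_OK)):
        print(name, triage_install_log(sample))
```

Run against a real `/var/log/ipaserver-install.log` the same function points at the step and terminal certmonger state without scrolling through the whole file; a request that never leaves `CA_REJECTED` is the CA refusing the request, so the next place to look is the CA side (the Dogtag/tomcat logs), not the httpd step that reported the error.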


[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run

2018-10-10 Thread Andreas Hasenack
I'll take care of this for bionic.

** Changed in: bind9 (Ubuntu Bionic)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: bind9 (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: bind9 (Ubuntu Bionic)
   Status: Confirmed => In Progress


[Freeipa] [Bug 1793994] Re: freeipa server upgrade fails trying to switch to authselect

2018-10-10 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.7.1-1

---
freeipa (4.7.1-1) unstable; urgency=medium

  * New upstream release.
    - fix-replicainstall.diff dropped, not applicable anymore
    - ipa-httpd-pwdreader-force-fqdn.diff dropped, obsolete
    - refresh patches
    - server: drop ipa-replica-prepare
  * dont-migrate-to-authselect.diff We don't have authselect, so just
    return true when trying to migrate to it. (LP: #1793994)
  * control: Move client dependency on chrony to recommends. (Closes:
    #909803)
  * control: Build server on any arch again.
  * tests: Don't fail the tests, just dump the log if something goes
    wrong.

 -- Timo Aaltonen   Tue, 09 Oct 2018 10:30:09 +0300

** Changed in: freeipa (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1793994

Title:
  freeipa server upgrade fails trying to switch to authselect

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  On upgrading freeipa using the staging ppa, I encountered the
  following failure:

  traceback:

  2018-09-03T17:46:05Z INFO [Migrating to authselect profile]
  2018-09-03T17:46:05Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
  2018-09-03T17:46:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
  2018-09-03T17:46:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
  2018-09-03T17:46:05Z DEBUG Starting external process
  2018-09-03T17:46:05Z DEBUG args=[None, 'select', 'sssd', '--force']
  2018-09-03T17:46:06Z DEBUG Process execution failed
  2018-09-03T17:46:06Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
  2018-09-03T17:46:06Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 178, in execute
      return_value = self.run()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_upgrade.py", line 52, in run
      server.upgrade()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 2103, in upgrade
      upgrade_configuration()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1982, in upgrade_configuration
      migrate_to_authselect()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1696, in migrate_to_authselect
      tasks.migrate_auth_configuration(statestore)
    File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/tasks.py", line 238, in migrate_auth_configuration
      ipautil.run(authselect_cmd)
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 518, in run
      preexec_fn=preexec_fn)
    File "/usr/lib/python2.7/subprocess.py", line 394, in __init__
      errread, errwrite)
    File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
      raise child_exception

  2018-09-03T17:46:06Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: 'NoneType' object has no attribute 'rfind'
  2018-09-03T17:46:06Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
  AttributeError: 'NoneType' object has no attribute 'rfind'
  2018-09-03T17:46:06Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

  Looking through /usr/lib/python2.7/dist-packages/ipaplatform/debian/tasks.py,
  I note that Debian doesn't use authconfig. Presuming (perhaps wrongly) that
  authselect is similarly inapplicable, I modified def migrate_to_authselect() in
  /usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py to just
  return. With this change, upgrade completed successfully. I'm not sure if this
  is the correct approach.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1793994/+subscriptions
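The traceback above records the root cause exactly: `args=[None, 'select', 'sssd', '--force']`, i.e. the platform module handed a `None` command path straight to `subprocess`, and Python 2 died on `os.path.dirname(None)` with the `'NoneType' object has no attribute 'rfind'` error. The following is an added example (not FreeIPA code) that reproduces that failure shape and shows the guarded version the changelog describes: skip the migration when the platform does not provide the tool, but still fail loudly when a configured path turns out not to be executable. The `authselect_path` parameter and the injectable `run` callable are assumptions of this example; `/bin/sh` is used only as a stand-in for an existing executable.

```python
"""Guarded external-tool invocation for an upgrade step.

Added example, not FreeIPA code.  `unguarded_migrate` has the shape of the
step that crashed (argv[0] comes from the platform module and may be None);
`migrate_auth_configuration` is the defensive form.
"""
import os
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence

# A runner takes an argv and returns the process exit status.  Injectable so
# the logic can be exercised without actually executing authselect.
Runner = Callable[[Sequence[str]], int]


def _run_returncode(argv: Sequence[str]) -> int:
    """Default runner: really execute argv and return its exit status."""
    return subprocess.run(list(argv), check=False).returncode


def authselect_argv(authselect_path: Optional[str]) -> list:
    """The command line from the upgrade log, with argv[0] supplied by the platform."""
    return [authselect_path, "select", "sssd", "--force"]


def unguarded_migrate(authselect_path: Optional[str], run: Runner = _run_returncode) -> int:
    """Original shape of the step: no check that the tool exists on this platform."""
    return run(authselect_argv(authselect_path))


def reproduce_crash() -> str:
    """Call the unguarded step the way Debian/Ubuntu did (path is None) and
    return the exception class name: AttributeError on Python 2 (as in the
    bug), TypeError on Python 3, where os.fsencode(None) fails first."""
    try:
        unguarded_migrate(None)
    except (TypeError, AttributeError) as exc:
        return type(exc).__name__
    return "no error"


@dataclass
class Outcome:
    status: str          # "skipped", "migrated" or "failed"
    reason: str
    argv: List[str] = field(default_factory=list)


def migrate_auth_configuration(authselect_path: Optional[str],
                               run: Runner = _run_returncode) -> Outcome:
    """Guarded form of the step.

    None means the platform has no authselect at all (the Debian/Ubuntu case),
    so the migration is skipped and the upgrade continues, which is what the
    4.7.1-1 changelog describes.  A configured path that is not executable is
    a broken platform definition, so that is reported as a failure rather
    than silently skipped.
    """
    if authselect_path is None:
        return Outcome("skipped", "platform does not provide authselect")
    if not os.path.isabs(authselect_path) or not os.access(authselect_path, os.X_OK):
        return Outcome("failed", f"{authselect_path} is not an executable path")
    argv = authselect_argv(authselect_path)
    rc = run(argv)
    if rc == 0:
        return Outcome("migrated", "authselect profile selected", argv)
    return Outcome("failed", f"authselect exited with status {rc}", argv)


if __name__ == "__main__":
    print("unguarded with None path raises:", reproduce_crash())
    print(migrate_auth_configuration(None))
    # Stand-in for a platform that ships the tool; the fake runner does not execute it.
    print(migrate_auth_configuration("/bin/sh", run=lambda argv: 0))
    print(migrate_auth_configuration("/nonexistent/authselect", run=lambda argv: 0))
```

The distinction between "skipped" and "failed" matters for an identity server upgrade: a step that returns early because the platform genuinely lacks the tool is the documented fix, while a step that cannot run a tool the platform claims to have should stop the upgrade rather than leave the authentication stack half-migrated.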

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp