> On Nov 4, 2015, at 5:49 AM, Rob Crittenden wrote:
>
> Gilbert Wilson wrote:
>> Apologies ahead of time as this is my first post to the list and interaction
>> with the FreeIPA project. If I should be taking this question to a different
>> forum please point me in the right direction!
>>
>> The error condition I'm encountering is mentioned a few times on the list,
>> but the threads die off without any conclusions. The most recent mention of
>> it that I could find is here:
>>
>> https://www.redhat.com/archives/freeipa-users/2015-March/msg00271.html
>>
>> It also looks like this has shown up as a bug that was fixed here:
>>
>> https://fedorahosted.org/freeipa/ticket/4397
>>
>> I'm using CentOS Linux release 7.1.1503 (Core) system running FreeIPA
>> VERSION: 4.1.0, API_VERSION: 2.112.
>>
>> The error happens when attempting to finish an ipa-server-install using a
>> cert signed by an external CA:
>>
>> ipa-server-install -d --external-cert-file=/path/to/certificate.pem
>> --external-cert-file=/path/to/certificate_authority.pem
>>
>> The install proceeds as normal, but then when trying to create the RA
>> certificate it errors out with:
>>
>> ipa : DEBUG The ipa-server-install command failed, exception:
>> IndexError: list index out of range
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> IndexError: list index out of range
>> [root@ipa ~]# ipa : DEBUG stderr=
>> all/cainstance.py", line 520, in configure_instance
>>     self.start_creation(runtime=210)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>     run_step(full_msg, method)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>     method()
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>>     self.requestId = item_node[0].childNodes[0].data
>>
>> ipa : DEBUG The ipa-server-install command failed, exception:
>> IndexError: list index out of range
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> IndexError: list index out of range
>>
>> Unlike the bug and thread I linked to above we are not using a Windows CA.
>> Our CA is based on openssl. Since I'm fairly new to FreeIPA I'm not sure what
>> logs would be most helpful to troubleshoot, but my bumbling about seemed to
>> indicate that the error condition is in the server's xml-based web api
>> request/response logic. I'm not sure if the error is localized to that part
>> of the system or if there's some precondition that failed beforehand. The
>> installation is left in a pretty broken/useless state. If I try to run
>> `ipa-server-install -d --external-cert-file=/path/to/certificate.pem
>> --external-cert-file=/path/to/certificate_authority.pem` again it instructs
>> me that I have to run `ipa-server-install --external-ca` (essentially, start
>> over from scratch). An aside question: is there some way to rerun the setup
>> from where it broke down so that I don't have to bother our CA admin to sign
>> my CSR each time? That said, I can reliably produce this error condition and
>> am willing to put in some time to do data collection to track it down, and
>> our CA admin is willing to humor me for a little while! But, where do I
>> start? What information would be most useful to collect?
>
> You're seeing a symptom, not the problem. You'd need to look at the
> install log referenced above plus the debug log somewhere in
> /var/log/pki/pki-ca/
>
> And unfortunately right now you need to start over after a failed install.
Rob,
Thanks for the reply. It turns out that there were a couple things wrong, but
the biggest one was that the certificate I was getting back from our CA had CA
set to false! So yeeeaaahh… *facepalm* once I went on a detour of setting up my
own offline root CA with openssl (a nice learning experience) the installation
worked as expected.
The only thing I can think of on the FreeIPA side that would be helpful is an
additional pre-test that reads the external certificate and immediately errors
out if it finds that basic constraints have been set to CA:false.
Gil
Gilbert Wilson
Systems Administrator
The Omni Group
+1 206-523-4152
+1 206-523-5896 (Fax)
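The pre-flight check suggested above, written as an added example rather than anything from the FreeIPA installer: it parses the external certificate, refuses it when Basic Constraints is absent or CA:FALSE, and also rejects a Key Usage that lacks keyCertSign. It relies on the third-party `cryptography` library, and the self-signed certificates are constructed in-code purely as test fixtures (the names and helper functions are my own).

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def check_external_ca_cert(pem_data: bytes):
    """Return None if the cert can act as a CA, otherwise a reason to reject it."""
    cert = x509.load_pem_x509_certificate(pem_data)
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return "no Basic Constraints extension; a CA certificate must carry CA:TRUE"
    if not bc.ca:
        return "Basic Constraints is CA:FALSE; the CA signed a leaf, not a CA cert"
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.key_cert_sign:
            return "Key Usage is present but lacks keyCertSign"
    except x509.ExtensionNotFound:
        pass  # no Key Usage at all is tolerated here; Basic Constraints decides
    return None


def make_self_signed(is_ca: bool) -> bytes:
    """Constructed fixture: a throwaway self-signed cert with the given CA flag."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed test CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    # Mirrors the thread: a CA:FALSE certificate must be rejected before the
    # installer ever tries to request the RA certificate from it.
    for flag in (True, False):
        verdict = check_external_ca_cert(make_self_signed(flag)) or "accepted"
        print("CA:%s -> %s" % (str(flag).upper(), verdict))
```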
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project