Re: [Freeipa-users] a fix - fedora domain vs rhel domain
On 01/07/2015 04:42 PM, Janelle wrote:
> Indeed you are correct - it was NOT the problem.

Good!

> Double checking the logs -
> showed an old ca.crt file from a previous install (something that should be
> done in the "uninstall" jobs - remove ALL the old folders, including /etc/ipa
> which has old certs, etc.)

The certificate is supposed to be removed during client uninstall, since
FreeIPA 3.2. Upstream ticket: https://fedorahosted.org/freeipa/ticket/3537

If you reproduce the problem with current versions, it is a bug...

> Thanks for the tip to look elsewhere - I made a bad assumption.
> Janelle
>
> On 1/7/15 7:19 AM, Martin Kosek wrote:
>> On 01/07/2015 02:51 PM, Janelle wrote:
>>> Hello fellow IPAers
>>>
>>> I know this has been written about before - the python scripts and
>>> fedora-domain vs rhel-domain on RHEL/CentOS 7. The question is - was there a
>>> permanent fix yet? I continue to run into it during installs and have to
>>> edit python files to get the client install to not error out during the
>>> server install. This is of course with CentOS 7 and IPA 4.1.2.
>>>
>>> Any options/comments?
>>> Thank you
>>> Janelle
>>>
>>> (install snippet)
>>> Done.
>>> Restarting the directory server
>>> Restarting the KDC
>>> Restarting the certificate server
>>> Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
>>> Restarting the web server
>>> Configuration of client side components failed!
>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>>> '--on-master' '--unattended' '--domain' 'another.com' '--server'
>>> 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
>>> returned non-zero exit status 1
>>>
>> Hi Janelle,
>>
>> Yes, this should have been resolved in
>> https://fedorahosted.org/freeipa/ticket/4562
>> CCing Jan.
>>
>> Are you sure it is caused by this problem? Can you add a snippet of the
>> ipaclient-install.log with the actual failures? Your install snippet does not
>> help that much.
>>
>> Can you please also check that you have the right FreeIPA platform file
>> loaded?
>> At least giving us output from this grep should help:
>>
>> $ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py
>>
>> Thanks,
>> Martin
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] a fix - fedora domain vs rhel domain
Here is the snippet with the error:

2015-01-07T14:04:57Z DEBUG Adding CA certificates to the IPA NSS database.
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:57Z DEBUG Process finished, return code=0
2015-01-07T14:04:57Z DEBUG stdout=
2015-01-07T14:04:57Z DEBUG stderr=
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-07T14:04:58Z DEBUG Process finished, return code=1
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
2015-01-07T14:04:58Z ERROR Could not update systemwide CA trust database: Command ''/usr/bin/update-ca-trust'' returned non-zero exit status 1
2015-01-07T14:04:58Z DEBUG Attempting to add CA certificates to the default NSS database.
2015-01-07T14:04:58Z DEBUG Starting external process
2015-01-07T14:04:58Z DEBUG args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:58Z DEBUG Process finished, return code=255
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
2015-01-07T14:04:58Z ERROR Failed to add ANOTHER.COM IPA CA to the default NSS database.
2015-01-07T14:04:58Z WARNING Installation failed. As this is IPA server, changes will not be rolled back.

On 1/7/15 7:19 AM, Martin Kosek wrote:
> On 01/07/2015 02:51 PM, Janelle wrote:
>> Hello fellow IPAers
>>
>> I know this has been written about before - the python scripts and
>> fedora-domain vs rhel-domain on RHEL/CentOS 7. The question is - was there a
>> permanent fix yet? I continue to run into it during installs and have to
>> edit python files to get the client install to not error out during the
>> server install. This is of course with CentOS 7 and IPA 4.1.2.
>>
>> Any options/comments?
>> Thank you
>> Janelle
>>
>> (install snippet)
>> Done.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the certificate server
>> Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
>> Restarting the web server
>> Configuration of client side components failed!
>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>> '--on-master' '--unattended' '--domain' 'another.com' '--server'
>> 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
>> returned non-zero exit status 1
>>
> Hi Janelle,
>
> Yes, this should have been resolved in
> https://fedorahosted.org/freeipa/ticket/4562
> CCing Jan.
>
> Are you sure it is caused by this problem? Can you add a snippet of the
> ipaclient-install.log with the actual failures? Your install snippet does not
> help that much.
>
> Can you please also check that you have the right FreeIPA platform file
> loaded?
> At least giving us output from this grep should help:
>
> $ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py
>
> Thanks,
> Martin
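Added example (not part of the thread and not FreeIPA code): the "actual failures" Martin asks for can be pulled out of ipaclient-install.log by pairing each args= line with its return code and stderr, which is what this sketch does on a constructed, abridged copy of the excerpt above. It assumes multi-line stderr continues on lines without a timestamp; the function names are illustrative.

```python
import re

# Constructed sample, abridged from the log excerpt quoted in the thread.
SAMPLE_LOG = """\
2015-01-07T14:04:57Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:57Z DEBUG Process finished, return code=0
2015-01-07T14:04:57Z DEBUG stdout=
2015-01-07T14:04:57Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-07T14:04:58Z DEBUG Process finished, return code=1
2015-01-07T14:04:58Z DEBUG stderr=p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
2015-01-07T14:04:58Z ERROR Could not update systemwide CA trust database
2015-01-07T14:04:58Z DEBUG args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:58Z DEBUG Process finished, return code=255
2015-01-07T14:04:58Z DEBUG stderr=certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL
2015-01-07T14:04:58Z ERROR Failed to add ANOTHER.COM IPA CA to the default NSS database.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")

def failed_commands(text):
    """Return one dict per external process that exited non-zero."""
    failures, cur, field = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # no timestamp: continuation of a multi-line stdout/stderr (assumption)
            if cur is not None and field:
                cur[field] += "\n" + raw
            continue
        ts, _level, msg = m.groups()
        field = None  # any timestamped line ends a multi-line capture
        if msg.startswith("args="):
            cur = {"time": ts, "args": re.findall(r"'([^']*)'", msg), "rc": None, "stdout": "", "stderr": ""}
        elif cur is not None and msg.startswith("Process finished, return code="):
            cur["rc"] = int(msg.rsplit("=", 1)[1])
            if cur["rc"] != 0:
                failures.append(cur)  # same dict object; stdout/stderr are filled in below
        elif cur is not None and msg.startswith(("stdout=", "stderr=")):
            field = msg[:6]
            cur[field] = msg[7:]
    return failures

def stale_ca_suspected(failures):
    """True when NSS rejected an import with the issuer/serial clash seen in this thread."""
    return any("SEC_ERROR_REUSED_ISSUER_AND_SERIAL" in f["stderr"] for f in failures)

if __name__ == "__main__":
    for f in failed_commands(SAMPLE_LOG):
        print(f["time"], "rc=%d" % f["rc"], " ".join(f["args"]), "|", f["stderr"][:60])
```

On a real host the same function can be fed the contents of ipaclient-install.log; a hit from stale_ca_suspected points at a leftover CA certificate from an earlier install, which is what the thread found.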
Re: [Freeipa-users] a fix - fedora domain vs rhel domain
Indeed you are correct - it was NOT the problem. Double checking the logs -
showed an old ca.crt file from a previous install (something that should be
done in the "uninstall" jobs - remove ALL the old folders, including /etc/ipa
which has old certs, etc.)

Thanks for the tip to look elsewhere - I made a bad assumption.
Janelle

On 1/7/15 7:19 AM, Martin Kosek wrote:
> On 01/07/2015 02:51 PM, Janelle wrote:
>> Hello fellow IPAers
>>
>> I know this has been written about before - the python scripts and
>> fedora-domain vs rhel-domain on RHEL/CentOS 7. The question is - was there a
>> permanent fix yet? I continue to run into it during installs and have to
>> edit python files to get the client install to not error out during the
>> server install. This is of course with CentOS 7 and IPA 4.1.2.
>>
>> Any options/comments?
>> Thank you
>> Janelle
>>
>> (install snippet)
>> Done.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the certificate server
>> Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
>> Restarting the web server
>> Configuration of client side components failed!
>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>> '--on-master' '--unattended' '--domain' 'another.com' '--server'
>> 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
>> returned non-zero exit status 1
>>
> Hi Janelle,
>
> Yes, this should have been resolved in
> https://fedorahosted.org/freeipa/ticket/4562
> CCing Jan.
>
> Are you sure it is caused by this problem? Can you add a snippet of the
> ipaclient-install.log with the actual failures? Your install snippet does not
> help that much.
>
> Can you please also check that you have the right FreeIPA platform file
> loaded?
> At least giving us output from this grep should help:
>
> $ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py
>
> Thanks,
> Martin
Re: [Freeipa-users] a fix - fedora domain vs rhel domain
On 01/07/2015 02:51 PM, Janelle wrote:
> Hello fellow IPAers
>
> I know this has been written about before - the python scripts and
> fedora-domain vs rhel-domain on RHEL/CentOS 7. The question is - was there a
> permanent fix yet? I continue to run into it during installs and have to edit
> python files to get the client install to not error out during the server
> install. This is of course with CentOS 7 and IPA 4.1.2.
>
> Any options/comments?
> Thank you
> Janelle
>
> (install snippet)
> Done.
> Restarting the directory server
> Restarting the KDC
> Restarting the certificate server
> Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
> Restarting the web server
> Configuration of client side components failed!
> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
> '--on-master' '--unattended' '--domain' 'another.com' '--server'
> 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
> returned non-zero exit status 1
>

Hi Janelle,

Yes, this should have been resolved in
https://fedorahosted.org/freeipa/ticket/4562
CCing Jan.

Are you sure it is caused by this problem? Can you add a snippet of the
ipaclient-install.log with the actual failures? Your install snippet does not
help that much.

Can you please also check that you have the right FreeIPA platform file loaded?
At least giving us output from this grep should help:

$ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py

Thanks,
Martin