** Description changed:

+ [Impact]
+ 
+ Using RTLD_DEEPBIND in bind9 causes the FreeIPA server install to fail.
+ 
+ This patch, also applied in Fedora, disables use of RTLD_DEEPBIND.
+ 
+ https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
+ 
+ [Test Case]
+ 
+ # uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
+ # uvt-kvm wait cosmic-freeipa
+ # uvt-kvm ssh cosmic-freeipa
+ 
+ Inside vm:
+ 
+ # sudo su
+ # apt purge -y cloud-init
+ # echo "cosmic-freeipa.example.com" >/etc/hostname
+ # sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
+ # echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')  cosmic-freeipa.example.com" >>/etc/hosts
+ # apt update
+ # apt dist-upgrade -y
+ # reboot
+ # apt install -y freeipa-server
+ 
+ * Default Kerberos realm: EXAMPLE.COM
+ * Kerberos servers: cosmic-freeipa.example.com
+ * Administrative server: cosmic-freeipa.example.com
+ 
+ Get the machine's IP address. You'll be using the x.x.x.1 address for the DNS forwarder:
+ # ip addr
+ 
+ # ipa-server-install --allow-zone-overlap
+ 
+ * Do you want to configure integrated DNS (BIND): YES
+ * Server host name: cosmic-freeipa.example.com
+ * Please confirm the domain name: example.com
+ * Please provide a realm name: EXAMPLE.COM
+ * Directory Manager password: (anything)
+ * IPA admin password: (anything)
+ * Do you want to configure DNS forwarders: yes
+ * Do you want to configure these servers as DNS forwarders?: no
+ * Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
+ * Do you want to search for missing reverse zones?: yes
+ 
+ Installation should fail.
+ 
+ 
+ [Regression Potential]
+ 
+ In theory, if another library with the exact same symbol is loaded,
+ bind9 may end up calling the wrong function. This is, however, a
+ potential problem with any program that loads shared libraries.
+ 
+ 
+ [Original Description]
+ 
  Setting up FreeIPA server fails at "Configuring the web interface", step
  12/21
  
  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2
  
  Configuring the web interface (httpd)
-   [1/21]: stopping httpd
-   [2/21]: backing up ssl.conf
-   [3/21]: disabling nss.conf
-   [4/21]: configuring mod_ssl certificate paths
-   [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
-   [6/21]: configuring mod_ssl log directory
-   [7/21]: disabling mod_ssl OCSP
-   [8/21]: adding URL rewriting rules
-   [9/21]: configuring httpd
-   [10/21]: setting up httpd keytab
-   [11/21]: configuring Gssproxy
-   [12/21]: setting up ssl
-   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
+   [1/21]: stopping httpd
+   [2/21]: backing up ssl.conf
+   [3/21]: disabling nss.conf
+   [4/21]: configuring mod_ssl certificate paths
+   [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
+   [6/21]: configuring mod_ssl log directory
+   [7/21]: disabling mod_ssl OCSP
+   [8/21]: adding URL rewriting rules
+   [9/21]: configuring httpd
+   [10/21]: setting up httpd keytab
+   [11/21]: configuring Gssproxy
+   [12/21]: setting up ssl
+   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  
  and in the log there is
  
  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
-   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
-     run_step(full_msg, method)
-   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
-     method()
-   File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
-     passwd_fname=key_passwd_file
-   File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
-     raise RuntimeError("Certificate issuance failed ({})".format(state))
+   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
+     run_step(full_msg, method)
+   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
+     method()
+   File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
+     passwd_fname=key_passwd_file
+   File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
+     raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)
  
  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
