Bug 1455561
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | ipa-server-install fails to obtain RA certificate from CA (CA_UNREACHABLE) | | |
| Product | [Fedora] Fedora | Reporter | Tomas Krizek <tkrizek> |
| Component | freeipa | Assignee | Florence Blanc-Renaud <frenaud> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 27 | CC | abokovoy, awilliam, cheimes, dwmw2, frenaud, ipa-maint, jcholast, jhrozek, kparal, pvoborni, rcritten, rharwood, robatino, slaznick, ssorce, tkrizek |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | AcceptedBlocker | | |
| Fixed In Version | freeipa-4.6.0-2.fc27 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-09-09 04:10:40 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1396702 | | |
| Attachments | | | |
Description
Tomas Krizek
2017-05-25 13:20:10 UTC
freeipa-4.5.1-1.fc27 hasn't made it into the repos yet, but you can obtain the packages from koji: https://koji.fedoraproject.org/koji/taskinfo?taskID=19724696

Created attachment 1282300: ipa-server-install.log
This issue is still present in 4.5.2.

The installation fails when certmonger requests an RA certificate from the CA. It seems there might be a problem with the certificate:

```
$ getcert list
Request ID '20170628101216':
        status: CA_UNREACHABLE
        ca-error: Error 58 connecting to https://vm-169.abc.idm.lab.eng.brq.redhat.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
---snip---
```

The issue doesn't seem to be in the dogtag component, since IPA installation with pki-base-10.4.8-2.fc25.noarch works on Fedora 25.

The CA helper dogtag-ipa-ca-renew-agent is using libcurl with an NSS db to provide the agent certificate, but in rawhide curl is built against OpenSSL instead of NSS. Because of this, the curl commands using an NSS db will fail:

```
$ curl -V
curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 OpenSSL/1.1.0f zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.23.1
Release-Date: 2017-06-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL
```

In Fedora 26, curl is built against NSS:

```
curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.29.3 zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.21.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy Metalink PSL
```

Upstream ticket: https://pagure.io/freeipa/issue/7076

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
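A diagnostic for the mismatch analysed in the comments above, written as an added example (not code from FreeIPA, certmonger or this bug report): it reads the TLS backend from the first line of `curl -V` and flags `getcert list` requests that are CA_UNREACHABLE with curl error 58 when that backend is not NSS. The function names are hypothetical; the sample strings are copied from the report, with the curl lines shortened.

```python
import re

# Sample text copied from the bug report (curl lines shortened, getcert output abridged there).
CURL_F27 = "curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 OpenSSL/1.1.0f zlib/1.2.11"
CURL_F26 = "curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.29.3 zlib/1.2.11"
GETCERT = """\
Request ID '20170628101216':
        status: CA_UNREACHABLE
        ca-error: Error 58 connecting to https://vm-169.abc.idm.lab.eng.brq.redhat.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
"""

TLS_BACKENDS = ("OpenSSL", "NSS", "GnuTLS")  # backends recognised by this example


def curl_tls_backend(version_line):
    """Return the TLS library named in the first line of `curl -V`, or None."""
    for token in version_line.split():
        name = token.split("/", 1)[0]
        if name in TLS_BACKENDS:
            return name
    return None


def parse_getcert(text):
    """Parse `getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            current[key.strip()] = value.strip()
    return requests


def diagnose(version_line, getcert_text):
    """List (request_id, backend) pairs that fit the NSS-db-on-non-NSS-curl failure."""
    backend = curl_tls_backend(version_line)
    hits = []
    for req_id, fields in parse_getcert(getcert_text).items():
        err = fields.get("ca-error", "")
        # curl error 58 is CURLE_SSL_CERTPROBLEM: problem with the local client certificate
        unreachable = fields.get("status") == "CA_UNREACHABLE"
        if unreachable and err.startswith("Error 58 ") and backend != "NSS":
            hits.append((req_id, backend))
    return hits
```
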
Fixed upstream master: https://pagure.io/freeipa/c/9c1ab3ca5015317091f40ac8c352823a75849cef

This is an obvious Fedora 27 Beta blocker, it prevents deployment of a release-blocking server role (domain controller).

This is fixed in FreeIPA 4.6. We hope to release it soon.

Thanks. I've talked to ab about this at Flock, but for the public record: Fedora 27 Beta is very close (it's on an...aggressively accelerated schedule), so I'm slightly leery of landing another major release at this point. Of course, the fact that the current one has basically never worked makes it less of an obvious bad idea. So, just be aware that Beta freeze is at 00:00 on 2017-09-05, and Bodhi is active for F27 at this point. Beta go/no-go meeting is on 2017-09-14, which means we really need to have things working to the Beta requirements (more or less, basic FreeIPA functions should all work without major workarounds) by 2017-09-12 for Beta not to slip, everything has to go through Bodhi at this point, and anything that needs to go stable after 2017-09-05 00:00 (UTC) will need a freeze exception or blocker bug (of course, FreeIPA being clearly broken is always a blocker, but we need to jump through the blocker process hoops - I can assist with that if needed). Thanks!

Adam, Thanks for pointing out the dates. We eventually managed to release 4.6 last Friday and our guy should be pushing it to Bodhi any time today. This issue is fixed there, FreeIPA should be installable and the installer is running in Python 3. I should hope we did not introduce any new spectacular issues but... It's a new (kind of) major release.

Discussed during blocker review [1]: AcceptedBlocker (Beta) - clear violation of "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed..." for the release-blocking 'domain controller' role

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-04/

freeipa-4.6.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a79e85e4d3

389-ds-base-1.3.7.3-1.fc27, freeipa-4.6.0-2.fc27, python-pyldap-2.4.37-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a79e85e4d3

389-ds-base-1.3.7.3-1.fc27, freeipa-4.6.0-2.fc27, python-pyldap-2.4.37-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.