
Bug 1455561

Summary: ipa-server-install fails to obtain RA certificate from CA (CA_UNREACHABLE)
Product: Fedora
Component: freeipa
Version: 27
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Tomas Krizek <tkrizek>
Assignee: Florence Blanc-Renaud <frenaud>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, awilliam, cheimes, dwmw2, frenaud, ipa-maint, jcholast, jhrozek, kparal, pvoborni, rcritten, rharwood, robatino, slaznick, ssorce, tkrizek
Whiteboard: AcceptedBlocker
Fixed In Version: freeipa-4.6.0-2.fc27
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2017-09-09 04:10:40 UTC
Bug Blocks: 1396702
Attachments: ipa-server-install.log (flags: none)

Description Tomas Krizek 2017-05-25 13:20:10 UTC
Description of problem:
During ipa-server-install, RA certificate can't be obtained from CA and the installation fails with CA_UNREACHABLE error.


Version-Release number of selected component (if applicable):
freeipa-4.5.1-1.fc27


How reproducible:
deterministic


Steps to Reproduce:
1. ipa-server-install


Actual results:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: exporting Dogtag certificate store pin
  [3/29]: stopping certificate server instance to update CS.cfg
  [4/29]: backing up CS.cfg
  [5/29]: disabling nonces
  [6/29]: set up CRL publishing
  [7/29]: enable PKIX certificate path discovery and validation
  [8/29]: starting certificate server instance
  [9/29]: configure certmonger for renewals
  [10/29]: requesting RA certificate from CA
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)


Expected results:
IPA server installs without errors.


Additional info:
$ journalctl -u certmonger
certmonger[26286]: 2017-05-25 14:21:16 [26286] Error 58 connecting to https://vm.example.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.

Comment 1 Tomas Krizek 2017-05-25 15:06:23 UTC
freeipa-4.5.1-1.fc27 hasn't made it into the repos yet, but you can obtain the packages from koji

https://koji.fedoraproject.org/koji/taskinfo?taskID=19724696

Comment 2 Tomas Krizek 2017-05-25 15:10:34 UTC
Created attachment 1282300 [details]
ipa-server-install.log

Comment 3 Tomas Krizek 2017-06-20 13:07:10 UTC
This issue is still present in 4.5.2

Comment 4 Tomas Krizek 2017-06-28 12:59:41 UTC
The installation fails when certmonger requests an RA certificate from the CA. It seems there might be a problem with the certificate:


$ getcert list 

Request ID '20170628101216':
        status: CA_UNREACHABLE
        ca-error: Error 58 connecting to https://vm-169.abc.idm.lab.eng.brq.redhat.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
---snip---


The issue doesn't seem to be in the dogtag component, since IPA installation works with pki-base-10.4.8-2.fc25.noarch on Fedora 25.

Comment 5 Florence Blanc-Renaud 2017-06-28 16:52:12 UTC
The CA helper dogtag-ipa-ca-renew-agent is using libcurl with an NSS db to provide the agent certificate, but in rawhide curl is built against OpenSSL instead of NSS. Because of this, the curl commands using an NSS db will fail:

$ curl -V
curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 OpenSSL/1.1.0f zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.23.1
Release-Date: 2017-06-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL 


In Fedora 26, curl is built against NSS:
curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.29.3 zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.21.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy Metalink PSL
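A small triage helper for the failure described in comments 4 and 5, added here as an example (it is not part of the bug report or of FreeIPA): it reads the TLS backend out of `curl -V`, parses `getcert list`, and flags CA_UNREACHABLE requests whose curl error 58 coincides with a curl that is not built against NSS. The sample strings are constructed from the output quoted in this thread, with the host name replaced by the example one from the description.

```python
import re

# Sample inputs, constructed from the output quoted in this bug report
# (host name replaced with the example one from the description).
CURL_V_F27 = ("curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 OpenSSL/1.1.0f "
              "zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.23.1\n")
CURL_V_F26 = ("curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.29.3 "
              "zlib/1.2.11 libidn2/2.0.2 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.21.1\n")
GETCERT_OUTPUT = """Request ID '20170628101216':
        status: CA_UNREACHABLE
        ca-error: Error 58 connecting to https://vm.example.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
"""

# TLS library tokens curl prints in its version line.
TLS_LIBS = r"(NSS|OpenSSL|LibreSSL|GnuTLS|wolfSSL|mbedTLS)/[\w.]+"

def curl_tls_backend(curl_v_output):
    """Return the TLS library name from the first line of `curl -V`, or None."""
    first_line = curl_v_output.splitlines()[0] if curl_v_output else ""
    match = re.search(r"\b" + TLS_LIBS, first_line)
    return match.group(1) if match else None

def parse_getcert(output):
    """Split `getcert list` output into one dict of fields per request."""
    requests, current = [], None
    for line in output.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def diagnose(curl_v_output, getcert_output):
    """Classify every CA_UNREACHABLE request against the curl TLS backend."""
    # curl error 58 is CURLE_SSL_CERTPROBLEM ("Problem with the local SSL
    # certificate"); seen with a non-NSS curl it means the NSS-db client
    # cert the certmonger CA helper presents cannot be loaded (this bug).
    backend = curl_tls_backend(curl_v_output)
    findings = []
    for request in parse_getcert(getcert_output):
        if request.get("status") != "CA_UNREACHABLE":
            continue
        cert_problem = "Error 58" in request.get("ca-error", "")
        reason = "nssdb-backend-mismatch" if cert_problem and backend != "NSS" else "other"
        findings.append({"request": request["id"], "backend": backend, "reason": reason})
    return findings
```

On a real host, feed it the output of `curl -V` and `getcert list` instead of the embedded samples.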

Comment 8 Petr Vobornik 2017-07-28 16:23:57 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7076

Comment 9 Jan Kurik 2017-08-15 07:39:49 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 10 Tomas Krizek 2017-08-18 09:37:21 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/9c1ab3ca5015317091f40ac8c352823a75849cef

Comment 11 Adam Williamson 2017-08-31 21:00:47 UTC
This is an obvious Fedora 27 Beta blocker, it prevents deployment of a release-blocking server role (domain controller).

Comment 12 Standa Laznicka 2017-09-01 06:16:30 UTC
This is fixed in FreeIPA 4.6. We hope to release it soon.

Comment 13 Adam Williamson 2017-09-01 13:20:39 UTC
Thanks. I've talked to ab about this at Flock, but for the public record: Fedora 27 Beta is very close (it's on an...aggressively accelerated schedule), so I'm slightly leery of landing another major release at this point. Of course, the fact that the current one has basically never worked makes it less of an obvious bad idea. So, just be aware that Beta freeze is at 00:00 on 2017-09-05, and Bodhi is active for F27 at this point. Beta go/no-go meeting is on 2017-09-14, which means we really need to have things working to the Beta requirements (more or less, basic FreeIPA functions should all work without major workarounds) by 2017-09-12 for Beta not to slip, everything has to go through Bodhi at this point, and anything that needs to go stable after 2017-09-05 00:00 (UTC) will need a freeze exception or blocker bug (of course, FreeIPA being clearly broken is always a blocker, but we need to jump through the blocker process hoops - I can assist with that if needed).

Thanks!

Comment 14 Standa Laznicka 2017-09-04 06:40:36 UTC
Adam,

Thanks for pointing out the dates. We eventually managed to release 4.6 last Friday and our guy should be pushing it to Bodhi any time today. This issue is fixed there, FreeIPA should be installable and the installer is running in Python 3. I should hope we did not introduce any new spectacular issues but... It's a new (kind of) major release.

Comment 15 Kamil Páral 2017-09-04 16:39:59 UTC
Discussed during blocker review [1]:

AcceptedBlocker (Beta) - clear violation of "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed..." for the release-blocking 'domain controller' role

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-04/

Comment 16 Fedora Update System 2017-09-05 00:58:53 UTC
freeipa-4.6.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a79e85e4d3

Comment 17 Fedora Update System 2017-09-07 14:29:50 UTC
389-ds-base-1.3.7.3-1.fc27, freeipa-4.6.0-2.fc27, python-pyldap-2.4.37-2.fc27 have been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a79e85e4d3

Comment 18 Fedora Update System 2017-09-09 04:10:40 UTC
389-ds-base-1.3.7.3-1.fc27, freeipa-4.6.0-2.fc27, python-pyldap-2.4.37-2.fc27 have been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.