View Issue Details

ID: 0016818
Project: CentOS-7
Category: ipa
View Status: public
Last Update: 2019-12-11 14:57
Reporter: tobiasv
Priority: normal
Severity: block
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 7.7.1908 (and 8)
Product Version: 7.7-1908
Target Version:
Fixed in Version:
Summary: 0016818: DEBUG The ipa-client-install command failed, exception: ScriptError:
Description: When running ipa-client-install, the installer fails whenever it checks the CA certificate.

I've installed two different instances of the ipa server, one with a dogtag CA, and one CA-less with a certificate I already had - it doesn't seem to make a difference to the ipa-client-install.

All IPs are statically configured, and the only DNS records available are A records for the FQDN of the IPA server and the FQDN of the clients.
Steps To Reproduce:
1. Run ipa-server-install as a ca-less install, or run it with dogtag CA, choose not to set up DNS and proceed with a normal installation - open all the relevant ports in the firewall, or disable the firewall completely.
2. On a different host, place the relevant ca.crt file in /etc/ipa/ca.crt
3. Provide the domain name of the IPA server (matching the DNS A record)
4. Provide the hostname of the IPA server (matching the DNS A record)

Alternatively:

1. Run ipa-server-install as a ca-less install, or run it with dogtag CA, choose not to set up DNS and proceed with a normal installation - open all the relevant ports in the firewall, or disable the firewall completely.
2. Provide the domain name of the IPA server (matching the DNS A record)
3. Provide the hostname of the IPA server (matching the DNS A record)
4. Receive warning about failure of autodiscover and proceed with fixed values
5. Press yes to continue to configure the system with these values
6. Supply the username admin
7. Supply the password used during the server install for the admin user
8. Receive an error about being unable to download CA cert from LDAP and say yes to download it from http

If following the first set of instructions, you will receive the following output:
Skip ipahost: cannot verify if this is an IPA server
Failed to verify that ipahost is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)

If following the second set of instructions, you will receive the following output:
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: Problem with the SSL CA cert (path? access rights?)

Installation failed. Rolling back changes.
Additional Information: While the output is very similar above, when I look in the logfile, I get the following in both: a ScriptError exception, possibly of the type CLIENT_INSTALL_ERROR - attached two text files with stacktraces.

Server:
CentOS 7.7.1908
ipa-server-4.6.5-11.el7.centos.x86_64
ipa-client-4.6.5-11.el7.centos.x86_64
389-ds-base-1.3.9.1-10.el7.x86_64
pki-ca-10.5.16-3.el7.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64
Kernel 5.2.20-1.el7.cp
Client:
CentOS 7.7.1908
ipa-client-4.6.5-11.el7.centos.x86_64
Kernel 5.2.20-1.el7.cp
Tags: No tags attached.
abrt_hash:
URL:

Activities

tobiasv

2019-12-11 10:12

reporter  

withcert (3,329 bytes)
2019-12-11T08:37:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 358, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in validate
    for _nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 633, in _configure
    next(validator)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3668, in main
    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2270, in install_check
    raise ScriptError(rval=CLIENT_INSTALL_ERROR)

2019-12-11T08:37:36Z DEBUG The ipa-client-install command failed, exception: ScriptError: 

withoutcert (3,430 bytes)
2019-12-11T08:51:13Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3670, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2391, in install
    _install(options)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2613, in _install
    raise ScriptError(rval=CLIENT_INSTALL_ERROR)

2019-12-11T08:51:13Z DEBUG The ipa-client-install command failed, exception: ScriptError: 

tobiasv

2019-12-11 13:24

reporter   ~0035823

Reproduced with kernel 3.10.0-1062.1.2.el7.x86_64 on the client.

Supposedly it has nothing to do with the certificate? Even without placing the certificate in /etc/ipa - the second time I run the installer, I get the other output. So the first time I run the installer, it asks for a privileged user - but the second time it doesn't, it just fails. I presume it has stored some sort of Kerberos credentials that it can reuse the second time? Either way I don't get prompted for the credentials again (even after a reboot).
tobiasv

2019-12-11 14:57

reporter   ~0035824

'All IPs are statically configured, and the only DNS records available are A records for the FQDN of the IPA server and the FQDN of the clients.'

This turned out to be the problem - I ran a dryrun on the server and added the missing records to the DNS server and the client now installs. I guess this is resolved for me.
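
An added example, not part of the original issue and not FreeIPA code: a preflight check for the resolution described in the last note, run over zone data before enrolling a client. It assumes the record set FreeIPA documents for a domain without integrated DNS (the issue does not say which records were missing); `example.test`, `EXAMPLE.TEST`, the addresses and the function names are constructed.

```python
# Added example (not FreeIPA code). Record names follow FreeIPA's documented
# system records; which of them were missing in this issue is not stated.
SRV_LABELS = ["_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
              "_kerberos-master._tcp", "_kerberos-master._udp",
              "_kpasswd._tcp", "_kpasswd._udp"]

# Constructed zone data mirroring the report: only A records exist.
A_ONLY_ZONE = """
ipahost.example.test.  3600 IN A 192.0.2.10   ; IPA server
client1.example.test.  3600 IN A 192.0.2.21   ; client
"""

def parse_zone(text):
    """Parse 'name TTL IN TYPE rdata' lines into {(name, TYPE): [rdata fields]}."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # strip comments, tokenize
        if len(fields) < 5:
            continue                                # blank or malformed line
        key = (fields[0].rstrip(".").lower(), fields[3].upper())
        records.setdefault(key, []).append(fields[4:])
    return records

def missing_ipa_records(zone_text, domain, realm):
    """List what client discovery would not find; empty list means complete."""
    rec, findings = parse_zone(zone_text), []
    for label in SRV_LABELS:
        name = "%s.%s" % (label, domain)
        srvs = rec.get((name, "SRV"), [])
        if not srvs:
            findings.append("missing SRV " + name)
        for rdata in srvs:                          # priority weight port target
            target = rdata[-1].rstrip(".").lower()
            if (target, "A") not in rec:
                findings.append("SRV %s points at %s, which has no A record"
                                % (name, target))
    txt = rec.get(("_kerberos." + domain, "TXT"), [])
    if not any(r[0].strip('"') == realm for r in txt):
        findings.append("missing TXT _kerberos.%s \"%s\"" % (domain, realm))
    if ("ipa-ca." + domain, "A") not in rec:
        findings.append("missing A ipa-ca." + domain)
    return findings

if __name__ == "__main__":
    for finding in missing_ipa_records(A_ONLY_ZONE, "example.test", "EXAMPLE.TEST"):
        print(finding)
```

On an IPA server, `ipa dns-update-system-records --dry-run` prints the authoritative record list for that deployment, which is the list to compare the external zone against.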

Issue History

Date Modified Username Field Change
2019-12-11 10:12 tobiasv New Issue
2019-12-11 10:12 tobiasv File Added: withcert
2019-12-11 10:12 tobiasv File Added: withoutcert
2019-12-11 13:24 tobiasv Note Added: 0035823
2019-12-11 14:57 tobiasv Note Added: 0035824