We’re trying to set up RHEL7 with the latest updates. Our ipa-server shows ipa-server-4.1.0-18.el7.x86_64.

On 3/11/15, 12:39 PM, "Dmitri Pal" <[email protected]> wrote:

>On 03/11/2015 11:13 AM, Gould, Joshua wrote:
>> We're trying to set up IPA with it acting as an intermediate CA against
>> our test Active Directory environment.
>>
>> The first part goes well:
>>
>> # ipa-server-install -a admin-pass --hostname=server.domain.com -n unix.test.osuwmc -p password -P password -r UNIX.TEST.OSUWMC --external-ca --external-ca-type=mscs
>>
>> We send our CSR off to our AD admin and he signs it and gives us the
>> cert. We go to import the cert with:
>>
>> # ipa-server-install --external-cert-file=/root/ipa.crt
>>
>> It blows up when trying to create the RA cert.
>>
>> 2015-03-10T21:17:55Z DEBUG Process finished, return code=0
>> 2015-03-10T21:17:55Z DEBUG stdout=
>> Certificate request generated by Netscape certutil
>> Phone: (not specified)
>> Common Name: IPA RA
>> Email: (not specified)
>> Organization: UNIX.TEST.OSUWMC
>> State: (not specified)
>> Country: (not specified)
>> 2015-03-10T21:17:55Z DEBUG stderr=
>> Generating key. This may take a few moments...
>> 2015-03-10T21:17:55Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>>     self.requestId = item_node[0].childNodes[0].data
>> IndexError: list index out of range
>> 2015-03-10T21:17:55Z DEBUG [error] IndexError: list index out of range
>> 2015-03-10T21:17:55Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>>     return_value = main_function()
>>   File "/sbin/ipa-server-install", line 1170, in main
>>     ca_signing_algorithm=options.ca_signing_algorithm)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
>>     self.start_creation(runtime=210)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>>     self.requestId = item_node[0].childNodes[0].data
>> 2015-03-10T21:17:55Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range
>>
>> I've looked at the debug log. I believe this is the part that's most
>> helpful.
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup(): ENTERING . . .
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup(): running "CAPresence"
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup(): running "SystemCertsVerification"
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=signing
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=sslserver
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=subsystem
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=audit_signing
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed:auditSigningCert cert-pki-ca
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
>>
>> The selftests.log contradicts itself and I'm not really sure where to
>> look next. Any ideas?
>>
>> Joshua
>>
>Which version is it?
>A similar problem has been seen with the early IPA 3.3 version and was
>related to the format of the cert file returned by AD. AFAIR it contains
>more certs than we expected.
>Something along those lines.
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager IdM portfolio
>Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
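
Added example, not part of the original thread and not FreeIPA or Dogtag code: a small Python triage helper that pulls the CIMC_CERT_VERIFICATION and SELFTESTS_EXECUTION audit records out of a CA debug log like the one quoted above and lists which system certificates failed verification. The sample log is constructed from the quoted lines (unwrapped to one record per line); the function names and the `ca_signing_failed` flag are assumptions made for illustration.

```python
import re

# One audit record as it appears in the CA debug log:
# [AuditEvent=..][SubjectID=..][Outcome=..] and an optional [CertNickName=..].
AUDIT_RE = re.compile(
    r"\[AuditEvent=(?P<event>\w+)\]\[SubjectID=(?P<subject>[^\]]*)\]"
    r"\[Outcome=(?P<outcome>\w+)\](?:\[CertNickName=(?P<nick>[^\]]*)\])?"
)

# Constructed sample: the audit lines from the thread, unwrapped to one per line.
_PREFIX = ("[10/Mar/2015:17:17:24][localhost-startStop-1]: "
           "SignedAuditEventFactory: create() message=")
_CERTS = [
    ("caSigningCert cert-pki-ca", "Failure"),
    ("ocspSigningCert cert-pki-ca", "Failure"),
    ("Server-Cert cert-pki-ca", "Failure"),
    ("subsystemCert cert-pki-ca", "Failure"),
    ("auditSigningCert cert-pki-ca", "Success"),
]
SAMPLE_LOG = "\n".join(
    [_PREFIX + "[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$]"
     "[Outcome=%s][CertNickName=%s] CIMC certificate verification" % (o, n)
     for n, o in _CERTS]
    + [_PREFIX + "[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$]"
       "[Outcome=Failure] self tests execution (see selftests.log for details)"]
)

def parse_audit_events(text):
    """Return every audit record found in the log text as a dict."""
    return [m.groupdict() for m in AUDIT_RE.finditer(text)]

def summarize_self_tests(text):
    """Group system-cert verification results and the overall self-test outcome."""
    summary = {"failed": [], "passed": [], "selftests": None}
    for ev in parse_audit_events(text):
        if ev["event"] == "CIMC_CERT_VERIFICATION" and ev["nick"]:
            key = "passed" if ev["outcome"] == "Success" else "failed"
            if ev["nick"] not in summary[key]:
                summary[key].append(ev["nick"])
        elif ev["event"] == "SELFTESTS_EXECUTION":
            summary["selftests"] = ev["outcome"]  # last startup in the log wins
    # Assumption for triage: a failing caSigningCert is checked first, together
    # with the chain in the file passed to --external-cert-file.
    summary["ca_signing_failed"] = any(
        n.startswith("caSigningCert") for n in summary["failed"])
    return summary

if __name__ == "__main__":
    print(summarize_self_tests(SAMPLE_LOG))
```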
