[Freeipa-users] a fix - fedora domain vs rhel domain

Janelle janellenicole80 at gmail.com
Wed Jan 7 15:52:39 UTC 2015


Here is the snippet with the error:

2015-01-07T14:04:57Z DEBUG Adding CA certificates to the IPA NSS database.
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/certutil' '-d' 
'/etc/ipa/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:57Z DEBUG Process finished, return code=0
2015-01-07T14:04:57Z DEBUG stdout=
2015-01-07T14:04:57Z DEBUG stderr=
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-07T14:04:58Z DEBUG Process finished, return code=1
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=p11-kit: ipa.p11-kit: 
x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or 
unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or 
unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or 
unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or 
unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or 
unrecognizable

2015-01-07T14:04:58Z ERROR Could not update systemwide CA trust 
database: Command ''/usr/bin/update-ca-trust'' returned non-zero exit 
status 1
2015-01-07T14:04:58Z DEBUG Attempting to add CA certificates to the 
default NSS database.
2015-01-07T14:04:58Z DEBUG Starting external process
2015-01-07T14:04:58Z DEBUG args='/usr/bin/certutil' '-d' 
'/etc/pki/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:58Z DEBUG Process finished, return code=255
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=certutil: could not decode 
certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to 
import a cert with the same issuer/serial as an existing cert, but that 
is not the same cert.

2015-01-07T14:04:58Z ERROR Failed to add ANOTHER.COM IPA CA to the 
default NSS database.
2015-01-07T14:04:58Z WARNING Installation failed. As this is IPA server, 
changes will not be rolled back.

On 1/7/15 7:19 AM, Martin Kosek wrote:
> On 01/07/2015 02:51 PM, Janelle wrote:
>> Hello fellow IPAers
>>
>> I know this has been written about before - the python scripts and
>> fedora-domain vs rhel-domain on RHEL/CentOS 7. The question is - was there a
>> permanent fix yet? I continue to run into it during installs and have to edit
>> python files to get the client install to not error out during the server
>> install.  This is of course with CentOS 7 and IPA 4.1.2.
>>
>> Any options/comments?
>> Thank you
>> Janelle
>>
>> --------------------------------
>> (install snippet)
>> Done.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the certificate server
>> Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
>> Restarting the web server
>> Configuration of client side components failed!
>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>> '--on-master' '--unattended' '--domain' 'another.com' '--server'
>> 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
>> returned non-zero exit status 1
>>
> Hi Janelle,
>
> Yes, this should have been resolved in
> https://fedorahosted.org/freeipa/ticket/4562
> CCing Jan.
>
> Are you sure it is caused by this problem? Can you add a snippet of the
> ipaclient-install.log with the actual failures? Your install snippet does not
> help that much.
>
> Can you please also check that you have the right FreeIPA platform file loaded?
> At least giving us output from this grep should help:
>
> $ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py
>
> Thanks,
> Martin
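
Added example, not part of the original post or of FreeIPA's code: a small parser for the log format shown above that pairs each external command with its return code and stderr, so the two failing steps (update-ca-trust, then certutil against /etc/pki/nssdb) stand out. The function names are hypothetical and the sample is abridged from the log in this post.

```python
import re
import shlex

# A record starts with a timestamp and level; any other non-blank line is a
# continuation (mail wrapping or multi-line stderr) of the previous record.
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (DEBUG|INFO|WARNING|ERROR) (.*)$")

def records(text):
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            out.append([m.group(1), m.group(2), m.group(3).strip()])
        elif line.strip() and out:
            out[-1][2] += " " + line.strip()
    return out

def failed_commands(text):
    """Return [(timestamp, argv, return_code, stderr)] for non-zero exits."""
    failures, argv, rc, ts = [], None, None, None
    for when, _level, msg in records(text):
        if msg.startswith("args="):
            argv, rc, ts = shlex.split(msg[len("args="):]), None, when
        elif msg.startswith("Process finished, return code="):
            rc = int(msg.rsplit("=", 1)[1])
        elif msg.startswith("stderr=") and argv is not None and rc not in (None, 0):
            failures.append((ts, argv, rc, msg[len("stderr="):]))
            argv = None
    return failures

# Sample abridged from the log in this post (wrapped lines kept as mailed).
SAMPLE = """\
2015-01-07T14:04:57Z DEBUG args='/usr/bin/certutil' '-d'
'/etc/ipa/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:57Z DEBUG Process finished, return code=0
2015-01-07T14:04:57Z DEBUG stderr=
2015-01-07T14:04:57Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-07T14:04:58Z DEBUG Process finished, return code=1
2015-01-07T14:04:58Z DEBUG stderr=p11-kit: ipa.p11-kit:
x-public-key-info: invalid or unsupported attribute
2015-01-07T14:04:58Z DEBUG args='/usr/bin/certutil' '-d'
'/etc/pki/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:58Z DEBUG Process finished, return code=255
2015-01-07T14:04:58Z DEBUG stderr=certutil: could not decode
certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL
"""

if __name__ == "__main__":
    for ts, argv, rc, err in failed_commands(SAMPLE):
        print(ts, rc, " ".join(argv), "->", err)
```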



