[Freeipa-devel] master is broken on F18

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 15 16:56:27 UTC 2013


Hi!

I was investigating why installing master fails on F18 + updates-testing and found out that the install fails with freeipa-server-3.1.99-0.20130313T1838Zgit158bf45.fc18.x86_64 from the ipa-devel repo:

2013-03-15T16:17:40Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -R -s CN=jano.ipa.team,O=IPA.TEAM -o /var/lib/ipa/ipa-aza7Wg/tmpcertreq -k rsa -g 2048 -z /etc/httpd/alias/noise.txt -f /etc/httpd/alias/pwdfile.txt -a
2013-03-15T16:17:41Z DEBUG Process finished, return code=0
2013-03-15T16:17:41Z DEBUG stdout=
2013-03-15T16:17:41Z DEBUG stderr=

Generating key.  This may take a few moments...


2013-03-15T16:17:41Z DEBUG request 'https://jano.ipa.team:8443/ca/ee/ca/profileSubmitSSLClient'
2013-03-15T16:17:41Z DEBUG request body 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=MIICcDCCAVgCAQAwKzERMA8GA1UEChMISVBBLlRFQU0xFjAUBgNVBAMTDWphbm8u%0D%0AaXBhLnRlYW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOaJLU2s6L%0D%0A5Dxvmmc8fNsYDV760P1zyK69NjcNgx1oeSLY97AgWHdLh6hihAChgHN5ZFI0paQl%0D%0A%2B2J9tED41JnUHrHjBaqivBzUpYNGeyjquGeqk8cB7owGR5Rylu%2FKeaCqR8r3Kzc5%0D%0AUuCyG%2FLjFlD%2FGCqjxuqmjyBfcZxXGz6L72DaB9IZq0uX6Q4rYbK7DzP3va1%2B4UnZ%0D%0AqqgHZwDe73TTjuw9PiKvSvI2ocHCk6ui4YT4qr1YOol7Z18woYIwnukHQygD1iAT%0D%0ApZzHZJ191XD0k5vD3wCaOGJsYGF4q1kPeFewBIB6fMuydWX09kVNgqiWmGcsz83o%0D%0ASQrLQNU72H5VAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAFyT4t5oH894tDfuP%0D%0Abf0dqkDA%2F%2Fk738MI98GyyciRDhFFr18YizBtWNOx8Bl8c28O4J2Y9N%2BkmA%2BzPsKm%0D%0AC1W3Np%2Bh%2BqY5lNgK9XfQU5RXmlqPcqz588mHQgzjxePQP7od4fOVbFV03CCXjb9G%0D%0AtovS6wRrq909IxWSQ%2BNFM4S0OogCClihCy0%2FyDylpn4pYOvJCFl5xfGO3o4vrZC9%0D%0AM5tGhUIeD7H2dvMApRFKu6N7xI%2BmHfYiCKWGl8i2Mo%2FmQRX5zaHAyzrNMgqO2lNm%0D%0AjR%2B8U0HJc%2B8ujeJq9JYCGFDpi3SW93U4E15pBHfwr31UWjtOiqgypBtUlVwdEKFu%0D%0A6QIHIA%3D%3D%0A&cert_request_type=pkcs10&xmlOutput=true'
2013-03-15T16:17:41Z DEBUG NSSConnection init jano.ipa.team
2013-03-15T16:17:41Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 612, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1088, in main
    http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject, auto_redirect=options.ui_redirect)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 101, in create_instance
    self.start_creation(runtime=60)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 359, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 259, in __setup_ssl
    self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 565, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 661, in issue_server_cert
    self.secdir, password, "ipaCert", **params)

  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 236, in https_request
    'https', host, port, url, connection_factory, body)

  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 295, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))

2013-03-15T16:17:41Z INFO The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://jano.ipa.team:8443/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

while installing a build before 4152c36 does not fail.

So, something from the following patches fails:
$ git log --oneline 4152c36^..HEAD
8de6c3f Remove check for alphabetic only characters from domain name validation
c8846ba Improve some error handling in ipa-replica-manage
66356f0 Improve error messages for external group members
c4ab8da Do not force named connections on upgrades
7a2d380 Use tkey-gssapi-keytab in named.conf
ca6f7f2 Update named.conf parser
04a17f0 Enforce exact SID match when adding or modifying a ID range
354a5db Avoid multiple client discovery with fixed server list
452ffa1 Preserve order of servers in ipa-client-install
158bf45 Do not hide idrange-add errors when adding trust
dcc6f13 Use new 389-ds-base cleartext password API
99b62aa Remove implicit Str to DN conversion using *-attr
ade4aae Make sure uninstall script prompts for reboot as last
9005b9b Extend ipa-replica-manage to be able to manage DNA ranges.
63407ed Don't download the schema in ipadiscovery
cf4b521 Remove unneeded python-ldap imports
664248d Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
a024233 Use IPAdmin rather than raw python-ldap in ipa-client-install
91a63cc Remove ipaserver/ipaldap.py
4e6a2a9 Move ipaldap to ipapython
a38d93f Add support for re-enrolling hosts using keytab
91606e6 Change DNA magic value to -1 to make UID 999 usable
8d43235 Perform secondary rid range overlap check for local ranges only
6ff20ca Fix installing server with external CA
9955ba0 Disable schema retrieval and attribute decoding when talking to AD GC.
f423364 Allow disabling attribute decoding in LDAPClient and IPAdmin.
fffd2eb Allow disabling LDAP schema retrieval in LDAPClient and IPAdmin.
4152c36 Do not fail if schema cannot be retrieved from LDAP server.


Please note that it is reproducible -- Adam was able to generate the same exception in his OpenStack-based instance of F18+updates-testing.

-- 
/ Alexander Bokovoy



