[Freeipa-users] Bug in ipa-server-install

Rob Crittenden rcritten at redhat.com
Fri Sep 17 18:27:59 UTC 2010


Marc Schlinger wrote:
> Hello all,
>
> I have just spotted a bug during the ipa server installation process
>
> While configuring the CA server the installation crashes if the
> DirectoryManager password contains a parenthesis "("
>
> The version I tried to install is
> ipa-server-1.9.0GITe42d3bc-0.ufo2.i686.rpm
>
>
> This is the command which failed with:
> -bash: syntax error near unexpected token `('
>
> java -cp
> /usr/share/java/silent.jar:/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/pki/certsrv.jar:/usr/share/java/pki/cmscore.jar:/usr/share/java/pki/nsutil.jar:/usr/share/java/pki/cmsutil.jar:/usr/share/java/pkitools.jar:/usr/share/java/cstools.jar:/usr/share/java/pki/cstools.jar:/usr/share/pki/classes:/usr/share/java/xml-commons-resolver.jar:/usr/share/java/xerces-j2.jar:/usr/lib/java/osutil.jar:
> ConfigureCA -cs_hostname ipa-server.beta.agorabox.org -cs_port 9445
> -client_certdb_dir /tmp/tmp-PNQa1v -client_certdb_pwd XXXXXXX -preop_pin
> MCOs0y2x2uBprJLhxDe7 -domain_name IPA -admin_user admin -admin_email
> root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
> -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
> "CN=ipa-ca-agent,O=IPA" -ldap_host ipa-server.beta.agorabox.org
> -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA"
> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA"
> -ca_server_cert_subject_name "CN=ipa-server.beta.agorabox.org,O=IPA"
> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA"
> -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external
> false -clone false
>
> Shouldn't the passwords be quoted?
>
> Thanks for all,
>
>
>
> Marc Schlinger
>
>
> # Installation output
>
> Directory Manager password:
> Password (confirm):
>
> The IPA server requires an administrative user, named 'admin'.
> This user is a regular system account used for IPA server administration.
>
> IPA admin password:
> Password (confirm):
>
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring directory server for the CA:
> [1/4]: creating directory server user
> [2/4]: creating directory server instance
> [3/4]: configuring directory to start on boot
> [4/4]: restarting directory server
> done configuring pkids.
> Configuring certificate server:
> [1/15]: creating certificate server user
> [2/15]: restarting certificate server
> [3/15]: configuring certificate server instance
> root : CRITICAL failed to restart ca instance Command '/usr/bin/perl
> /usr/bin/pkisilent ConfigureCA -cs_hostname ipa-server.beta.agorabox.org
> -cs_port 9445 -client_certdb_dir /tmp/tmp-PNQa1v -client_certdb_pwd
> XXXXXXXX -preop_pin MCOs0y2x2uBprJLhxDe7 -domain_name IPA -admin_user
> admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host
> ipa-server.beta.agorabox.org -ldap_port 7389 -bind_dn "cn=Directory
> Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
> -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA"
> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA"
> -ca_server_cert_subject_name "CN=ipa-server.beta.agorabox.org,O=IPA"
> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA"
> -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external
> false -clone false' returned non-zero exit status 255
> [4/15]: restarting certificate server
> [5/15]: creating CA agent PKCS#12 file in /root
> Unexpected error - see ipaserver-install.log for details:
> Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d
> /tmp/tmp-PNQa1v -k /tmp/tmpCuiRb3 -w /tmp/tmpCuiRb3' returned non-zero
> exit status 24

Yes, I guess it wouldn't hurt to quote the passwords. We call exec() so 
we avoid bash but it gets invoked later down the line by pkisilent so it 
gets interpreted. I'll open a ticket in our trac instance for this.

rob
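
The failure mode discussed in this thread, as an added example that is not code from FreeIPA or pkisilent: an argument list passed by exec() is safe until a later stage re-joins it into a string and hands it to a shell. The `rebuild_*` helpers are hypothetical stand-ins for that later stage, `printf` stands in for the real tool, and the password is a constructed value.

```python
import shlex
import subprocess

# Constructed sample value: any password containing "(" reproduces the failure.
PASSWORD = "s3cret(pw"
# printf stands in for the real tool; "[%s]" brackets each argument it receives.
ARGV = ["printf", "[%s]", "-bind_password", PASSWORD]


def run_direct(argv):
    """exec()-style call: argv reaches the program untouched, no shell involved."""
    p = subprocess.run(argv, capture_output=True, text=True)
    return p.returncode, p.stdout


def rebuild_unquoted(argv):
    """Hypothetical wrapper behaviour: re-join argv into one shell command line."""
    return " ".join(argv)


def rebuild_quoted(argv):
    """Same wrapper, but every argument is quoted before it is re-joined."""
    return " ".join(shlex.quote(a) for a in argv)


def run_via_shell(cmdline):
    """What happens when a later stage hands the rebuilt string to a shell."""
    p = subprocess.run(["/bin/sh", "-c", cmdline], capture_output=True, text=True)
    return p.returncode, p.stdout


if __name__ == "__main__":
    print("direct exec :", run_direct(ARGV))
    print("unquoted sh :", run_via_shell(rebuild_unquoted(ARGV)))
    print("quoted sh   :", run_via_shell(rebuild_quoted(ARGV)))
```

The unquoted run exits non-zero with a shell syntax error before the tool ever starts, while the direct and quoted runs deliver the password as a single intact argument.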



