[Freeipa-users] ipa-server-install IndexError: list index out of range

Rob Crittenden rcritten at redhat.com
Tue Feb 12 22:08:43 UTC 2013 

Chuck Lever wrote:
>
> On Feb 12, 2013, at 4:24 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Chuck Lever wrote:
>>> Hi-
>>>
>>> I'm new to FreeIPA.  I'm installing on an up-to-date Fedora 18 system from the freeipa packages available with Fedora 18.  When running ipa-server-install, the install process fails here:
>>>
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>    [1/20]: creating certificate server user
>>>      ...
>>>    [15/20]: requesting RA certificate from CA
>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>> IndexError: list index out of range
>>>
>>> The tail of the installer log looks like this:
>>>
>>> Generating key.  This may take a few moments...
>>>
>>>
>>> 2013-02-12T21:04:46Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 617, in run_script
>>>      return_value = main_function()
>>>
>>>    File "/sbin/ipa-server-install", line 986, in main
>>>      dm_password, subject_base=options.subject)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 621, in configure_instance
>>>      self.start_creation(runtime=210)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 358, in start_creation
>>>      method()
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1219, in __request_ra_certificate
>>>      self.requestId = item_node[0].childNodes[0].data
>>>
>>> 2013-02-12T21:04:46Z INFO The ipa-server-install command failed, exception: IndexError: list index out of range
>>>
>>>
>>> Is there a workaround or fix available?  I haven't found any relevant information via a web search, and a few searches on bugzilla.redhat.com have come up empty.
>>>
>>
>> We've seen just one other report of this and unfortunately the VM was removed before we could do a lot of diagnosis. What we saw was that certutil output garbage when requesting the RA admin certificate. Can you look in /var/log/ipaserver-install.log for the last certutil command? Does stdout contain a lot of garbage characters in it? It should consist of a base64-encoded CSR.
>
> 2013-02-12T21:04:29Z DEBUG   [15/20]: requesting RA certificate from CA
> 2013-02-12T21:04:29Z DEBUG Starting external process
> 2013-02-12T21:04:29Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -R -k
> rsa -g 2048 -s CN=IPA RA,O=1015GRANGER.NET -z /tmp/tmptIYFZ5 -a
> 2013-02-12T21:04:33Z DEBUG Process finished, return code=0
> 2013-02-12T21:04:33Z DEBUG stdout=^X^\<FB>^<^@^@^@^X^\<FB>^<^@^@^@^P-<85>^B^@^@^@^@^P-
> <85>^B^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@@^G <C1>8^?^@^@<C1>^E^@^@^@^@^@^@<98>^W<FB>^<^@^@^@<98>^W<FB>^<^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@<F6><F5><D7><F7>Ƣ<87><C7><CA>^U<CE>^^<F0>6ĸ^L^R|<C0><D6><D3>=^^W^D^N
> <A1>^\=<9F><FE>^@^@^@^@^@^@^@^@q^E^@^@^@^@^@^@<98>^W<FB>^<^@^@^@^P<U+0084>^B^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<B0>^Y<85>^B^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<F0>^A<C2>_<^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<F0>+<C1>_<^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^A
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@<B0>^@^@^@^@^@^@^@<C1>^D^@^@^@^@^@^@<98>^W<FB>^<^@^@^@<F0>*
> <85>^B^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@<80><BD><84>^B^@^@^@^@^@^@^@^@^@^@^@^@^@^A^@^@^@^@^@^@P^@^@^@^@^@^@^@^P^B^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^!
 @^@^@^@^@`
^B^@^@^@^@^@^@^P^B^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> 2013-02-12T21:04:33Z DEBUG stderr=
>
>
>> If so, what version of nss and nss-tools do you have installed?
>
>
> [root at forain ~]# yum info nss nss-tools
> Loaded plugins: langpacks, presto, refresh-packagekit
> Installed Packages
> Name        : nss
> Arch        : x86_64
> Version     : 3.14.2
> Release     : 2.fc18
> Size        : 2.5 M
> Repo        : installed
>  From repo   : updates
> Summary     : Network Security Services
> URL         : http://www.mozilla.org/projects/security/pki/nss/
> License     : MPLv2.0
> Description : Network Security Services (NSS) is a set of libraries designed to
>              : support cross-platform development of security-enabled client and
>              : server applications. Applications built with NSS can support SSL v2
>              : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
>              : v3 certificates, and other security standards.
>
> Name        : nss-tools
> Arch        : x86_64
> Version     : 3.14.2
> Release     : 2.fc18
> Size        : 1.7 M
> Repo        : installed
>  From repo   : updates
> Summary     : Tools for the Network Security Services
> URL         : http://www.mozilla.org/projects/security/pki/nss/
> License     : MPLv2.0
> Description : Network Security Services (NSS) is a set of libraries designed to
>              : support cross-platform development of security-enabled client and
>              : server applications. Applications built with NSS can support SSL v2
>              : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
>              : v3 certificates, and other security standards.
>              :
>              : Install the nss-tools package if you need command-line tools to
>              : manipulate the NSS certificate and key database.
>
> Available Packages
> Name        : nss
> Arch        : i686
> Version     : 3.14.2
> Release     : 2.fc18
> Size        : 833 k
> Repo        : updates/18/x86_64
> Summary     : Network Security Services
> URL         : http://www.mozilla.org/projects/security/pki/nss/
> License     : MPLv2.0
> Description : Network Security Services (NSS) is a set of libraries designed to
>              : support cross-platform development of security-enabled client and
>              : server applications. Applications built with NSS can support SSL v2
>              : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
>              : v3 certificates, and other security standards.
>
> [root at forain ~]#
>
> Hope this helps.
>
> --
> Chuck Lever
> chucklever[at]gmail[dot]com
>
>
>

Ok, easily reproduced with this version of nss. I filed 
https://bugzilla.redhat.com/show_bug.cgi?id=910584

For a workaround you might try to yum downgrade nss. You may need to 
downgrade several other subpackages as well like nss-tools and 
nss-sysinit depending on your install.

I think you can safely upgrade again once the install is complete.

rob

More information about the Freeipa-users mailing list