[Freeipa-users] ipa-server-install IndexError: list index out of range

Rob Crittenden rcritten at redhat.com
Tue Feb 12 23:57:53 UTC 2013


Rob Crittenden wrote:
> Chuck Lever wrote:
>>
>> On Feb 12, 2013, at 4:24 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Chuck Lever wrote:
>>>> Hi-
>>>>
>>>> I'm new to FreeIPA.  I'm installing on an up-to-date Fedora 18
>>>> system from the freeipa packages available with Fedora 18.  When
>>>> running ipa-server-install, the install process fails here:
>>>>
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3
>>>> minutes 30 seconds
>>>>    [1/20]: creating certificate server user
>>>>      ...
>>>>    [15/20]: requesting RA certificate from CA
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> IndexError: list index out of range
>>>>
>>>> The tail of the installer log looks like this:
>>>>
>>>> Generating key.  This may take a few moments...
>>>>
>>>>
>>>> 2013-02-12T21:04:46Z INFO   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
>>>> 617, in run_script
>>>>      return_value = main_function()
>>>>
>>>>    File "/sbin/ipa-server-install", line 986, in main
>>>>      dm_password, subject_base=options.subject)
>>>>
>>>>    File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 621, in configure_instance
>>>>      self.start_creation(runtime=210)
>>>>
>>>>    File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 358, in start_creation
>>>>      method()
>>>>
>>>>    File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 1219, in __request_ra_certificate
>>>>      self.requestId = item_node[0].childNodes[0].data
>>>>
>>>> 2013-02-12T21:04:46Z INFO The ipa-server-install command failed,
>>>> exception: IndexError: list index out of range
>>>>
>>>>
>>>> Is there a workaround or fix available?  I haven't found any
>>>> relevant information via a web search, and a few searches on
>>>> bugzilla.redhat.com have come up empty.
>>>>
>>>
>>> We've seen just one other report of this and unfortunately the VM was
>>> removed before we could do a lot of diagnosis. What we saw was that
>>> certutil output garbage when requesting the RA admin certificate. Can
>>> you look in /var/log/ipaserver-install.log for the last certutil
>>> command? Does stdout contain a lot of garbage characters in it? It
>>> should consist of a base64-encoded CSR.
>>
>> 2013-02-12T21:04:29Z DEBUG   [15/20]: requesting RA certificate from CA
>> 2013-02-12T21:04:29Z DEBUG Starting external process
>> 2013-02-12T21:04:29Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias
>> -f XXXXXXXX -R -k
>> rsa -g 2048 -s CN=IPA RA,O=1015GRANGER.NET -z /tmp/tmptIYFZ5 -a
>> 2013-02-12T21:04:33Z DEBUG Process finished, return code=0
>> 2013-02-12T21:04:33Z DEBUG
>> stdout=[non-printable binary output removed]
>>
>> 2013-02-12T21:04:33Z DEBUG stderr=
>>
>>
>>> If so, what version of nss and nss-tools do you have installed?
>>
>>
>> [root at forain ~]# yum info nss nss-tools
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> Name        : nss
>> Arch        : x86_64
>> Version     : 3.14.2
>> Release     : 2.fc18
>> Size        : 2.5 M
>> Repo        : installed
>>  From repo   : updates
>> Summary     : Network Security Services
>> URL         : http://www.mozilla.org/projects/security/pki/nss/
>> License     : MPLv2.0
>> Description : Network Security Services (NSS) is a set of libraries
>> designed to
>>              : support cross-platform development of security-enabled
>> client and
>>              : server applications. Applications built with NSS can
>> support SSL v2
>>              : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
>> S/MIME, X.509
>>              : v3 certificates, and other security standards.
>>
>> Name        : nss-tools
>> Arch        : x86_64
>> Version     : 3.14.2
>> Release     : 2.fc18
>> Size        : 1.7 M
>> Repo        : installed
>>  From repo   : updates
>> Summary     : Tools for the Network Security Services
>> URL         : http://www.mozilla.org/projects/security/pki/nss/
>> License     : MPLv2.0
>> Description : Network Security Services (NSS) is a set of libraries
>> designed to
>>              : support cross-platform development of security-enabled
>> client and
>>              : server applications. Applications built with NSS can
>> support SSL v2
>>              : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
>> S/MIME, X.509
>>              : v3 certificates, and other security standards.
>>              :
>>              : Install the nss-tools package if you need command-line
>> tools to
>>              : manipulate the NSS certificate and key database.
>>
>> Available Packages
>> Name        : nss
>> Arch        : i686
>> Version     : 3.14.2
>> Release     : 2.fc18
>> Size        : 833 k
>> Repo        : updates/18/x86_64
>> Summary     : Network Security Services
>> URL         : http://www.mozilla.org/projects/security/pki/nss/
>> License     : MPLv2.0
>> Description : Network Security Services (NSS) is a set of libraries
>> designed to
>>              : support cross-platform development of security-enabled
>> client and
>>              : server applications. Applications built with NSS can
>> support SSL v2
>>              : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
>> S/MIME, X.509
>>              : v3 certificates, and other security standards.
>>
>> [root at forain ~]#
>>
>> Hope this helps.
>>
>> --
>> Chuck Lever
>> chucklever[at]gmail[dot]com
>>
>>
>>
>
> Ok, easily reproduced with this version of nss. I filed
> https://bugzilla.redhat.com/show_bug.cgi?id=910584
>
> For a workaround you might try to yum downgrade nss. You may need to
> downgrade several other subpackages as well like nss-tools and
> nss-sysinit depending on your install.
>
> I think you can safely upgrade again once the install is complete.

I did some real quick smoke testing and this seems to work. I did:

# yum downgrade nss nss-*
# ipa-server-install ...
# yum update nss

This is with a dogtag CA. I didn't test a selfsign CA.

This was a single install.

Preparing a replica will fail with the error "Certificate issuance 
failed" because of the certutil problem.

rob
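
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA's own code: check that `certutil -a` output really is a base64-encoded CSR before submitting it, and read the CA's XML reply without indexing into an empty node list. The function names, the sample inputs and the `RequestId` tag name used in the test are assumptions made for illustration.

```python
import base64
import binascii
import re
from xml.dom import minidom

PEM_CSR = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----\s*(.*?)\s*"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)

# Constructed samples (not taken from the thread): a minimal DER SEQUENCE
# wrapped as PEM, and NUL-filled binary resembling the bad stdout.
GOOD = ("-----BEGIN NEW CERTIFICATE REQUEST-----\nMAMCAQA=\n"
        "-----END NEW CERTIFICATE REQUEST-----\n")
BAD = b"\x18\x1c\xfb" + b"\x00" * 64


def extract_csr_der(stdout):
    """Return the DER bytes of the CSR in certutil -a output, else ValueError."""
    if isinstance(stdout, bytes):
        try:
            stdout = stdout.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("certutil output is not ASCII; expected base64 CSR")
    match = PEM_CSR.search(stdout)
    if not match:
        raise ValueError("no PEM CERTIFICATE REQUEST block in certutil output")
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("CSR body is not valid base64: %s" % exc)
    # A PKCS#10 request is a DER SEQUENCE, so the first byte must be 0x30.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded CSR is not a DER SEQUENCE")
    return der


def first_text(xml_text, tag):
    """Text of the first <tag> element; ValueError instead of IndexError."""
    nodes = minidom.parseString(xml_text).getElementsByTagName(tag)
    if not nodes or not nodes[0].childNodes:
        raise ValueError("response has no <%s> value" % tag)
    return nodes[0].childNodes[0].data
```

With both checks in place, a corrupted CSR is reported at the certutil step rather than surfacing later as an unexplained `IndexError` while parsing the CA response.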



