[Freeipa-users] FreeIPA 3.3.* bug with external-ca?
Rob Crittenden
rcritten at redhat.com
Fri Nov 8 14:18:52 UTC 2013
Andrea Bontempi wrote:
> Hi, I'm trying to install FreeIPA with an external CA (again)
>
> Now I use FreeIPA 3.3.* and I found a strange error on "[17/22]: requesting RA certificate from CA":
>
>> 2013-11-08T11:07:38Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
>> return_value = main_function()
>>
>> File "/usr/sbin/ipa-server-install", line 1096, in main
>> subject_base=options.subject)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
>> self.start_creation(runtime=210)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>> method()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1089, in __request_ra_certificate
>> self.requestId = item_node[0].childNodes[0].data
>>
>> 2013-11-08T11:07:38Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range
>
> So, I open /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py on line 1089:
>
>> # Send the request to the CA
>> conn = httplib.HTTPConnection(
>>     self.fqdn, self.dogtag_constants.UNSECURE_PORT)
>> params = urllib.urlencode({'profileId': 'caServerCert',
>>                            'cert_request_type': 'pkcs10',
>>                            'requestor_name': 'IPA Installer',
>>                            'cert_request': csr,
>>                            'xmlOutput': 'true'})
>> headers = {"Content-type": "application/x-www-form-urlencoded",
>>            "Accept": "text/plain"}
>>
>> conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
>> res = conn.getresponse()
>> if res.status == 200:
>>     data = res.read()
>>     conn.close()
>>     doc = xml.dom.minidom.parseString(data)
>>     item_node = doc.getElementsByTagName("RequestId")
>>     self.requestId = item_node[0].childNodes[0].data  # <-- exception: IndexError: list index out of range
>>     doc.unlink()
>>     self.requestId = self.requestId.strip()
>>     if self.requestId is None:
>>         raise RuntimeError("Unable to determine RA certificate requestId")
>
> I read the value of "data":
>
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <XMLResponse>
>> <Status>1</Status>
>> <Error>Profile caServerCert Not Found</Error>
>> </XMLResponse>
>
> Can someone help me?
I'd check out the CA logs in /var/log/pki/pki-tomcat/ca for more
information.
rob
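
An added example, not part of either message and not FreeIPA's own code: a parser for the profileSubmit reply that reports the CA's `<Error>` text instead of failing with `IndexError` when `<RequestId>` is absent. The names `parse_request_id` and `CAResponseError` are hypothetical, and the success body is a constructed sample whose layout is an assumption.

```python
import xml.dom.minidom

# The error reply quoted in the post above.
ERROR_BODY = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<XMLResponse>
<Status>1</Status>
<Error>Profile caServerCert Not Found</Error>
</XMLResponse>"""

# Constructed sample of a successful reply (layout assumed, not from the page).
OK_BODY = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<XMLResponse><Status>0</Status><RequestId> 7 </RequestId></XMLResponse>"""


class CAResponseError(RuntimeError):
    """Raised when the CA's XML reply carries no usable request id."""


def _text(doc, tag):
    """Return the stripped text of the first <tag> element, or None."""
    nodes = doc.getElementsByTagName(tag)
    if not nodes:
        return None
    text = "".join(n.data for n in nodes[0].childNodes
                   if n.nodeType == n.TEXT_NODE).strip()
    return text or None


def parse_request_id(data):
    """Extract RequestId, surfacing the CA's own error message on failure."""
    doc = xml.dom.minidom.parseString(data)
    try:
        error = _text(doc, "Error")
        status = _text(doc, "Status")
        request_id = _text(doc, "RequestId")
    finally:
        doc.unlink()
    if error is not None:
        raise CAResponseError(
            "CA rejected request (Status=%s): %s" % (status, error))
    if request_id is None:
        raise CAResponseError("Unable to determine RA certificate requestId")
    return request_id
```

In the quoted installer code the `is None` check can never fire: a missing element fails at `item_node[0]` first, and `.strip()` always returns a string.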