[Freeipa-users] FreeIPA 3.3.* bug with external-ca?

Rob Crittenden rcritten at redhat.com
Fri Nov 8 14:18:52 UTC 2013 

Andrea Bontempi wrote:
> Hi, i'm trying to install FreeIPA with external CA (again)
>
> Now i use FreeIPA 3.3.* and i found a strange error on "[17/22]: requesting RA certificate from CA":
>
>> 2013-11-08T11:07:38Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
>>     return_value = main_function()
>>
>>   File "/usr/sbin/ipa-server-install", line 1096, in main
>>     subject_base=options.subject)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
>>     self.start_creation(runtime=210)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>>     method()
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1089, in __request_ra_certificate
>>     self.requestId = item_node[0].childNodes[0].data
>>
>> 2013-11-08T11:07:38Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range
>
> So, i open /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py on the line 1089:
>
>>   # Send the request to the CA
>>   conn = httplib.HTTPConnection(
>>       self.fqdn, self.dogtag_constants.UNSECURE_PORT)
>>   params = urllib.urlencode({'profileId': 'caServerCert',
>>           'cert_request_type': 'pkcs10',
>>           'requestor_name': 'IPA Installer',
>>           'cert_request': csr,
>>           'xmlOutput': 'true'})
>>   headers = {"Content-type": "application/x-www-form-urlencoded",
>>              "Accept": "text/plain"}
>>
>>   conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
>>   res = conn.getresponse()
>>   if res.status == 200:
>>       data = res.read()
>>       conn.close()
>>       doc = xml.dom.minidom.parseString(data)
>>       item_node = doc.getElementsByTagName("RequestId")
>>       self.requestId = item_node[0].childNodes[0].data   <--  exception: IndexError: list index out of range
>>       doc.unlink()
>>       self.requestId = self.requestId.strip()
>>       if self.requestId is None:
>>           raise RuntimeError("Unable to determine RA certificate requestId")
>
> I read the value of "data":
>
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <XMLResponse>
>> <Status>1</Status>
>> <Error>Profile caServerCert Not Found</Error>
>> </XMLResponse>
>
> Can someone help me?

I'd check out the CA logs in /var/log/pki/pki-tomcat/ca for more 
information.

rob

More information about the Freeipa-users mailing list