[Freeipa-users] Python IndexError: list index out of range with ipa-server-install --external-cert-file

Gilbert Wilson gil at omnigroup.com
Wed Nov 4 05:35:42 UTC 2015


Apologies ahead of time as this is my first post to the list and interaction with the FreeIPA project. If I should be taking this question to a different forum please point me in the right direction!

The error condition I’m encountering is mentioned a few times on the list, but the threads die off without any conclusions. The most recent mention of it that I could find is here:

https://www.redhat.com/archives/freeipa-users/2015-March/msg00271.html

It also looks like this has shown up as a bug that was fixed here:

https://fedorahosted.org/freeipa/ticket/4397

I’m using a CentOS Linux release 7.1.1503 (Core) system running FreeIPA VERSION: 4.1.0, API_VERSION: 2.112.

The error happens when attempting to finish an ipa-server-install using a cert signed by an external CA:

	ipa-server-install -d --external-cert-file=/path/to/certificate.pem --external-cert-file=/path/to/certificate_authority.pem

The install proceeds as normal, but then when trying to create the RA certificate it errors out with:

ipa         : DEBUG    The ipa-server-install command failed, exception: IndexError: list index out of range
Unexpected error - see /var/log/ipaserver-install.log for details:
IndexError: list index out of range
[root at ipa ~]# ipa         : DEBUG    stderr=
all/cainstance.py", line 520, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
    self.requestId = item_node[0].childNodes[0].data

ipa         : DEBUG    The ipa-server-install command failed, exception: IndexError: list index out of range
Unexpected error - see /var/log/ipaserver-install.log for details:
IndexError: list index out of range

Unlike the bug and thread I linked to above, we are not using a Windows CA. Our CA is based on openssl. Since I’m fairly new to FreeIPA I’m not sure what logs would be most helpful to troubleshoot, but my bumbling about seemed to indicate that the error condition is in the server’s XML-based web API request/response logic. I’m not sure if the error is localized to that part of the system or if there’s some precondition that failed beforehand.

The installation is left in a pretty broken/useless state. If I try to run `ipa-server-install -d --external-cert-file=/path/to/certificate.pem --external-cert-file=/path/to/certificate_authority.pem` again it instructs me that I have to run `ipa-server-install --external-ca` (essentially, start over from scratch). An aside question: is there some way to rerun the setup from where it broke down so that I don’t have to bother our CA admin to sign my CSR each time?

That said, I can reliably produce this error condition and am willing to put in some time to do data collection to track it down, and our CA admin is willing to humor me for a little while! But, where do I start? What information would be most useful to collect?

Thanks!

Gil

Gilbert Wilson
Systems Administrator
The Omni Group
+1 206-523-4152
+1 206-523-5896 (Fax)
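
The traceback line quoted in the message, `item_node[0].childNodes[0].data`, raises IndexError whenever the parsed response has no matching element, which hides whatever the CA actually returned. The following is an added example, not part of the original post and not FreeIPA code, showing that pattern beside a parse that surfaces the response's own diagnostics; the tag names `RequestId`, `Status` and `Error` and the sample responses are assumptions constructed for illustration.

```python
# Added example: not FreeIPA code. Tag names and responses below are constructed.
import xml.dom.minidom
from xml.parsers.expat import ExpatError

OK_RESPONSE = "<XMLResponse><Status>0</Status><RequestId>7</RequestId></XMLResponse>"
FAIL_RESPONSE = ("<XMLResponse><Status>1</Status>"
                 "<Error>constructed error text</Error></XMLResponse>")
EMPTY_ID_RESPONSE = "<XMLResponse><Status>0</Status><RequestId/></XMLResponse>"


class CAResponseError(Exception):
    """The CA response did not contain a usable request id."""


def naive_request_id(xml_text, id_tag="RequestId"):
    """Same indexing pattern as the traceback line: assumes the element exists."""
    doc = xml.dom.minidom.parseString(xml_text)
    item_node = doc.getElementsByTagName(id_tag)
    return item_node[0].childNodes[0].data  # IndexError when the list is empty


def _text(doc, tag):
    """Text of the first non-empty <tag> element, or None."""
    for node in doc.getElementsByTagName(tag):
        text = "".join(c.data for c in node.childNodes
                       if c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE)).strip()
        if text:
            return text
    return None


def extract_request_id(xml_text, id_tag="RequestId", diag_tags=("Status", "Error")):
    """Return the request id, or raise CAResponseError carrying what the CA did send."""
    try:
        doc = xml.dom.minidom.parseString(xml_text)
    except ExpatError as exc:  # e.g. an HTML error page instead of XML
        raise CAResponseError("response is not well-formed XML: %s" % exc)
    request_id = _text(doc, id_tag)
    if request_id is None:
        found = dict((t, _text(doc, t)) for t in diag_tags)
        raise CAResponseError("no <%s> value in response; got %r" % (id_tag, found))
    return request_id


if __name__ == "__main__":
    print(extract_request_id(OK_RESPONSE))
    try:
        extract_request_id(FAIL_RESPONSE)
    except CAResponseError as exc:
        print("install step should stop with:", exc)
```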
