[Freeipa-users] Python IndexError: list index out of range with ipa-server-install --external-cert-file

Rob Crittenden rcritten at redhat.com
Wed Nov 4 13:49:49 UTC 2015 

Gilbert Wilson wrote:
> Apologies ahead of time as this is my first post to the list and interaction with the FreeIPA project. If I should be taking this question to a different forum please point me in the right direction!
> 
> The error condition I’m encountering is mentioned a few times on the list, but the threads die off without any conclusions. The most recent mention of it that I could find is here:
> 
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00271.html
> 
> It also looks like this has shown up as a bug that was fixed here:
> 
> https://fedorahosted.org/freeipa/ticket/4397
> 
> I’m using CentOS Linux release 7.1.1503 (Core) system running FreeIPA VERSION: 4.1.0, API_VERSION: 2.112.
> 
> The error happens when attempting to finish an ipa-server-install using a cert signed by an external CA:
> 
> 	ipa-server-install -d --external-cert-file=/path/to/certificate.pem --external-cert-file=/path/to/certificate_authority.pem
> 
> The install proceeds as normal, but then when trying to create the RA certificate it errors out with:
> 
> ipa         : DEBUG    The ipa-server-install command failed, exception: IndexError: list index out of range
> Unexpected error - see /var/log/ipaserver-install.log for details:
> IndexError: list index out of range
> [root at ipa ~]# ipa         : DEBUG    stderr=
> all/cainstance.py", line 520, in configure_instance
>     self.start_creation(runtime=210)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>     self.requestId = item_node[0].childNodes[0].data
> 
> ipa         : DEBUG    The ipa-server-install command failed, exception: IndexError: list index out of range
> Unexpected error - see /var/log/ipaserver-install.log for details:
> IndexError: list index out of range
> 
> Unlike the bug and thread I linked to above we are not using a Windows CA. Our CA is based on openssl. Since I’m fairly new to FreeIPA I’m not sure what logs would be most helpful to troubleshoot, but my bumbling about seemed to indicate that the the error condition is in the server’s xml-based web api request/response logic. I’m not sure if the error is localized to that part of the system or if there’s some precondition that failed beforehand. The installation is left in a pretty broken/useless state. If I try to run `ipa-server-install -d --external-cert-file=/path/to/certificate.pem --external-cert-file=/path/to/certificate_authority.pem` again it instructs me that I have to run `ipa-server-install --external-ca` (essentially, start over from scratch). An aside question: is there some way to rerun the setup from where it broke down so that I don’t have to bother our CA admin to sign my CSR each time? That said, I can reliably produce this error condition and am willing!
  to put in
 some time to do data collection to track it down, and our CA admin is willing to humor me for a little while! But, where do I start? What information would be most useful to collect?

You're seeing a symptom, not the problem. You'd need to look at the
install log referenced above plus the debug log somewhere in
/var/log/pki/pki-ca/

And unfortunately right now you need to start over after a failed install.

rob

rob

More information about the Freeipa-users mailing list