[Freeipa-users] Python IndexError: list index out of range with ipa-server-install --external-cert-file

Gilbert Wilson gil at omnigroup.com
Thu Nov 19 23:19:41 UTC 2015


> On Nov 4, 2015, at 5:49 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
> Gilbert Wilson wrote:
>> Apologies ahead of time as this is my first post to the list and interaction with the FreeIPA project. If I should be taking this question to a different forum please point me in the right direction!
>> 
>> The error condition I'm encountering is mentioned a few times on the list, but the threads die off without any conclusions. The most recent mention of it that I could find is here:
>> 
>> https://www.redhat.com/archives/freeipa-users/2015-March/msg00271.html
>> 
>> It also looks like this has shown up as a bug that was fixed here:
>> 
>> https://fedorahosted.org/freeipa/ticket/4397
>> 
>> I'm using CentOS Linux release 7.1.1503 (Core) system running FreeIPA VERSION: 4.1.0, API_VERSION: 2.112.
>> 
>> The error happens when attempting to finish an ipa-server-install using a cert signed by an external CA:
>> 
>> 	ipa-server-install -d --external-cert-file=/path/to/certificate.pem --external-cert-file=/path/to/certificate_authority.pem
>> 
>> The install proceeds as normal, but then when trying to create the RA certificate it errors out with:
>> 
>> ipa         : DEBUG    The ipa-server-install command failed, exception: IndexError: list index out of range
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> IndexError: list index out of range
>> [root at ipa ~]# ipa         : DEBUG    stderr=
>> all/cainstance.py", line 520, in configure_instance
>>    self.start_creation(runtime=210)
>> 
>>  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>    run_step(full_msg, method)
>> 
>>  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>    method()
>> 
>>  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>>    self.requestId = item_node[0].childNodes[0].data
>> 
>> ipa         : DEBUG    The ipa-server-install command failed, exception: IndexError: list index out of range
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> IndexError: list index out of range
>> 
>> Unlike the bug and thread I linked to above we are not using a Windows CA. Our CA is based on openssl. Since I'm fairly new to FreeIPA I'm not sure what logs would be most helpful to troubleshoot, but my bumbling about seemed to indicate that the error condition is in the server's xml-based web api request/response logic. I'm not sure if the error is localized to that part of the system or if there's some precondition that failed beforehand. The installation is left in a pretty broken/useless state. If I try to run `ipa-server-install -d --external-cert-file=/path/to/certificate.pem --external-cert-file=/path/to/certificate_authority.pem` again it instructs me that I have to run `ipa-server-install --external-ca` (essentially, start over from scratch). An aside question: is there some way to rerun the setup from where it broke down so that I don't have to bother our CA admin to sign my CSR each time? That said, I can reliably produce this error condition and am willing to put in some time to do data collection to track it down, and our CA admin is willing to humor me for a little while! But, where do I start? What information would be most useful to collect?
> 
> You're seeing a symptom, not the problem. You'd need to look at the
> install log referenced above plus the debug log somewhere in
> /var/log/pki/pki-ca/
> 
> And unfortunately right now you need to start over after a failed install.


Rob,

Thanks for the reply. It turns out that there were a couple of things wrong, but the biggest one was that the certificate I was getting back from our CA had CA set to false! So yeeeaaahh... *facepalm* Once I went on a detour of setting up my own offline root CA with openssl (a nice learning experience) the installation worked as expected.

The only thing I can think of on the FreeIPA side that would be helpful is an additional pre-test that reads the external certificate and immediately errors out if it finds that basic constraints have been set to CA:false.

Gil


Gilbert Wilson
Systems Administrator
The Omni Group
+1 206-523-4152
+1 206-523-5896 (Fax)
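The pre-test Gil asks for above can be done locally before ever running the installer. The script below is an added example, not FreeIPA code and not something from this thread: it inspects the file you would pass as `--external-cert-file` and reports whether its basicConstraints extension says CA:TRUE, which is the condition that was missing in Gil's case and that the installer only trips over much later as an IndexError in `__request_ra_certificate`. It assumes only that the `openssl` command-line tool is installed; the `make_sample_cert` helper builds constructed throwaway certificates so the check can be demonstrated without a real CA.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: a local pre-flight check for the
# certificate handed to `ipa-server-install --external-cert-file`.
# Assumes the OpenSSL command-line tool is available on PATH.
set -u

# is_ca_cert FILE
#   exit status 0 -> basicConstraints says CA:TRUE (usable as the IPA CA cert)
#   exit status 1 -> CA:FALSE, or no basicConstraints extension at all
#   exit status 2 -> FILE is not a parseable PEM certificate
is_ca_cert() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
    # The value sits on the line after the "X509v3 Basic Constraints" header
    # in `-text` output; awk instead of grep -A1 keeps this POSIX-portable.
    printf '%s\n' "$text" \
        | awk '/X509v3 Basic Constraints/ { getline; print }' \
        | grep -q 'CA:TRUE'
}

# describe_cert FILE: human-readable verdict suitable for an install pre-test.
describe_cert() {
    rc=0
    is_ca_cert "$1" || rc=$?
    case $rc in
        0) echo "$1: OK, basicConstraints CA:TRUE" ;;
        1) echo "$1: NOT a CA certificate (CA:FALSE or no basicConstraints); ipa-server-install will fail later" ;;
        *) echo "$1: cannot parse as a PEM certificate" ;;
    esac
}

# make_sample_cert OUT_FILE TRUE|FALSE
#   Constructed sample input (not a real CA): a throwaway self-signed
#   certificate whose basicConstraints is CA:TRUE or CA:FALSE, mimicking what
#   a correctly and an incorrectly configured external CA would hand back.
make_sample_cert() {
    out="$1"; ca="$2"
    cnf=$(mktemp); key=$(mktemp)
    cat >"$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = constructed-sample-$ca
[v3]
basicConstraints = critical, CA:$ca
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" \
        -out "$out" -days 1 -config "$cnf" >/dev/null 2>&1
    rm -f "$cnf" "$key"
}

# Demonstration on the constructed samples: one proper CA cert, one
# end-entity cert of the kind Gil's CA returned by mistake.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/good-ca.pem" TRUE
make_sample_cert "$demo_dir/leaf-by-mistake.pem" FALSE
describe_cert "$demo_dir/good-ca.pem"
describe_cert "$demo_dir/leaf-by-mistake.pem"
rm -rf "$demo_dir"
```

Run `describe_cert /path/to/certificate.pem` against the real file before starting `ipa-server-install`; a CA:FALSE verdict means the CSR was signed with an end-entity profile and needs to be re-issued as a subordinate CA, so it is worth checking before the certificate is installed rather than after the failed install forces a restart from `--external-ca`.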
