ipa-client-install fails at certutil stage because /etc/pki doesn't exist

Bug #1024765 reported by Stephan Rügamer
This bug affects 3 people
Affects           Status        Importance  Assigned to     Milestone
freeipa (Ubuntu)  Fix Released  Undecided   Timo Aaltonen
nss (Debian)      Confirmed     Unknown
nss (Ubuntu)      Fix Released  High        Timo Aaltonen

Bug Description

Dear Colleagues,

ipa-client-install fails at the import stage of the freeipa server cert.

Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1292, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1279, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1124, in install
    run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
  File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run
    raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255

It looks like the patch create_client_dirs.patch needs to be refreshed to:

1. check if /etc/pki exists
2. if not, create it

This is important especially for Debian and Ubuntu, because /etc/pki is/was Fedora/RHEL specific.

Regards,

\sh
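The traceback above shows why the import fails: certutil -A only adds a certificate to an existing NSS database and does not create the directory or the database files, so a missing /etc/pki/nssdb makes it exit 255. The following pre-flight script is an added example for this page, not code from the bug report, the freeipa packaging or the nss package: it creates the directory, initializes an empty database with certutil -N (the step the nss package was later changed to do at build time), and then performs the same CT,C,C import and verifies the nickname is listed. The database path, nickname and certificate path are parameters; the --empty-password flag assumes a certutil that supports it, and the function returns 2 instead of failing if certutil is not installed.

```shell
#!/bin/sh
# Added example (not from the bug report or the freeipa/nss packages):
# pre-flight for the certutil import performed by ipa-client-install.
# certutil -A cannot create the database directory itself; when the
# directory is missing it exits 255, which is the failure in the report.

# Create the NSS db directory and, if no database files exist yet,
# initialize an empty database with certutil -N.
# Returns 0 when the db is ready, 2 when certutil is unavailable
# (directory created, database not initialized).
ensure_nssdb() {
    db="$1"
    if [ ! -d "$db" ]; then
        mkdir -p -m 0755 "$db"
        echo "created $db"
    fi
    # certutil -N writes cert8.db/key3.db (dbm) or cert9.db/key4.db (sql).
    if ! ls "$db"/cert*.db >/dev/null 2>&1; then
        if command -v certutil >/dev/null 2>&1; then
            # --empty-password: assumption that this certutil supports it;
            # older builds need -f with a password file instead.
            certutil -N -d "$db" --empty-password
            echo "initialized empty NSS database in $db"
        else
            echo "certutil not found; $db created but database not initialized" >&2
            return 2
        fi
    fi
    return 0
}

# Import a CA certificate with trust flags CT,C,C (the same certutil -A
# call ipa-client-install makes) and verify it is listed afterwards.
import_ca() {
    db="$1"; nick="$2"; certfile="$3"
    certutil -A -d "$db" -n "$nick" -t "CT,C,C" -a -i "$certfile"
    certutil -L -d "$db" -n "$nick" >/dev/null
}

# Usage on an affected client, as root, before re-running ipa-client-install:
#   ensure_nssdb /etc/pki/nssdb && import_ca /etc/pki/nssdb "IPA CA" /etc/ipa/ca.crt
```

Running ensure_nssdb first makes the later import idempotent: if the directory and database already exist nothing is touched, and certutil -L at the end of import_ca fails loudly if the certificate did not land under the expected nickname.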

Revision history for this message
Stephan Rügamer (sruegamer) wrote :

Well, this patch is not the right location.

We should create this directory in debian/rules.

Revision history for this message
Stephan Rügamer (sruegamer) wrote :

The attached branch has the right bugfix.

I tested it on my local installations and it works like a charm.
The certutil call of ipa-client-install won't fail anymore on this missing directory.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Thanks for the patch. Unfortunately, I'm afraid that can't be added to the freeipa packaging since it really belongs in nss, see Debian bug 537866:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537866

Changed in freeipa (Ubuntu):
assignee: nobody → Timo Aaltonen (tjaalton)
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

nss should create the nssdb hierarchy

Changed in nss (Ubuntu):
importance: Undecided → High
status: New → Confirmed
summary: ipa-client-install failes at certutil stage because /etc/pki doesn't
- exists
+ exist
Changed in nss (Debian):
status: Unknown → Confirmed
Revision history for this message
Stephan Rügamer (sruegamer) wrote : Re: ipa-client-install failes at certutil stage because /etc/pki doesn't exist

What do you think: can we have a fix for this from Debian, or should we go ahead and do it on Ubuntu first?

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Preferably in debian first, since I'm not sure what possible issues it might bring. Need to discuss it with Mike.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

I've got a patch that generates empty DBs during package build; need to polish it and send it to Debian.

Changed in nss (Ubuntu):
assignee: nobody → Timo Aaltonen (tjaalton)
status: Confirmed → In Progress
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

uploaded a new nss to the freeipa ppa that adds support for nssdb:

https://launchpad.net/~freeipa/+archive/ppa

Only for precise, I guess that's what people are testing with, so please test whether it works with ipa-client-install.

Changed in nss (Ubuntu):
status: In Progress → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in freeipa (Ubuntu):
status: New → Confirmed
Timo Aaltonen (tjaalton)
summary: - ipa-client-install failes at certutil stage because /etc/pki doesn't
+ ipa-client-install fails at certutil stage because /etc/pki doesn't
exist
Changed in nss (Debian):
status: Confirmed → Fix Released
Changed in nss (Debian):
status: Fix Released → Confirmed
Revision history for this message
dylan@techtangents.com (dylan-q) wrote :

Hi,

When will we see this bug fix in ubuntu?

Thanks!

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

It's actually fixed in trusty.

Changed in nss (Ubuntu):
status: Incomplete → Fix Released
Changed in freeipa (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

@Timo: This fix in trusty is good, but doesn't help.
The ipa-client versions after 12.04 LTS are not compatible anymore with the working IPA server from RHEL.
This client can't talk to an older IPA master server, so 12.04 LTS is still stuck.

RH doesn't plan to update IPA Server to a new version.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Nothing I can do about that.

But you should be able to pass options to ipa-client-install to disable the new features.

Changed in nss (Debian):
status: Confirmed → Fix Released
Changed in nss (Debian):
status: Fix Released → Confirmed