| 2018-05-06 09:47:48 |
Kees Bakker |
bug |
|
|
added bug |
| 2018-05-19 20:27:53 |
Launchpad Janitor |
freeipa (Ubuntu): status |
New |
Confirmed |
|
| 2018-05-21 16:27:53 |
gianluca |
bug |
|
|
added subscriber gianluca |
| 2018-05-23 14:31:17 |
Timo Aaltonen |
bug task added |
|
bind9 (Ubuntu) |
|
| 2018-05-23 14:32:59 |
Timo Aaltonen |
bind9 (Ubuntu): status |
New |
Triaged |
|
| 2018-05-23 14:34:18 |
Timo Aaltonen |
summary |
freeipa server install fails - Configuring the web interface, setting up ssl |
freeipa server install fails - named-pkcs11 fails to run |
|
| 2018-05-23 15:02:28 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
| 2018-05-23 16:52:25 |
Timo Aaltonen |
freeipa (Ubuntu): importance |
Undecided |
High |
|
| 2018-05-28 12:46:26 |
Renat Galiev |
bug |
|
|
added subscriber Renat Galiev |
| 2018-06-19 12:49:39 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Server |
| 2018-06-19 12:50:03 |
Andreas Hasenack |
bind9 (Ubuntu): importance |
Undecided |
High |
|
| 2018-06-23 18:17:15 |
Harry Coin |
bug |
|
|
added subscriber Harry Coin |
| 2018-06-24 23:35:25 |
Harry Coin |
attachment added |
|
fontawesome v4 https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+attachment/5156225/+files/fontawesome4.bz |
|
| 2018-07-30 18:33:05 |
Gabriel A. Devenyi |
bug |
|
|
added subscriber Gabriel Devenyi |
| 2018-07-30 18:43:29 |
Gabriel A. Devenyi |
bug watch added |
|
https://bugzilla.redhat.com/show_bug.cgi?id=1410433 |
|
| 2018-08-02 12:27:12 |
Robie Basak |
bind9 (Ubuntu): status |
Triaged |
Incomplete |
|
| 2018-08-02 16:09:20 |
Gabriel A. Devenyi |
bind9 (Ubuntu): status |
Incomplete |
Confirmed |
|
| 2018-08-13 12:49:27 |
Robie Basak |
tags |
|
server-next |
|
| 2018-08-24 18:31:26 |
Andreas Hasenack |
freeipa (Ubuntu): status |
Confirmed |
Invalid |
|
| 2018-08-24 18:31:38 |
Andreas Hasenack |
bug |
|
|
added subscriber Karl Stenerud |
| 2018-08-24 19:19:49 |
Ioan Rogers |
bug |
|
|
added subscriber Ioan Rogers |
| 2018-08-28 13:49:23 |
Karl Stenerud |
bind9 (Ubuntu): assignee |
|
Karl Stenerud (kstenerud) |
|
| 2018-08-29 20:49:25 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~kstenerud/ubuntu/+source/bind9/+git/bind9/+merge/354002 |
|
| 2018-08-29 20:58:43 |
Karl Stenerud |
description |
Setting up FreeIPA server fails at "Configuring the web interface", step 12/21
It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
and in the log there is
2018-05-05T20:37:29Z DEBUG stderr=
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec
ute
... |
[Impact]
Using RTLD_DEEPBIND in bind9 causes the FreeIPA serve install to fail.
This patch, also applied in fedora, disables use of RTLD_DEEPBIND.
https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
[Test Case]
# uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
# uvt-kvm wait cosmic-freeipa
# uvt-kvm ssh cosmic-freeipa
Inside vm:
# sudo su
# apt purge -y cloud-init
# echo "cosmic-freeipa.example.com" >/etc/hostname
# sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
# echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') cosmic-freeipa.example.com" >>/etc/hosts
# apt update
# apt dist-upgrade -y
# reboot
# apt install -y freeipa-server
* Default Kerberos realm: EXAMPLE.COM
* Kerberos servers: cosmic-freeipa.example.com
* Administrative server: cosmic-freeipa.example.com
Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder
# ip addr
# ipa-server-install --allow-zone-overlap
* Do you want to configure integrated DNS (BIND): YES
* Server host name: cosmic-freeipa.example.com
* Please confirm the domain name: example.com
* Please provide a realm name: EXAMPLE.COM
* Directory Manager password: (anything)
* IPA admin password: (anything)
* Do you want to configure DNS forwarders: yes
* Do you want to configure these servers as DNS forwarders?: no
* Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
* Do you want to search for missing reverse zones?: yes
Installation should fail.
[Regression Potential]
In theory, if another library with the exact same symbol is loaded, bind9 may end up calling the wrong function. This is, however, a potential problem with any program that loads shared libraries.
[Original Description]
Setting up FreeIPA server fails at "Configuring the web interface", step 12/21
It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
and in the log there is
2018-05-05T20:37:29Z DEBUG stderr=
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec
ute
... |
|
| 2018-08-29 21:04:59 |
Karl Stenerud |
description |
[Impact]
Using RTLD_DEEPBIND in bind9 causes the FreeIPA serve install to fail.
This patch, also applied in fedora, disables use of RTLD_DEEPBIND.
https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
[Test Case]
# uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
# uvt-kvm wait cosmic-freeipa
# uvt-kvm ssh cosmic-freeipa
Inside vm:
# sudo su
# apt purge -y cloud-init
# echo "cosmic-freeipa.example.com" >/etc/hostname
# sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
# echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') cosmic-freeipa.example.com" >>/etc/hosts
# apt update
# apt dist-upgrade -y
# reboot
# apt install -y freeipa-server
* Default Kerberos realm: EXAMPLE.COM
* Kerberos servers: cosmic-freeipa.example.com
* Administrative server: cosmic-freeipa.example.com
Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder
# ip addr
# ipa-server-install --allow-zone-overlap
* Do you want to configure integrated DNS (BIND): YES
* Server host name: cosmic-freeipa.example.com
* Please confirm the domain name: example.com
* Please provide a realm name: EXAMPLE.COM
* Directory Manager password: (anything)
* IPA admin password: (anything)
* Do you want to configure DNS forwarders: yes
* Do you want to configure these servers as DNS forwarders?: no
* Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
* Do you want to search for missing reverse zones?: yes
Installation should fail.
[Regression Potential]
In theory, if another library with the exact same symbol is loaded, bind9 may end up calling the wrong function. This is, however, a potential problem with any program that loads shared libraries.
[Original Description]
Setting up FreeIPA server fails at "Configuring the web interface", step 12/21
It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
and in the log there is
2018-05-05T20:37:29Z DEBUG stderr=
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec
ute
... |
[Impact]
Using RTLD_DEEPBIND in bind9 causes the FreeIPA serve install to fail.
This patch, also applied in fedora and debian, disables use of RTLD_DEEPBIND.
https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b
[Test Case]
# uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
# uvt-kvm wait cosmic-freeipa
# uvt-kvm ssh cosmic-freeipa
Inside vm:
# sudo su
# apt purge -y cloud-init
# echo "cosmic-freeipa.example.com" >/etc/hostname
# sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
# echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') cosmic-freeipa.example.com" >>/etc/hosts
# apt update
# apt dist-upgrade -y
# reboot
# apt install -y freeipa-server
* Default Kerberos realm: EXAMPLE.COM
* Kerberos servers: cosmic-freeipa.example.com
* Administrative server: cosmic-freeipa.example.com
Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder
# ip addr
# ipa-server-install --allow-zone-overlap
* Do you want to configure integrated DNS (BIND): YES
* Server host name: cosmic-freeipa.example.com
* Please confirm the domain name: example.com
* Please provide a realm name: EXAMPLE.COM
* Directory Manager password: (anything)
* IPA admin password: (anything)
* Do you want to configure DNS forwarders: yes
* Do you want to configure these servers as DNS forwarders?: no
* Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
* Do you want to search for missing reverse zones?: yes
Installation should fail.
[Regression Potential]
In theory, if another library with the exact same symbol is loaded, bind9 may end up calling the wrong function. This is, however, a potential problem with any program that loads shared libraries.
[Original Description]
Setting up FreeIPA server fails at "Configuring the web interface", step 12/21
It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
and in the log there is
2018-05-05T20:37:29Z DEBUG stderr=
2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
method()
File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
passwd_fname=key_passwd_file
File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in exec
ute
... |
|
| 2018-08-29 21:14:12 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Bionic |
|
| 2018-09-05 13:17:27 |
Launchpad Janitor |
bind9 (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2018-09-05 14:14:48 |
David Britton |
bug task added |
|
bind9 (Ubuntu Bionic) |
|
| 2018-09-05 14:14:48 |
David Britton |
bug task added |
|
freeipa (Ubuntu Bionic) |
|
| 2018-09-05 14:14:57 |
David Britton |
bug task deleted |
freeipa (Ubuntu Bionic) |
|
|
| 2018-09-23 19:48:49 |
Launchpad Janitor |
bind9 (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2018-10-10 17:26:20 |
Andreas Hasenack |
bind9 (Ubuntu Bionic): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2018-10-10 17:26:22 |
Andreas Hasenack |
bind9 (Ubuntu Bionic): importance |
Undecided |
High |
|
| 2018-10-10 17:26:25 |
Andreas Hasenack |
bind9 (Ubuntu Bionic): status |
Confirmed |
In Progress |
|
| 2018-10-10 21:11:17 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/356439 |
|
| 2018-10-23 16:17:13 |
Timo Aaltonen |
bind9 (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
| 2018-10-23 16:17:16 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2018-10-23 16:17:20 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
| 2018-10-23 16:17:26 |
Timo Aaltonen |
tags |
server-next |
server-next verification-needed verification-needed-bionic |
|
| 2018-11-17 09:43:14 |
gianluca |
tags |
server-next verification-needed verification-needed-bionic |
server-next verification-done-bionic verification-needed |
|
| 2018-11-19 13:23:57 |
Launchpad Janitor |
bind9 (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2018-11-19 13:24:05 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2018-12-11 17:24:42 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/360691 |
|
| 2018-12-11 17:26:02 |
Andreas Hasenack |
merge proposal unlinked |
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/360691 |
|
|
| 2018-12-13 21:42:49 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/360691 |
|
| 2019-03-19 17:18:44 |
Giovanni Vecchi |
bug |
|
|
added subscriber Giovanni Vecchi |
