← Back to team overview

freeipa team mailing list archive

  1. freeipa team
  2. Mailing list archive
  3. Message #00197

[Bug 1024765] Re: ipa-client-install fails at certutil stage because /etc/pki doesn't exist

  Thread PreviousDate PreviousThread Next 
@Timo: This fix in trusty is good, but doesn't help.
The ipa-client after 12.04 LTS are not compatible anymore with the working IPA server from RHEL.
This client can't talk to an older IPA master server....so 12.04 LTS is still stucked.

RH doesn't plan to update IPA Server to a new version.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1024765

Title:
  ipa-client-install fails at certutil stage because /etc/pki doesn't
  exist

Status in “freeipa” package in Ubuntu:
  Fix Released
Status in “nss” package in Ubuntu:
  Fix Released
Status in “nss” package in Debian:
  Confirmed

Bug description:
  Dear Colleagues,

  ipa-client-install fails at the import stage of the freeipa server
  cert.

  Created /etc/ipa/default.conf
  New SSSD config will be created.
  Configured /etc/sssd/sssd.conf
  Traceback (most recent call last):
    File "/usr/sbin/ipa-client-install", line 1292, in <module>
      sys.exit(main())
    File "/usr/sbin/ipa-client-install", line 1279, in main
      rval = install(options, env, fstore, statestore)
    File "/usr/sbin/ipa-client-install", line 1124, in install
      run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run
      raise CalledProcessError(p.returncode, args)
  subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255

  
  It looks like the patch create_client_dirs.patch needs to be refreshed to:

  1. check if /etc/pki exists
  2. if not, create it

  this is important especially for debian and ubuntu, because /etc/pki
  is/was fedora/rhel specific

  Regards,

  \sh

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1024765/+subscriptions

References

  Thread PreviousDate PreviousThread Next