[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
no, bind9 needs to be fixed instead, the way it's built got revamped in 9.11.3+dfsg-1 and I believe that's what broke it..

** Also affects: bind9 (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: bind9 (Ubuntu)
       Status: New => Triaged

** Summary changed:

- freeipa server install fails - Configuring the web interface, setting up ssl
+ freeipa server install fails - named-pkcs11 fails to run

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
I think my trick (copy /usr/sbin/named into /usr/sbin/named-pkcs11) works quite well. Not sure about the differences between named and named-pkcs11, but I think it is essentially the fact that named-pkcs11 supports cryptographic devices while plain named doesn't.

In order to avoid /usr/sbin/named-pkcs11 being rewritten during an update, you may want to use dpkg-divert.
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Is there a recommended workaround? For example, install without DNS support and use a separate bind installation?
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
For some reason, I have /usr/sbin/named in enforce mode by default (I am sure I did not change anything manually). Ubuntu 18.04 installed with an alternate CD on a KVM virtual machine.
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
only if you put it in enforce mode, it's in complain mode by default
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Maybe. Note that if you try to execute named directly (instead of named-pkcs11), it will fail since the AppArmor profile for named forbids the loading of the ldap plugin.
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
interesting, maybe there's something wrong with bind9 build..
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Any news on this bug? I discovered that if I replace /usr/sbin/named-pkcs11 with the /usr/sbin/named executable, everything seems to work fine. However, I do not know what the possible consequences of this change would be.
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
       Status: New => Confirmed
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
lucky you

Reading symbols from /usr/sbin/named-pkcs11...(no debugging symbols found)...done.

I have all the dbgsym packages installed..
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Installing libdns-export1100-dbgsym libdns1100-dbgsym libisc-export169-dbgsym helped. I now have debug symbols in view.c
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
No symbol info for the library :-(
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
I have debug symbols, I installed bind9-dbgsym libisc169-dbgsym, but you probably did that as well, right?

Reading symbols from /usr/sbin/named-pkcs11...Reading symbols from /usr/lib/debug/.build-id/a6/b02914ac626d6db7786c640335d7e674d21dcc.debug...done.

Not that it helped me any further without having looked at the named source code.
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
you need to prime it with the environment:

SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf KRB5_KTNAME=/etc/bind/named.keytab gdb --args named-pkcs11 -g -u bind

then the problem is that there are no debug symbols for named-pkcs11, not even in bind9-dbgsym and I've no idea why..
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
@Timo what is the named command that you used to debug? I can't get named to produce the same error (at view.c:962) when I run it as follows (this is the command I found in the log):

/usr/sbin/named-pkcs11 -f -u bind

or

/usr/sbin/named-pkcs11 -g -u bind

It crashes at:

08-May-2018 07:07:41.154 ../../../lib/isc-pkcs11/md5.c:93: fatal error:
08-May-2018 07:07:41.154 RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 0) == 0) failed
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Hi guys,

I'm getting the same while installing on real hardware. The name server refuses to start up with the following error in the logs:

../../../lib/dns-pkcs11/view.c:962: REQUIRE(view->zonetable != ((void *)0)) failed, back trace

Using the server's FQDN. Installing on Ubuntu 18.04 using ipa-server-install --setup-dns.

Here's the package version info:

freeipa-server | 4.7.0~pre1+git20180411-2ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
bind9 | 1:9.11.3+dfsg-1ubuntu1 | http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
bind9-dyndb-ldap | 11.1-3ubuntu1 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
I mean the dns setup is known to be broken, I don't know why it gets an empty zone from ldap and reported it upstream but the next step would be to debug with gdb and I didn't get anywhere with it yet..
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
When you said: "yep, that's a known issue" you referred to the non-FQDN. But the above error is after I corrected that. So, with a FQDN.

BTW, I'm doing the install with --setup-dns. Is that what you do as well? At the end of the installation the nameserver (bind9-pkcs11) does not start anymore.
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Do you want me to create a bugreport for that non-FQDN?
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
yep, that's a known issue, though it doesn't have a bug for it so maybe this should be it

the installation shouldn't start if the hostname is not a FQDN though, so that's another bug then
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
In syslog there is this:

May 6 20:18:01 usrv1 named-pkcs11[25219]: ../../../lib/dns-pkcs11/view.c:962: REQUIRE(view->zonetable != ((void *)0)) failed, back trace
May 6 20:18:01 usrv1 named-pkcs11[25219]: #0 0x55ceb0cb4cc0 in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #1 0x7f4ae89007fa in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #2 0x7f4ae93122aa in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #3 0x55ceb0cd2a77 in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #4 0x55ceb0c967d1 in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #5 0x55ceb0cdf309 in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #6 0x55ceb0ce0f33 in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #7 0x7f4ae8927b59 in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #8 0x7f4ae7ea16db in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #9 0x7f4ae75d588f in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: exiting (due to assertion failure)
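The two crash outputs quoted in this thread (the syslog REQUIRE failure with its backtrace, and the RUNTIME_CHECK failure printed when named-pkcs11 is run in the foreground) can be pulled out of a log mechanically. The following Python is an added example, not part of the original thread or of BIND or FreeIPA; the function names are assumptions, and the sample input is constructed from the quoted lines with the backtrace shortened to three frames.

```python
import re

# Constructed sample: the two crash outputs quoted in this thread,
# with the syslog backtrace shortened to three frames.
SAMPLE = """\
May 6 20:18:01 usrv1 named-pkcs11[25219]: ../../../lib/dns-pkcs11/view.c:962: REQUIRE(view->zonetable != ((void *)0)) failed, back trace
May 6 20:18:01 usrv1 named-pkcs11[25219]: #0 0x55ceb0cb4cc0 in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #1 0x7f4ae89007fa in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: #2 0x7f4ae93122aa in ??
May 6 20:18:01 usrv1 named-pkcs11[25219]: exiting (due to assertion failure)
08-May-2018 07:07:41.154 ../../../lib/isc-pkcs11/md5.c:93: fatal error:
08-May-2018 07:07:41.154 RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 0) == 0) failed
"""

# Line prefix: syslog ("May 6 20:18:01 host prog[pid]: ") or the
# timestamp printed by "named -g" ("08-May-2018 07:07:41.154 ").
PREFIX = re.compile(
    r"^(?:\w{3}\s+\d+ [\d:]+ \S+ [\w-]+\[(?P<pid>\d+)\]: "
    r"|\d{2}-\w{3}-\d{4} [\d:.]+ )"
)
LOCATION = re.compile(r"^(?P<file>\S+\.c):(?P<line>\d+): (?P<rest>.*)$")
CHECK = re.compile(
    r"^(?P<kind>REQUIRE|INSIST|ENSURE|RUNTIME_CHECK)\((?P<expr>.*)\) failed"
)
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (?P<sym>\S+)")


def parse_crashes(text):
    """Return one record per failed check found in the log text."""
    crashes, pending = [], None
    for raw in text.splitlines():
        prefix = PREFIX.match(raw)
        if not prefix:
            continue
        pid, msg = prefix["pid"], raw[prefix.end():]
        loc = LOCATION.match(msg)
        check = CHECK.match(loc["rest"] if loc else msg)
        if loc and loc["rest"].startswith("fatal error"):
            # "file.c:NN: fatal error:" - the failed check is on the next line.
            pending = (loc["file"], int(loc["line"]))
        elif check and (loc or pending):
            where = (loc["file"], int(loc["line"])) if loc else pending
            crashes.append({"pid": pid, "file": where[0], "line": where[1],
                            "kind": check["kind"], "expr": check["expr"],
                            "frames": 0, "unsymbolized": 0})
            pending = None
        elif crashes and crashes[-1]["pid"] == pid:
            frame = FRAME.match(msg)
            if frame:  # backtrace frame belonging to the last crash
                crashes[-1]["frames"] += 1
                crashes[-1]["unsymbolized"] += frame["sym"] == "??"
    return crashes


def summarize(crash):
    """One-line summary; flags backtraces that carry no symbol names."""
    note = ""
    if crash["frames"] and crash["frames"] == crash["unsymbolized"]:
        note = " (backtrace has no symbols; debug symbol packages needed)"
    return f'{crash["kind"]} at {crash["file"]}:{crash["line"]}{note}'


if __name__ == "__main__":
    for c in parse_crashes(SAMPLE):
        print(summarize(c))
```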
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
My hostname was not a FQDN. After I changed it to be FQDN, and made sure the entry is in /etc/hosts, the installation continues.

However, there is still a problem. The nameserver fails to (re)start.

Configuring DNS (named)
[1/11]: generating rndc key file
[2/11]: adding DNS container
[3/11]: setting up our zone
[4/11]: setting up our own record
[5/11]: setting up records for other masters
[6/11]: adding NS record to the zones
[7/11]: setting up kerberos principal
[8/11]: setting up named.conf
[9/11]: setting up server configuration
[10/11]: configuring named to start on boot
[11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
ipapython.dnsutil: ERRORDNS query for usrv1.ijtest.nl. 1 failed: The DNS operation timed out after 30.000865221 seconds
ipaserver.dns_data_management: ERRORunable to resolve host name usrv1.ijtest.nl. to IP address, ipa-ca DNS record will be incomplete
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
doesn't hurt to try on qemu/kvm or actual hw
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
I'm doing this in a LXC container. Could that be of influence?
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
must be a race condition again, I can't reproduce it here
[Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
See also https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/comments/9