[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Do you want me to create a bug report for that non-FQDN?

-- 
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - Configuring the web interface, setting up ssl

Status in freeipa package in Ubuntu:
  New

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface", step 12/21.
  It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2.

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
When you said: "yep, that's a known issue" you referred to the non-FQDN. But the above error is after I corrected that. So, with a FQDN.

BTW, I'm doing the install with --setup-dns. Is that what you do as well? At the end of the installation the nameserver (bind9-pkcs11) does not start anymore.
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
I mean the dns setup is known to be broken, I don't know why it gets an empty zone from ldap and reported it upstream but the next step would be to debug with gdb and I didn't get anywhere with it yet..
[Freeipa] [Bug 1764744] Re: Support of freeipa-server for s390x
--- Comment From heinz-werner_se...@de.ibm.com 2018-05-07 07:35 EDT---
IBM bugzilla status closed; Fix Released, follow-on problem tracked via https://bugzilla.linux.ibm.com/show_bug.cgi?id=167506
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1764744

** Bug watch added: bugzilla.linux.ibm.com/ #167506
   https://bugzilla.linux.ibm.com/show_bug.cgi?id=167506

-- 
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1764744

Title:
  Support of freeipa-server for s390x

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in 389-ds-base package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  freeipa fails to configure on s390x. (Configuration being handled by the freeipa-server-install script.) This script has two failure points.

  The first is below: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1600634 describes a known bug but it was only resolved for x86_64. In the failing scenario the install log will have entries like the following:

  2018-04-10T18:53:01Z DEBUG nsslapd-pluginenabled:
  2018-04-10T18:53:01Z DEBUG on
  2018-04-10T18:53:01Z DEBUG nsslapd-pluginpath:
  2018-04-10T18:53:01Z DEBUG /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so
  2018-04-10T18:53:01Z DEBUG nsslapd-pluginversion:
  2018-04-10T18:53:01Z DEBUG 0.8

  Obviously on s390x /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so will never be found. Now if I create a symbolic link with the above name that is linked to the same location but with s390x where x86_64 is located, the install will proceed past this failing location.

  The second failure point in the freeipa-server-install script is near the end, after the script has completed the freeipa-server-install and where it attempts to install the freeipa-client. The client install appears to fail because of a problem with certificates related to the server install.

  2018-04-17T12:14:59Z ERROR Cannot connect to the server due to generic error: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)

  The above appears to be related to an issue with the key database

  # certutil -L
  certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

  # ipa cert-show 1
  ipa: ERROR: cannot connect to 'https://fipas1.pdl.pok.ibm.com/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

  # ipa user-add
  First name: Richard 
  >>> First name: Leading and trailing spaces are not allowed
  First name: Richard
  Last name: Young
  User login [ryoung]: ryoung1
  ipa: ERROR: cannot connect to 'https://fipas1.pdl.pok.ibm.com/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1764744/+subscriptions
[Freeipa] [Bug 1769631] [NEW] freeipa-server installatio/configuration problem for s390x
You have been subscribed to a public bug:

Problem description for the following already Fix Released bug:
https://bugzilla.linux.ibm.com/show_bug.cgi?id=166796
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1764744

The package is still failing to configure

root@fipas1:~# ipa-server-install --allow-zone-overlap

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [fipas1.rgy.net]:

Warning: skipping DNS resolution of host fipas1.rgy.net
The domain name has been determined based on the host name.

Please confirm the domain name [rgy.net]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [RGY.NET]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain rgy.net., please wait ...
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: no

The IPA Master Server will be configured with:
Hostname:       fipas1.rgy.net
IP address(es): 192.168.122.50
Domain name:    rgy.net
Realm name:     RGY.NET

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=RGY.NET
Subject base: O=RGY.NET
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Forward policy:   only
Reverse zone(s):  No reverse zone

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Synchronizing time
Using default chrony configuration.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [error] ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
ipapython.admintool: ERROR    Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
root@fipas1:~#

I had run an apt update in advance of installing freeipa and after adding the canonical staging repository

root@fipas1:~# apt update
Hit:1 http://ppa.launchpad.net/canonical-x/x-staging/ubuntu bionic InRelease
Hit:2 http://ports.ubuntu.com/ubuntu-ports bionic InRelease
Hit:3 http://ports.ubuntu.com/ubuntu-ports bionic-updates InRelease
Hit:4 http://ports.ubuntu.com/ubuntu-ports bionic-backports InRelease
Hit:5 http://ports.ubuntu.com/ubuntu-ports bionic-security InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
root@fipas1:~#

End of the install log contains

2018-04-26T14:31:25Z DEBUG args=['/bin/systemctl', 'is-active', 'dirsrv@RGY-NET.service']
2018-04-26T14:31:25Z DEBUG Process finished, return code=0
2018-04-26T14:31:25Z DEBUG stdout=active
2018-04-26T14:31:25Z DEBUG stderr=
2018-04-26T14:31:25Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2018-04-26T14:31:25Z DEBUG waiting for port: 389
2018-04-26T14:31:25Z DEBUG SUCCESS: port: 389
2018-04-26T14:31:25Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/s
[Freeipa] [Bug 1769631] Re: freeipa-server installatio/configuration problem for s390x
** Package changed: linux (Ubuntu) => freeipa (Ubuntu)

** Tags added: s390x universe

** Summary changed:

- freeipa-server installatio/configuration problem for s390x
+ freeipa-server installation/configuration problem on s390x

** Also affects: ubuntu-z-systems
   Importance: Undecided
       Status: New

** Changed in: ubuntu-z-systems
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769631

Title:
  freeipa-server installation/configuration problem on s390x

Status in Ubuntu on IBM z Systems:
  New
Status in freeipa package in Ubuntu:
  New
[Freeipa] [Bug 1747411] Re: Change of default database file format to SQL
For corosync the affected component is corosync-qnetd. I checked, and without adaptation on install they would be fine, as they initialize a new DB and nowhere does anyone specify the type. But as with some other tools, on an upgrade we have to assume that the old DBM format will be tried to be read as SQL and then fail.

Worth noticing is that Fedora, who started all of this in [1], still uses DBM as default in their NSS build :-)

corosync 2.4.4-1 of 20th of April made corosync compatible with the nss change. They prefix all calls with dbm to stay compatible until the upgrade is handled by upstream. So a merge of this or a later version will address this for corosync. Afterwards nss can be merged, dropping the change of the default.

[1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql

-- 
You received this bug notification because you are a member of FreeIPA, which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1747411

Title:
  Change of default database file format to SQL

Status in certmonger package in Ubuntu:
  Fix Released
Status in corosync package in Ubuntu:
  New
Status in dogtag-pki package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Fix Released
Status in libapache2-mod-nss package in Ubuntu:
  Won't Fix
Status in nss package in Ubuntu:
  New

Bug description:
  nss in version 3.35 in upstream changed [2] the default file format [1] (if no explicit one is specified).
  For now we reverted that change in bug 1746947 until all packages depending on it are ready to work with that correctly.

  This bug here is to track when the revert can be dropped. Therefore we list all known-to-be-affected packages, and once all are resolved this can be dropped.

  [1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
  [2]: https://github.com/nss-dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1747411/+subscriptions
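The SEC_ERROR_LEGACY_DATABASE failure reported in bug 1764744 and the DBM-versus-SQL default change tracked in this bug both come down to a tool opening an NSS database directory without saying which on-disk format it expects. The following script is an added example, not code from the thread or from any of the packages it discusses: it detects the format from the files present (cert8.db/key3.db for DBM, cert9.db/key4.db for SQL, the standard NSS layout) and builds the explicit dbm:/sql: prefixed -d argument that certutil accepts, which is the same pinning approach the corosync fix took. The demo directories and function names are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not from the bug thread or the packages it discusses).
# Standard NSS on-disk layouts:
#   DBM (legacy): cert8.db, key3.db, secmod.db
#   SQL (modern): cert9.db, key4.db, pkcs11.txt
# An NSS consumer that opens a directory with a bare path gets whatever
# format the library defaults to; a DBM store opened as SQL fails with
# SEC_ERROR_LEGACY_DATABASE. Passing an explicit "dbm:" or "sql:" prefix
# removes the dependency on that default.

# Print dbm, sql, mixed or empty for the NSS directory given as $1.
nss_db_format() {
    nss_dir=$1
    has_dbm=0
    has_sql=0
    if [ -e "$nss_dir/cert8.db" ] || [ -e "$nss_dir/key3.db" ]; then
        has_dbm=1
    fi
    if [ -e "$nss_dir/cert9.db" ] || [ -e "$nss_dir/key4.db" ]; then
        has_sql=1
    fi
    case "$has_dbm$has_sql" in
        10) echo dbm ;;
        01) echo sql ;;
        11) echo mixed ;;
        *)  echo empty ;;
    esac
}

# Print the -d argument certutil/modutil should be given for $1.
# A fresh directory gets "sql:" (the format a new store should be created
# in); a directory holding both layouts is refused rather than guessed,
# because picking either one silently hides a half-finished migration.
nss_certutil_dbarg() {
    nss_dir=$1
    case "$(nss_db_format "$nss_dir")" in
        dbm)       echo "dbm:$nss_dir" ;;
        sql|empty) echo "sql:$nss_dir" ;;
        *)
            echo "refusing to guess a format for $nss_dir: DBM and SQL files both present" >&2
            return 1 ;;
    esac
}

# Demonstration on constructed directories (empty placeholder files only;
# no real certificate or key material is created).
demo() {
    work=$(mktemp -d)
    mkdir "$work/legacy" "$work/modern" "$work/fresh" "$work/halfway"
    : > "$work/legacy/cert8.db"; : > "$work/legacy/key3.db"; : > "$work/legacy/secmod.db"
    : > "$work/modern/cert9.db"; : > "$work/modern/key4.db"; : > "$work/modern/pkcs11.txt"
    : > "$work/halfway/cert8.db"; : > "$work/halfway/cert9.db"
    for d in legacy modern fresh halfway; do
        if arg=$(nss_certutil_dbarg "$work/$d"); then
            printf '%-8s -> %s\n' "$d" "$arg"
        else
            printf '%-8s -> (refused)\n' "$d"
        fi
    done
    # With the argument pinned, a listing no longer depends on the default:
    #   certutil -L -d "$(nss_certutil_dbarg /etc/pki/nssdb)"
    rm -rf "$work"
}

demo
```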
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
This bug was fixed in the package tomcat8 - 8.5.30-1ubuntu2

---------------
tomcat8 (8.5.30-1ubuntu2) cosmic; urgency=medium

  * support-jre8.diff: Fix running tomcat with JRE8. (LP: #1765616)

 -- Timo Aaltonen  Tue, 24 Apr 2018 23:47:45 +0300

** Changed in: tomcat8 (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
  freeipa server install fails - RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu:
  Invalid
Status in tomcat8 package in Ubuntu:
  Fix Released
Status in freeipa source package in Bionic:
  Invalid
Status in tomcat8 source package in Bionic:
  Confirmed
Status in tomcat8 package in Debian:
  New

Bug description:
  [Impact]

  The issue occurs while installing IPA server, more specifically whilst configuring pki-tomcatd. The following error is produced.

  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
    [1/28]: configuring certificate server instance
  ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn: ERROR ... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n")
  ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
  ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
    [error] RuntimeError: CA configuration failed.
  ipapython.admintool: ERROR    CA configuration failed.
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons.

  [Test Case]

  Install freeipa-server, run ipa-server-install.

  [Regression Potential]

  The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite, though, when run with JRE8, even though tomcat itself was built with the default JDK.

  [Other info]

  Patch will be sent upstream too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions
[Freeipa] [Bug 1747411] Re: Change of default database file format to SQL
Corosync is actually a sync for Cosmic, with all delta dropped:

  * Merge with Debian unstable (LP: #1747411). Remaining changes:
  * Dropped Changes:
    - Properly restart corosync and pacemaker together (LP: #1740892)
      d/rules: pass --restart-after-upgrade to dh_installinit.
      (this is default in compat >=10, and the package is 11)
    - d/control: indicate this version breaks all older pacemaker, to force an upgrade of pacemaker.
      (Upgrades have gone through Bionic, so we can drop this now)
    - d/corosync.postinst: if flagged to do so by pacemaker, start pacemaker on upgrade.
      (Can be dropped after Bionic)
    - New upstream release 2.4.3 (now in Debian)
    - Drop upstreamed patches and refresh others. (now in Debian)

To get a second opinion on that I opened:
https://code.launchpad.net/~paelzer/ubuntu/+source/corosync/+git/corosync/+merge/345184

** Merge proposal linked:
   https://code.launchpad.net/~paelzer/ubuntu/+source/corosync/+git/corosync/+merge/345184
[Freeipa] [Bug 1769545] Re: DerInput.getLength(): lengthTag=9, too big.
** Tags added: bionic

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1769545

Title:
  DerInput.getLength(): lengthTag=9, too big.

Status in dogtag-pki package in Ubuntu:
  New

Bug description:
  When using pkispawn with an external root CA the following error occurs.

  2018-05-05 15:00:33 [https-jsse-nio-8443-exec-9] FINE: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  2018-05-05 15:00:33 [https-jsse-nio-8443-exec-9] SEVERE: Configuration failed: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
          at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
          at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
          at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:542)
          at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2754)
          at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2578)
          at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:483)
          at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
          at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:170)
          at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:105)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:498)
          at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
          at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
          at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
          at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
          at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
          at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
          at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
          at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
          at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
          at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
          at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
          at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1460)
          at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
          at java.util.
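What the "DerInput.getLength(): lengthTag=9, too big." message in this report is actually complaining about, as an added example (my own Python, not code from dogtag-pki, JSS or the JDK): a DER Tag/Length/Value header decoder that applies the same rule. DER lengths are either short form (one octet, value 0 to 127) or long form (0x80 ORed with n, followed by n big-endian octets holding the length). A parser that keeps the length in a 32-bit integer cannot accept more than 4 length octets, and "lengthTag=9" reports a length field that claims 9 octets, which no valid certificate produces. MAX_LENGTH_OCTETS = 4 is an assumption about that parser, and all sample byte strings below are constructed for the example; only the error wording mirrors the log.

```python
"""DER header decoding with the "too many length octets" check.

Added example, not project code. Sample inputs are constructed.
"""
from dataclasses import dataclass

# Assumption: the parser stores lengths in a 32-bit int, so at most 4 length octets.
MAX_LENGTH_OCTETS = 4


class DerError(ValueError):
    """Raised for a malformed DER header."""


@dataclass(frozen=True)
class DerHeader:
    tag: int          # identifier octet, e.g. 0x30 = SEQUENCE, 0x02 = INTEGER
    length: int       # declared content length in bytes
    header_len: int   # octets consumed by tag + length field


def decode_header(buf: bytes, offset: int = 0) -> DerHeader:
    """Parse the tag and length at buf[offset:], rejecting over-long lengths."""
    if offset >= len(buf):
        raise DerError("truncated: no tag octet")
    tag = buf[offset]
    pos = offset + 1
    if pos >= len(buf):
        raise DerError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: the octet is the length
        return DerHeader(tag, first, pos - offset)
    n = first & 0x7F                      # long form: n = number of length octets
    if n == 0:
        raise DerError("indefinite length is not allowed in DER")
    if n > MAX_LENGTH_OCTETS:
        # This is the condition behind the report's "lengthTag=9, too big." message.
        raise DerError(f"DerInput.getLength(): lengthTag={n}, too big.")
    if pos + n > len(buf):
        raise DerError("truncated length field")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if length < 0x80 or (n > 1 and buf[pos] == 0):
        # DER demands the minimal encoding; non-minimal lengths are a parser-confusion classic.
        raise DerError("non-minimal length encoding")
    return DerHeader(tag, length, pos + n - offset)


def children(buf: bytes) -> list:
    """Return (tag, length) for each element inside a constructed value."""
    hdr = decode_header(buf)
    if not hdr.tag & 0x20:                # bit 6 set means constructed
        raise DerError("not a constructed element")
    content = buf[hdr.header_len:hdr.header_len + hdr.length]
    if len(content) != hdr.length:
        raise DerError("content shorter than declared length")
    out, pos = [], 0
    while pos < len(content):
        h = decode_header(content, pos)
        end = pos + h.header_len + h.length
        if end > len(content):
            raise DerError("child overruns parent")
        out.append((h.tag, h.length))
        pos = end
    return out


def check_header(buf: bytes) -> str:
    """Pre-flight check: 'ok' or the DerError message, without raising."""
    try:
        decode_header(buf)
        return "ok"
    except DerError as exc:
        return str(exc)


# Constructed samples: SEQUENCE { INTEGER 7, UTF8String "ipa" }, a 200-byte
# OCTET STRING using a one-octet long-form length, and a header whose length
# field claims 9 octets, as in the report.
SAMPLE_SEQUENCE = bytes.fromhex("30080201070c03697061")
SAMPLE_LONG = bytes.fromhex("0481c8") + b"A" * 200
BAD_LENGTH = bytes([0x30, 0x89]) + bytes(9)

if __name__ == "__main__":
    print(decode_header(SAMPLE_SEQUENCE), children(SAMPLE_SEQUENCE))
    print(decode_header(SAMPLE_LONG))
    print(check_header(BAD_LENGTH))
```

The defender's takeaway is that the parser did the right thing: a length field claiming 9 octets cannot come from a well-formed certificate, so the limit should stay and the input should be questioned. In the situation the report describes, the first thing to verify is the format of the external CA certificate material handed to pkispawn.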
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Hi guys, I'm getting the same while installing on real hardware. The name server refuses to start up with the following error in the logs:

../../../lib/dns-pkcs11/view.c:962: REQUIRE(view->zonetable != ((void *)0)) failed, back trace

Using the server's FQDN. Installing on Ubuntu 18.04 using ipa-server-install --setup-dns.

Here's the package version info:

freeipa-server | 4.7.0~pre1+git20180411-2ubuntu2 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
bind9 | 1:9.11.3+dfsg-1ubuntu1 | http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
bind9-dyndb-ldap | 11.1-3ubuntu1 | http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
[Freeipa] [Bug 1769631] Re: freeipa-server installation/configuration problem on s390x
what do you have in /usr/lib/s390x-linux-gnu/sasl2 ?

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769631

Title:
  freeipa-server installation/configuration problem on s390x

Status in Ubuntu on IBM z Systems:
  New
Status in freeipa package in Ubuntu:
  New

Bug description:
  Problem description for the following already Fix Released bug:
  https://bugzilla.linux.ibm.com/show_bug.cgi?id=166796
  https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1764744

  The package is still failing to configure

  root@fipas1:~# ipa-server-install --allow-zone-overlap

  The log file for this installation can be found in /var/log/ipaserver-install.log
  ==
  This program will set up the FreeIPA Server.

  This includes:
    * Configure a stand-alone CA (dogtag) for certificate management
    * Configure the NTP client (chronyd)
    * Create and configure an instance of Directory Server
    * Create and configure a Kerberos Key Distribution Center (KDC)
    * Configure Apache (httpd)
    * Configure the KDC to enable PKINIT

  To accept the default shown in brackets, press the Enter key.

  WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd

  Do you want to configure integrated DNS (BIND)? [no]: yes

  Enter the fully qualified domain name of the computer
  on which you're setting up server software. Using the form
  <hostname>.<domainname>
  Example: master.example.com.

  Server host name [fipas1.rgy.net]:

  Warning: skipping DNS resolution of host fipas1.rgy.net
  The domain name has been determined based on the host name.

  Please confirm the domain name [rgy.net]:

  The kerberos protocol requires a Realm name to be defined.
  This is typically the domain name converted to uppercase.

  Please provide a realm name [RGY.NET]:
  Certain directory server operations require an administrative user.
  This user is referred to as the Directory Manager and has full access
  to the Directory for system management tasks and will be added to the
  instance of directory server created for IPA.
  The password must be at least 8 characters long.

  Directory Manager password:
  Password (confirm):

  The IPA server requires an administrative user, named 'admin'.
  This user is a regular system account used for IPA server administration.

  IPA admin password:
  Password (confirm):

  Checking DNS domain rgy.net., please wait ...
  Do you want to configure DNS forwarders? [yes]: no
  No DNS forwarders configured
  Do you want to search for missing reverse zones? [yes]: no

  The IPA Master Server will be configured with:
  Hostname:       fipas1.rgy.net
  IP address(es): 192.168.122.50
  Domain name:    rgy.net
  Realm name:     RGY.NET

  The CA will be configured with:
  Subject DN:   CN=Certificate Authority,O=RGY.NET
  Subject base: O=RGY.NET
  Chaining:     self-signed

  BIND DNS server will be configured to serve IPA domain with:
  Forwarders:       No forwarders
  Forward policy:   only
  Reverse zone(s):  No reverse zone

  Continue to configure the system with these values? [no]: yes

  The following operations may take some minutes to complete.
  Please wait until the prompt is returned.

  Synchronizing time
  Using default chrony configuration.
  Time synchronization was successful.
  Configuring directory server (dirsrv). Estimated time: 30 seconds
    [1/44]: creating directory server instance
    [2/44]: enabling ldapi
    [3/44]: configure autobind for root
    [4/44]: stopping directory server
    [5/44]: updating configuration in dse.ldif
    [6/44]: starting directory server
    [error] ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
  ipapython.admintool: ERROR    Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  root@fipas1:~#

  I had run an apt update in advance of installing freeipa and after adding the canonical staging repository

  root@fipas1:~# apt update
  Hit:1 http://ppa.launchpad.net/canonical-x/x-staging/ubuntu bionic InRelease
  Hit:2 http://ports.ubuntu.com/ubuntu-ports bionic InRelease
  Hit:3 http://ports.ubuntu.com/ubuntu-ports bionic-updates InRelease
  Hit:4 http://ports.ubuntu.com/ubuntu-ports bionic-backports InRelease
  Hit:5 http://ports.ubuntu.com/ubuntu-ports bionic-security InRelease
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  All packages are up to date.
  root@fipas1:~#

  End of the install log contains

  2018-04-26T14:31:25Z DEBUG args=['/bin/systemctl', 'is-active', 'dirsrv@RGY-NET.service']
  2018-04-26T14:31:25Z DEBUG Proce
[Freeipa] [Bug 1769631] Comment bridged from LTC Bugzilla
--- Comment From ryou...@us.ibm.com 2018-05-07 18:43 EDT---

root@fipas1:/usr/lib/s390x-linux-gnu/sasl2# ls -la
total 340
drwxr-xr-x  2 root root  4096 Apr 26 10:01 .
drwxr-xr-x 39 root root 20480 Apr 26 10:23 ..
lrwxrwxrwx  1 root root    22 Feb  5 11:48 libanonymous.so -> libanonymous.so.2.0.25
lrwxrwxrwx  1 root root    22 Feb  5 11:48 libanonymous.so.2 -> libanonymous.so.2.0.25
-rw-r--r--  1 root root 18400 Feb  5 11:48 libanonymous.so.2.0.25
lrwxrwxrwx  1 root root    20 Feb  5 11:48 libcrammd5.so -> libcrammd5.so.2.0.25
lrwxrwxrwx  1 root root    20 Feb  5 11:48 libcrammd5.so.2 -> libcrammd5.so.2.0.25
-rw-r--r--  1 root root 22520 Feb  5 11:48 libcrammd5.so.2.0.25
lrwxrwxrwx  1 root root    22 Feb  5 11:48 libdigestmd5.so -> libdigestmd5.so.2.0.25
lrwxrwxrwx  1 root root    22 Feb  5 11:48 libdigestmd5.so.2 -> libdigestmd5.so.2.0.25
-rw-r--r--  1 root root 55656 Feb  5 11:48 libdigestmd5.so.2.0.25
lrwxrwxrwx  1 root root    16 Feb  5 11:48 libgs2.so -> libgs2.so.2.0.25
lrwxrwxrwx  1 root root    16 Feb  5 11:48 libgs2.so.2 -> libgs2.so.2.0.25
-rw-r--r--  1 root root 34584 Feb  5 11:48 libgs2.so.2.0.25
lrwxrwxrwx  1 root root    21 Feb  5 11:48 libgssapiv2.so -> libgssapiv2.so.2.0.25
lrwxrwxrwx  1 root root    21 Feb  5 11:48 libgssapiv2.so.2 -> libgssapiv2.so.2.0.25
-rw-r--r--  1 root root 35000 Feb  5 11:48 libgssapiv2.so.2.0.25
lrwxrwxrwx  1 root root    18 Feb  5 11:48 liblogin.so -> liblogin.so.2.0.25
lrwxrwxrwx  1 root root    18 Feb  5 11:48 liblogin.so.2 -> liblogin.so.2.0.25
-rw-r--r--  1 root root 18400 Feb  5 11:48 liblogin.so.2.0.25
lrwxrwxrwx  1 root root    17 Feb  5 11:48 libntlm.so -> libntlm.so.2.0.25
lrwxrwxrwx  1 root root    17 Feb  5 11:48 libntlm.so.2 -> libntlm.so.2.0.25
-rw-r--r--  1 root root 34792 Feb  5 11:48 libntlm.so.2.0.25
lrwxrwxrwx  1 root root    18 Feb  5 11:48 libplain.so -> libplain.so.2.0.25
lrwxrwxrwx  1 root root    18 Feb  5 11:48 libplain.so.2 -> libplain.so.2.0.25
-rw-r--r--  1 root root 18400 Feb  5 11:48 libplain.so.2.0.25
lrwxrwxrwx  1 root root    19 Feb  5 11:48 libsasldb.so -> libsasldb.so.2.0.25
lrwxrwxrwx  1 root root    19 Feb  5 11:48 libsasldb.so.2 -> libsasldb.so.2.0.25
-rw-r--r--  1 root root 26440 Feb  5 11:48 libsasldb.so.2.0.25
lrwxrwxrwx  1 root root    18 Feb  5 11:48 libscram.so -> libscram.so.2.0.25
lrwxrwxrwx  1 root root    18 Feb  5 11:48 libscram.so.2 -> libscram.so.2.0.25
-rw-r--r--  1 root root 38904 Feb  5 11:48 libscram.so.2.0.25
root@fipas1:/usr/lib/s390x-linux-gnu/sasl2#