Please see the IPA related ticket: https://fedorahosted.org/freeipa/ticket/6274 It looks to me like the same issue as this one reported in the past: https://fedorahosted.org/pki/ticket/1702
"caIPAServiceCert" is the default profile for IPA and should always exist.
This is reproducible in our CI test automation; it looks like dogtag is reporting that it is ready to serve, but when we execute ipa-replica-prepare too early, it fails with the error "Profile caIPAserviceCert Not Found". Manually it works when the delay between the dogtag restart during ipa-server-install and ipa-replica-prepare is longer.
PS: we check dogtag status using http polling.
Per PKI Bug Council of 09/08/2016: 10.4 ("critical")
The issue is a bit different from #1702 - this time it is the DS restart causing LDAPProfileSubsystem to drop all its profiles and reload. At the time ipa-replica-prepare tries to issue the cert, profiles are still being (re)loaded and caIPAserviceCert hasn't been loaded yet.
Taking a lock when this condition is encountered should be sufficient to avoid the problem.
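The reload race described in the two comments above, shown as an added example in Python (this is not Dogtag's own Java code, and the store classes, the constructed profile set and the event-driven simulation are all illustrative assumptions). The unlocked store clears its map and then repopulates it, so a reader that arrives between those two steps gets "not found"; the locked store makes readers wait on a condition until the reload finishes, and releases them even if the loader fails so nothing hangs forever.

```python
import threading
from typing import Callable, Dict, Optional

# Constructed sample: the profile set an LDAP-backed store would load.
SAMPLE_PROFILES: Dict[str, dict] = {
    "caIPAserviceCert": {"description": "IPA service certificate"},
    "caUserCert": {"description": "User certificate"},
}

Loader = Callable[[], Dict[str, dict]]


class UnlockedProfileStore:
    """Reload drops every profile, then repopulates from the loader.
    A reader that lands between those two steps sees an empty map."""

    def __init__(self) -> None:
        self._profiles: Dict[str, dict] = {}

    def get(self, name: str) -> Optional[dict]:
        return self._profiles.get(name)

    def reload(self, loader: Loader) -> None:
        self._profiles.clear()           # window opens here ...
        self._profiles.update(loader())  # ... and closes here


class LockedProfileStore:
    """Readers block while a reload is in progress, so they only ever
    observe the map before the reload started or after it completed."""

    def __init__(self) -> None:
        self._profiles: Dict[str, dict] = {}
        self._cond = threading.Condition()
        self._reloading = False

    def get(self, name: str, timeout: Optional[float] = None) -> Optional[dict]:
        with self._cond:
            # wait_for returns False if the timeout expires first.
            if not self._cond.wait_for(lambda: not self._reloading, timeout):
                raise TimeoutError("profile reload still in progress")
            return self._profiles.get(name)

    def reload(self, loader: Loader) -> None:
        with self._cond:
            self._reloading = True
            self._profiles.clear()
        fresh: Dict[str, dict] = {}
        try:
            fresh = loader()  # the slow LDAP fetch runs without holding the lock
        finally:
            # Always clear the flag and wake readers, even if the loader raised;
            # otherwise every reader would wait forever.
            with self._cond:
                self._profiles.update(fresh)
                self._reloading = False
                self._cond.notify_all()


def simulate_reader_during_reload(store) -> Optional[dict]:
    """Populate the store, start a reload whose loader pauses after the old
    profiles have been dropped, and read caIPAserviceCert during that pause.
    Returns what the reader saw (None means 'Profile Not Found')."""
    cleared = threading.Event()  # set once the old profiles are gone
    done = threading.Event()     # released to let the loader finish

    def slow_loader() -> Dict[str, dict]:
        cleared.set()
        done.wait()
        return dict(SAMPLE_PROFILES)

    store.reload(lambda: dict(SAMPLE_PROFILES))  # initial load
    reloader = threading.Thread(target=store.reload, args=(slow_loader,))
    reloader.start()
    cleared.wait()
    # Let the reload finish shortly after the reader has started waiting.
    threading.Timer(0.1, done.set).start()
    result = store.get("caIPAserviceCert")
    reloader.join()
    return result


if __name__ == "__main__":
    print("unlocked:", simulate_reader_during_reload(UnlockedProfileStore()))
    print("locked:  ", simulate_reader_during_reload(LockedProfileStore()))
```

The `timeout` on `get` is the piece a caller such as ipa-replica-prepare would want: a bounded wait turns an indefinite hang on a stuck reload into a clear error, while a reload that merely takes a few seconds is absorbed without the caller ever seeing the empty map.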
Moving priority to "minor" - this issue is being hit in CI but will only be hit in uncommon cases in production deployments... unless the user has a very unstable LDAP server, but then they've got bigger problems :)
If you disagree with new priority let's continue discussion here or on pki-devel@.
Please set it back to critical / high. Every test in FreeIPA using replica preparation is affected and broken by this issue :(
Is there not a trivial workaround? (Wait a few seconds between ipa-server-install and ipa-replica-prepare). Let's split the difference and go with "major".
attachment pki-ftweedal-0134-Block-reads-during-reload-of-LDAP-based-profiles.patch
Per PKI Bug Council of 09/14/2016: 10.4.0
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1376226
Pushed to master (ced5cb71c1963d5234c2360d1f2ac11d4a452d9d)
We set a 30 second sleep before replica prepare in tests, and it is not enough. Some tests are still randomly failing (but fewer than before); sometimes even manual testing needs more than 5 minutes to be able to create the replica file. It seems to me quite a long time just to get entries from LDAP; what is the recommended value for the sleep? I'm afraid that with this patch IPA may in future start failing with the error "failed to start CA", because we have a limit there of "just" 5 minutes. Even now the dogtag restart is the longest thing that happens during IPA installation.
So this state is now not good for automated provisioning or manual installation.
Metadata Update from @mbasti: - Issue assigned to ftweedal - Issue set to the milestone: 10.4.0
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2573
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.