#5721 error installing ca-less replica with valid certificates
Closed: Duplicate. Opened 5 years ago by ofayans.

The following error is thrown when attempting to install a ca-less replica under domain level 1:
{{{
(part of the output skipped)

[5/18]: enabling mod_nss renegotiate
[6/18]: adding URL rewriting rules
[7/18]: configuring httpd
[8/18]: setting up httpd keytab
[9/18]: setting up ssl
[error] NotFound: no such entry
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
}}}

Steps to reproduce:

  1. Export the following environmental variables:
    • domain - domain name
    • server1 - master hostname
    • server2 - replica hostname
    • client - client hostname (any arbitrary hostname)
    • dbdir - name of the certificate database folder (will be created)
    • crl_path - a folder for crl files (will be created)
    • dirman_password
  2. Run the attached script to generate the set of certificates
  3. Export the server cert:
    {{{pk12util -o "server.p12" -n "ca1/server" -d "<dbdir>" -K "<cert_password>" -W "<dirman_password>"}}}
  4. Export the pem file:
    {{{certutil -L -d "<dbdir>" -n "ca1" -a > root.pem}}}
  5. Copy root.pem and server.p12 over to the future master
  6. Install the ca-less master with the following command:
    {{{ipa-server-install --http-cert-file server.p12 --dirsrv-cert-file server.p12 --ca-cert-file root.pem --ip-address <server_ip> -r <realm_name> -n <domain_name> -p <dirman_pass> -a <admin_pass> --setup-dns --forwarder <forwarder_ip> --domain-level 1 --http-pin <dirman_password> --dirsrv-pin <dirman_password> -U}}}
  7. Export the replica cert:
    {{{pk12util -o "replica.p12" -n "ca1/replica" -d "<dbdir>" -K "<cert_password>" -W "<dirman_password>"}}}
    and copy the replica.p12 file over to the future replica
  8. Run the following command on the replica to install it:
    {{{ipa-replica-install -p <dirman_password> -U --http-cert-file replica.p12 --dirsrv-cert-file replica.p12 --http-pin <dirman_password> --dirsrv-pin <dirman_password> -P admin -n <domain> -r <REALM>}}}
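The certificate-generation script the reporter attached is not reproduced on this page. The following is an added example, written for this page and not the reporter's script nor FreeIPA project code, of a POSIX shell script that covers what steps 1 to 4 and 7 need: it creates an NSS database, a self-signed test CA nicknamed `ca1`, and server and replica certificates nicknamed `ca1/server` and `ca1/replica` carrying subjectAltName entries for `$server1` and `$server2`, then exports them with the same `pk12util` and `certutil` invocations the steps show. Assumptions: `certutil` and `pk12util` (nss-tools) are on PATH; `cert_password` (the NSS database password, which the ticket does not list among its environment variables) defaults to `dirman_password`; `crl_path` is created but no CRL distribution point extension is added; the function names are this example's own. Certificate generation only runs when the script is invoked as `sh gen-certs.sh run`, so sourcing it merely defines the functions.

```shell
#!/bin/sh
# Added example: a stand-in for the ticket's attached certificate script.
# Builds a throwaway NSS CA "ca1", issues "ca1/server" and "ca1/replica"
# certificates for $server1 and $server2, and exports them as steps 3, 4 and 7
# do. Assumes nss-tools on PATH; cert_password is the NSS database password.
set -eu

# Environment variables the ticket's procedure relies on (step 1).
REQUIRED_VARS="domain server1 server2 client dbdir crl_path dirman_password"

# Return 0 when every required variable is set and non-empty, 1 otherwise,
# naming the missing ones on stderr. Pure shell, no NSS tools involved.
check_env() {
    missing=""
    for v in $REQUIRED_VARS; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    [ -z "$missing" ] || { echo "missing environment variables:$missing" >&2; return 1; }
}

# certutil -8 subjectAltName list for one host. FreeIPA validates the
# certificate against the host's FQDN, so a cert lacking a matching SAN is a
# frequent reason a CA-less install is rejected before it even starts.
san_for() {
    printf 'dns:%s' "$1"
}

# Create the database and a self-signed CA. certutil -2 (basic constraints)
# prompts interactively (CA? / path length? / critical?), so the answers are
# fed on stdin: yes, no path length limit, mark the extension critical.
make_ca() {
    mkdir -p "$dbdir" "$crl_path"
    (umask 077; printf '%s\n' "$cert_password" > "$dbdir/pwdfile")
    head -c 1024 /dev/urandom > "$dbdir/noise"
    certutil -N -d "$dbdir" -f "$dbdir/pwdfile"
    printf 'y\n\ny\n' | certutil -S -d "$dbdir" -f "$dbdir/pwdfile" -z "$dbdir/noise" \
        -n ca1 -s "CN=ca1,O=$domain" -x -t "CT,C,C" -2 -v 120 -Z SHA256 \
        --keyUsage certSigning,crlSigning
}

# Issue a host certificate signed by ca1. The nickname "ca1/<role>" is what
# steps 3 and 7 pass to pk12util -n.
make_host_cert() {
    role="$1"; host="$2"
    certutil -S -d "$dbdir" -f "$dbdir/pwdfile" -z "$dbdir/noise" \
        -n "ca1/$role" -s "CN=$host,O=$domain" -c ca1 -t ",," -v 24 -Z SHA256 \
        -8 "$(san_for "$host")" --keyUsage digitalSignature,keyEncipherment \
        --extKeyUsage serverAuth
}

# Steps 3 and 7: PKCS#12 export. -K is the NSS db password, -W the p12 password.
export_p12() {
    pk12util -o "$2" -n "ca1/$1" -d "$dbdir" -K "$cert_password" -W "$dirman_password"
}

# Step 4: CA certificate in PEM form for --ca-cert-file.
export_ca_pem() {
    certutil -L -d "$dbdir" -n ca1 -a > "$1"
}

main() {
    check_env
    : "${cert_password:=$dirman_password}"   # assumption: db password defaults to dirman_password
    make_ca
    make_host_cert server "$server1"
    make_host_cert replica "$server2"
    export_p12 server server.p12
    export_p12 replica replica.p12
    export_ca_pem root.pem
    echo "wrote server.p12 replica.p12 root.pem (database: $dbdir)"
}

# Only touch the NSS tools when explicitly asked: sh gen-certs.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

After `run`, `certutil -L -d "$dbdir" -n ca1/server` should show the SAN and the `ca1` issuer; that is the same check the installer effectively performs when it maps the PKCS#12 contents against the master's and replica's hostnames.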

Expected results:

The installation is successful

Actual results:

The installation fails.

The installation log is attached


looks like a regression

based on

{{{
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 185, in install_http
    ca_is_configured=ca_is_configured, promote=promote)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 190, in create_instance
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 446, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 436, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 343, in __setup_ssl
    self.add_cert_to_service()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 311, in add_cert_to_service
    entry = self.admin_conn.get_entry(dn)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in get_entry
    size_limit=size_limit
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1382, in find_entries
    break
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 9
}}}

Closing it as a duplicate of #5789 - in both instances the http service entry is missing

Metadata Update from @ofayans:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.3.2

4 years ago
