#6207 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full
Closed: Fixed None Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1358752

Description of problem:
After promoting IPA server from CA-less to CA-full, ipa-ca-install fails to
install CA on replica server.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install IPA server

[root@ipamaster1 ca1]# ipa-server-install --ip-address $(ip addr|grep
"global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) -r testrelm.test -p
'Secret123' -a 'Secret123' --setup-dns --forwarder 10.65.201.89 -U
--dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin
Secret123 --http-pin Secret123


2. Install CA-less replica

[root@ipareplica1 ca1]# ipa-replica-install -U --dirsrv-cert-file=./replica.p12
--http-cert-file=./replica.p12 --dirsrv-pin Secret123 --http-pin Secret123 -P
admin -w Secret123


3. Promote IPA server from CA-less to CA-full

[root@ipamaster1 ca1]# ipa-ca-install

4. Try to promote IPA replica from CA-less to CA-full

[root@ipareplica1 ca1]# ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning:
Certificate has no `subjectAltName`, falling back to check for a `commonName`
for now. This feature is being removed by major browsers and deprecated by RFC
2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
seconds
  [1/25]: creating certificate server user
  [2/25]: creating certificate server db
  [3/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [4/25]: creating installation admin user
  [5/25]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpzHP3HH' returned
non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.


Actual results:
IPA replica promotion from CA-less to CA-full fails with stack trace

Expected results:
IPA replica should be converted from CA-less to CA-full.

Additional info:

1. Excerpt from /var/log/pki/pki-tomcat/ca/debug on replica

[21/Jul/2016:07:36:45][http-bio-8443-exec-3]: Getting install token
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: Getting domain XML
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: ConfigurationUtils: getting
domain info
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: ConfigurationUtils: GET
https://ipamaster1.testrelm.test:443/ca/admin/ca/getDomainXML
javax.ws.rs.ProcessingException: Unable to invoke request
<snip>
</snip>
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpC
lient.java:805)
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invo
ke(ApacheHttpClient4Engine.java:283)
        ... 73 more
[21/Jul/2016:07:36:47][http-bio-8443-exec-3]: Failed to obtain security domain
decriptor from security domain master: javax.ws.rs.ProcessingException: Unable
to invoke request

master:

  • 6581389 custodia: include known CA certs in the PKCS#12 file for Dogtag

ipa-replica-install is failing

...
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 180, in get_ca_keys
    self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 161, in __get_keys
    self.import_ca_certs(tmpdb, True)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 328, in import_ca_certs
    conn, self.suffix, self.realm, ca_is_configured)
  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 422, in get_ca_certs_nss
    filter_subject=filter_subject)
  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 292, in get_ca_certs
    'cACertificate;binary'])
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1433, in find_entries
    break
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 999, in error_handler
    error=info)
2016-08-31T15:46:34Z DEBUG The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-DOM-058-201-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket': 
2016-08-31T15:46:34Z ERROR cannot connect to 'ldapi://%2fvar%2frun%2fslapd-DOM-058-201-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket':

master:

  • 17ea4ae custodia: force reconnect before retrieving CA certs from LDAP

Metadata Update from @pvoborni:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.4.1

7 years ago

Login to comment on this ticket.

Metadata