#6226 ipa-replica-install in CA-less environment does not configure DS TLS - ipa-ca-install then fails on replica
Closed: Fixed. Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1365858

Description of problem:
Similar to BZ 1358752, when ipa-ca-install is triggered on a replica server which
is connected to an IPA master with no CA, ipa-ca-install fails with a pkispawn
error.

CA installation on a replica should warn the user about the non-existence of a CA on the IPA
master server rather than proceeding with the installation.

[root@ipareplica731301687 ~]# ipa server-role-find
-----------------------
12 server roles matched
-----------------------
  Server name: ipamaster731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: DNS server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: DNS server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: NTP server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: NTP server
  Role status: enabled

  Server name: ipamaster731301687.testrelm.test
  Role name: AD trust agent
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: AD trust agent
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: KRA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: KRA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: AD trust controller
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: AD trust controller
  Role status: absent
-----------------------------
Number of entries returned 12
-----------------------------
[root@ipareplica731301687 ~]# ipa-ca-install
Directory Manager (existing master) password:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/30]: creating certificate server user
  [2/30]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpsDHYbO' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install ipa-server without CA
2. Install ipa replica without CA
3. Trigger IPA CA installation on IPA Replica

Actual results:
ipa-ca-install fails with pkispawn error.

Expected results:
ipa-ca-install should warn the user about the non-existence of a CA on the IPA master server.
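The reproduction steps above come down to two conditions that can be checked before ipa-ca-install is run on the replica: whether any server in the topology has the CA server role enabled, and whether the replica's directory server completes a TLS handshake on the LDAPS port, which is what the fix in this ticket sets up. The following pre-flight check is an added example, not code from the FreeIPA project or from this ticket. It assumes the plain-text output format of `ipa server-role-find` shown above (the abbreviated sample embedded in the block is constructed from that output) and that DS, once TLS is configured, listens on the standard LDAPS port 636; the replica hostname is passed in by the caller.

```python
"""Pre-flight checks before running ipa-ca-install on a FreeIPA replica.

Added example, not FreeIPA project code. It assumes the plain-text output
format of `ipa server-role-find` shown in the ticket and that the replica's
directory server, once TLS is configured, listens on the standard LDAPS
port 636.
"""
import re
import socket
import ssl

# Constructed, abbreviated sample of `ipa server-role-find` output, modelled on
# the CA-less topology in the ticket (no server has the CA server role enabled).
SAMPLE_ROLE_OUTPUT = """\
----------------------
4 server roles matched
----------------------
  Server name: ipamaster731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: DNS server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: DNS server
  Role status: absent
----------------------------
Number of entries returned 4
----------------------------
"""

_FIELD = re.compile(r"^\s*(Server name|Role name|Role status):\s*(.+?)\s*$")


def parse_server_roles(text):
    """Turn the key/value blocks of `ipa server-role-find` output into dicts.

    A new record starts at every "Server name" line; separator lines and the
    match/entry-count headers carry no fields and are skipped.
    """
    records = []
    current = {}
    for line in text.splitlines():
        match = _FIELD.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "Server name" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def enabled_servers(records, role):
    """Sorted FQDNs of servers on which `role` has status "enabled"."""
    return sorted(r["Server name"] for r in records
                  if r.get("Role name") == role and r.get("Role status") == "enabled")


def ldaps_accepts_tls(host, port=636, timeout=3.0, cafile=None):
    """True if a TLS handshake on host:port completes and the certificate verifies.

    cafile: PEM bundle to trust; None uses the system store, which is what a
    CA-less deployment with an externally issued DS certificate relies on.
    A refused connection, a timeout or a handshake/verification failure
    (ssl.SSLError is a subclass of OSError) all yield False.
    """
    context = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:
        return False


def preflight(role_output, replica_fqdn, port=636, cafile=None):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if not enabled_servers(parse_server_roles(role_output), "CA server"):
        findings.append("topology has no server with the CA server role enabled")
    if not ldaps_accepts_tls(replica_fqdn, port=port, cafile=cafile):
        findings.append(f"{replica_fqdn}:{port} does not complete a TLS handshake; "
                        "DS TLS is not configured on this replica")
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    for finding in preflight(SAMPLE_ROLE_OUTPUT, host):
        print("WARNING:", finding)
```

In practice the role output would be captured from `ipa server-role-find` on the replica itself rather than taken from the embedded sample; the TLS probe is the part that would have caught the state described in this ticket, since an LDAPS port that is not listening fails before any CA-related step runs.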

The LDAPS port is not running on the replica. Combined with 276d167, it fails. A related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1358752

master:

  • 89de60c Enable LDAPS in replica promotion

This causes issues with replica installation:

$ ipa-replica-install
...

  [23/45]: configure dirsrv ccache
  [24/45]: enabling SASL mapping fallback
  [25/45]: restarting directory server
  [26/45]: creating DS keytab
  [27/45]: retrieving DS Certificate
  [28/45]: configuring ssl for ds instance
  [error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -O -n ipaCert' returned non-zero exit status 255
Your system may be partly configured.
[root@vm-058-195 ~]# /usr/bin/certutil -d /etc/httpd/alias -O -n ipaCert
certutil: Could not find: ipaCert
: PR_FILE_NOT_FOUND_ERROR: File not found

My bad, it worked for me during review because of #4639.

Sorry, it was an oversight on my side as well. New pull request should solve the issue.

master:

  • dd02741 Revert "Enable LDAPS in replica promotion"

With the proper fix (PR#41), ipa-replica-install fails with a notoriously hard-to-fix NSS error:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 786, in __enable_ssl
    self.nickname, self.fqdn, cadb)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 336, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 405, in issue_server_cert
    self.secdir, password, "ipaCert", **params)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 156, in https_request
    method=method, headers=headers)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 207, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
NetworkError: cannot connect to 'https://vm-058-011.abc.idm.lab.eng.brq.redhat.com:8443/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

However, I don't think this should block the release of 4.4.1, so I would just revert 89de60c and keep the ticket open.

#6488 was closed as a duplicate of this bug.

master:

  • 6f7d982 Set up DS TLS on replica in CA-less topology

Patch for 4.4 missing

ipa-4-4:

  • cdb6ffb Set up DS TLS on replica in CA-less topology

Metadata Update from @pvoborni:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.4.3

7 years ago
