Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1365858
Description of problem:
Similar to BZ 1358752, when ipa-ca-install is triggered on a replica server that is connected to an IPA master with no CA, ipa-ca-install fails with a pkispawn error. CA installation on the replica should warn the user that no CA exists on the IPA master rather than proceeding with the installation.

[root@ipareplica731301687 ~]# ipa server-role-find
-----------------------
12 server roles matched
-----------------------
  Server name: ipamaster731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: DNS server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: DNS server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: NTP server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: NTP server
  Role status: enabled

  Server name: ipamaster731301687.testrelm.test
  Role name: AD trust agent
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: AD trust agent
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: KRA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: KRA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: AD trust controller
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: AD trust controller
  Role status: absent
-----------------------------
Number of entries returned 12
-----------------------------

[root@ipareplica731301687 ~]# ipa-ca-install
Directory Manager (existing master) password:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/30]: creating certificate server user
  [2/30]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpsDHYbO' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install ipa-server without CA
2. Install ipa replica without CA
3. Trigger IPA CA installation on IPA Replica

Actual results:
ipa-ca-install fails with pkispawn error.

Expected results:
ipa-ca-install should warn user about non-existence of CA on IPA master server.
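The pre-flight check the report asks for, written out as an added example (not FreeIPA code, and not the fix that eventually landed): it parses the plain-text output of `ipa server-role-find` reproduced above and refuses to proceed when no server in the topology has an enabled "CA server" role, instead of letting pkispawn fail halfway through. The function names (`parse_server_roles`, `enabled_servers`, `check_ca_available`) and the exception class are hypothetical; the second sample, in which the master does have a CA, is constructed for the example.

```python
"""Pre-flight check for ipa-ca-install: refuse to run when no server in the
topology has an enabled "CA server" role.

Added example for this ticket, not code from FreeIPA. It parses the plain-text
output of `ipa server-role-find` rather than using the ipalib API, so it can be
run offline against captured output; the function names are hypothetical.
"""
import subprocess
from typing import Dict, List


class NoCAInTopology(RuntimeError):
    """Raised when no enabled CA server exists, so pkispawn would fail later."""


# Output of `ipa server-role-find` reproduced from the report above, trimmed to
# the CA rows plus one unrelated role so the parser has to skip it.
ROLES_NO_CA = """\
-----------------------
12 server roles matched
-----------------------
  Server name: ipamaster731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: DNS server
  Role status: enabled
-----------------------------
Number of entries returned 12
-----------------------------
"""

# Constructed variant (not from the report): the master does have a CA.
ROLES_WITH_CA = ROLES_NO_CA.replace(
    "ipamaster731301687.testrelm.test\n  Role name: CA server\n  Role status: absent",
    "ipamaster731301687.testrelm.test\n  Role name: CA server\n  Role status: enabled",
)


def parse_server_roles(text: str) -> List[Dict[str, str]]:
    """Split `ipa server-role-find` output into one dict per entry.

    An entry is a run of "Key: value" lines; a blank line, a dashed separator
    or any other line without a colon terminates it.
    """
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def enabled_servers(text: str, role: str = "CA server") -> List[str]:
    """Return the servers on which the named role is enabled (sorted, unique)."""
    return sorted({
        e["Server name"]
        for e in parse_server_roles(text)
        if e.get("Role name") == role and e.get("Role status") == "enabled"
    })


def check_ca_available(text: str) -> str:
    """Return a host that can serve as the CA to clone from, or raise."""
    cas = enabled_servers(text, "CA server")
    if not cas:
        raise NoCAInTopology(
            "no server in the topology has an enabled CA server role; "
            "install a CA on the master first instead of letting pkispawn "
            "fail on this replica"
        )
    return cas[0]


def main() -> int:
    # Only this path talks to IPA; it needs a valid admin Kerberos ticket.
    out = subprocess.run(["ipa", "server-role-find"], check=True,
                         capture_output=True, text=True).stdout
    try:
        print("CA available on", check_ca_available(out))
        return 0
    except NoCAInTopology as err:
        print("ipa-ca-install pre-flight check failed:", err)
        return 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it on the replica before ipa-ca-install; with the topology from the report it exits 1 and prints the warning, whereas with a CA enabled anywhere it prints the host to clone from and exits 0. Checking the role status rather than just the presence of a "CA server" row matters, because the rows exist for every server even when the role is absent.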
LDAPS port is not running on the replica. Combined with 276d167, it fails. A related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1358752
master:
This causes issues with replica installation:
$ ipa-replica-install
...
  [23/45]: configure dirsrv ccache
  [24/45]: enabling SASL mapping fallback
  [25/45]: restarting directory server
  [26/45]: creating DS keytab
  [27/45]: retrieving DS Certificate
  [28/45]: configuring ssl for ds instance
  [error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -O -n ipaCert' returned non-zero exit status 255
Your system may be partly configured.

[root@vm-058-195 ~]# /usr/bin/certutil -d /etc/httpd/alias -O -n ipaCert
certutil: Could not find: ipaCert
: PR_FILE_NOT_FOUND_ERROR: File not found
My bad, it worked for me during review because of #4639.
Sorry, it was an oversight on my side as well. New pull request should solve the issue.
With the proper fix (PR#41), ipa-replica-install fails with a notoriously hard-to-fix NSS error:

ipa-replica-install
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 786, in __enable_ssl
    self.nickname, self.fqdn, cadb)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 336, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 405, in issue_server_cert
    self.secdir, password, "ipaCert", **params)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 156, in https_request
    method=method, headers=headers)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 207, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
NetworkError: cannot connect to 'https://vm-058-011.abc.idm.lab.eng.brq.redhat.com:8443/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
However, I don't think this should block the release of 4.4.1, so I would just revert 89de60c and keep the ticket open.
#6488 was closed as dup of this bug.
Patch for 4.4 missing
ipa-4-4:
Metadata Update from @pvoborni: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.4.3