#6274 [tracker] ipa-replica-prepare does not work under domain level 0
Closed: wontfix a year ago by rcritten. Opened 3 years ago by ofayans.

ipa-replica-prepare

# ipa-replica-prepare -p '<dm_password>' <replica_fqdn> -d --ip-address 192.168.122.70
Generating key.  This may take a few moments...
DEBUG: The ipa-replica-prepare command failed, exception: RuntimeError: Certificate issuance failed
ERROR: Certificate issuance failed
ERROR: The ipa-replica-prepare command failed.

The debug output obtained using Martin Basti's patch
is attached. Generally, it says: "Profile caIPAserviceCert Not Found"


Can you please provide the CA debug log?

What is the exact pki-ca package version involved?

Also, where does the CI script triggering the defect live?

It is not captured here, but the issue was that PKI incorrectly announces that it is ready when in fact it is not.

Reproduction step, on a faster machine:

  • run ipa-replica-prepare right away after ipa-server-install finishes (last step is IPA restart where PKI starts last or almost last)

I haven't had any success reproducing.

Oleg, could you please attach the whole log file
/var/log/pki/pki-tomcat/ca/debug and confirm the exact pki-ca package version
involved?

The pki-ca version is pki-ca-10.3.5-4.fc24.noarch

The debug log from master is attached

Workaround for the CI tests:

master:

  • 91b51e7 CI: workaround: wait for dogtag before replica-prepare

#6374 was closed as duplicate of this ticket

Metadata Update from @ofayans:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.5 backlog

3 years ago

Metadata Update from @stlaz:
- Issue close_status updated to: None

3 years ago

Attaching a new "debug" log file as the old one is gone. For the record: increasing time.sleep to 45 (in tasks.py) did not help in my local test environment.
debug

Metadata Update from @mreznik:
- Custom field component reset
- Custom field external_tracker reset
- Custom field rhbz reset
- Custom field test_case reset
- Custom field test_coverage reset
- Custom field tester reset
- Custom field type reset
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)

3 years ago

@mreznik how often does it behave this way (45s won't help)?

@pvoborni sorry, missed the question. Tried a couple of times. Sometimes even 90s won't help (but sometimes yes).

From triage:

  • We should remove the IPA workaround to confirm that issue is resolved.

@ftweedal in which dogtag version is it fixed?

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.6

2 years ago

Metadata Update from @mbasti:
- Assignee reset

2 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.6.1 (was: FreeIPA 4.6)

2 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.6.1)

2 years ago

Metadata Update from @tdudlak:
- Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

2 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

2 years ago

Domain level 0 is now deprecated, closing.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

a year ago
