When installing a replica (master branch) from an IPA 4.2 master, installation fails when adding the IPA CA entry, because it attempts to contact the first master to ask it about the authority ID, and it is running an older version of Dogtag that does not know about lightweight CAs.
Possible approaches to resolve include reading the authority ID directly out of LDAP instead of contacting Dogtag, or overriding / resetting the ca_host that gets contacted. However, the problem could be larger than this, i.e. the system that chooses a Dogtag instance to contact may need to be made more robust than it currently is.
Traceback:
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 397, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 387, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1930, in ensure_ipa_authority_entry
    data = lwca.read_ca('host-authority')
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 2122, in read_ca
    'GET', ca_id, headers={'Accept': 'application/json'})
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1353, in _ssldo
    % {'status': status, 'explanation': explanation}
HTTPRequestError: Request failed with status 404: Non-2xx response from CA REST API: 404.
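Added illustration (not FreeIPA or Dogtag code) of the two approaches the description suggests: prefer a CA master that actually supports lightweight CAs rather than blindly using the configured ca_host, and fall back to the authority ID stored in LDAP when the REST API answers 404. The hostnames, the capability flag and the authority data are constructed stand-ins.

```python
"""Robust lookup of a lightweight-CA authority ID (hypothetical helper, not FreeIPA code)."""
from dataclasses import dataclass, field


class HTTPRequestError(Exception):
    """Mimics the error raised by the CA REST client on a non-2xx response."""
    def __init__(self, status):
        super().__init__("Request failed with status %d" % status)
        self.status = status


@dataclass
class CAMaster:
    hostname: str
    supports_lwca: bool                     # constructed: does this Dogtag know lightweight CAs?
    authorities: dict = field(default_factory=dict)  # constructed: authority name -> id

    def rest_read_ca(self, ca_id):
        """Stand-in for GET /ca/rest/authorities/<id>; an old Dogtag has no such resource."""
        if not self.supports_lwca or ca_id not in self.authorities:
            raise HTTPRequestError(404)
        return {"id": self.authorities[ca_id]}


def select_ca_host(masters, preferred=None):
    """Use the configured ca_host only if it supports lightweight CAs, else any capable master."""
    capable = [m for m in masters if m.supports_lwca]
    if not capable:
        return None
    for m in capable:
        if m.hostname == preferred:
            return m
    return capable[0]


def read_authority_id(masters, ca_id, ldap_authorities, preferred=None):
    """Return (authority_id, source). REST is tried first; a 404 falls back to LDAP."""
    host = select_ca_host(masters, preferred)
    if host is not None:
        try:
            return host.rest_read_ca(ca_id)["id"], "rest:" + host.hostname
        except HTTPRequestError as e:
            if e.status != 404:
                raise                       # only the "unknown resource" case is recoverable
    if ca_id in ldap_authorities:            # constructed: ipacaid attribute read from cn=cas
        return ldap_authorities[ca_id], "ldap"
    raise LookupError("authority %r not found via REST or LDAP" % ca_id)
```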
Is it a regression introduced in the refactoring or other "master" only effort? Or is it present also in 4.4 branch?
Petr, I was able to successfully install 4.4 replica (RHEL 7.3) from 4.2 master (RHEL 7.2). Seems to affect master only.
Metadata Update from @ftweedal: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @mbasti: - Issue close_status updated to: None - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)
FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)
I have now also seen a similar problem occur in migration from RHEL 6.9 to RHEL 7.4, during LDAP profile import. The import is attempted against the RHEL 6.9 master, which fails because LDAP profile support is not implemented there.