#6471 DL0 server-install --setup-ca fails when adding CA entry (contacts wrong master)
Opened 7 years ago by ftweedal. Modified 6 years ago

When installing a replica (master branch) from an IPA 4.2 master,
installation fails when adding the IPA CA entry, because it
attempts to contact the first master to ask it about the authority ID,
and it is running an older version of Dogtag that does not know about
lightweight CAs.

Possible approaches to resolve include reading the authority ID directly out
of LDAP instead of contacting Dogtag, or overriding / resetting the ca_host
that gets contacted. However, the problem could be larger than this, i.e.
the system that chooses a Dogtag instance to contact may need to be made more
robust than it currently is.


Traceback:

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 397, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 387, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1930, in ensure_ipa_authority_entry
    data = lwca.read_ca('host-authority')
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 2122, in read_ca
    'GET', ca_id, headers={'Accept': 'application/json'})
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1353, in _ssldo
    % {'status': status, 'explanation': explanation}
HTTPRequestError: Request failed with status 404: Non-2xx response from CA REST API: 404.

Is it a regression introduced in the refactoring or another "master"-only effort? Or is it also present in the 4.4 branch?

Petr, I was able to successfully install a 4.4 replica (RHEL 7.3) from a 4.2 master (RHEL 7.2).
Seems to affect master only.

Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.5

7 years ago

Metadata Update from @mbasti:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

7 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)

6 years ago

FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)

6 years ago

I have now also seen a similar problem occur in migration from RHEL 6.9 to
RHEL 7.4, during LDAP profile import. The import is attempted against the RHEL 6.9
master, which fails because LDAP profile support is not implemented there.
