This is expected behavior but hard to debug.
The issue happens if IPv6 is disabled and the master is missing the following line in /etc/hosts:
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
If that happens, PKI doesn't listen on port 8009 and thus requests from certmonger fail with CA_UNREACHABLE.
Question: how to mitigate/detect/fix this issue?
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1398600 (Red Hat Enterprise Linux 7)
The usual symptom of this bug is the following failure:
[root@ipa ~]# ipa-replica-install --mkhomedir --no-ssh --no-sshd --no-ntp
Run connection check to master
Connection check OK
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
ipa : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@EXAMPLE.service' returned non-zero exit status 1). See the installation log for details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
The root cause is an unreported failure in step "[27/44]: retrieving DS Certificate".
Reporting of the failure was fixed in bug #6514
master:
Leaving open until the ipa-4-4 commit is pushed
ipa-4-4:
Workaround:
add the following line to /etc/hosts:
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
or replace, in server.xml,
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" />
with
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost" />
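As an added example (not FreeIPA or PKI code) answering the "how to detect" part of the ticket, this script checks the two conditions described above on a master: whether /etc/hosts maps ::1 to localhost (comments and aliases handled the way the resolver reads the file) and whether IPv6 is disabled via the standard disable_ipv6 sysctl, then does a best-effort connect to the AJP port 8009. The sample hosts-file contents are constructed for demonstration.

```python
# Added example (not FreeIPA code): detect the condition from this ticket.
import socket
from pathlib import Path

REQUIRED_LINE = "::1 localhost localhost.localdomain localhost6 localhost6.localdomain6"

def ipv6_localhost_names(hosts_text):
    """Return every hostname the hosts-file content maps to ::1.
    Comments (#...) and blank lines are skipped, as the resolver skips them."""
    names = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if fields and fields[0] == "::1":
            names.update(fields[1:])
    return names

def hosts_has_ipv6_localhost(hosts_text):
    """True when ::1 resolves to 'localhost', i.e. the entry PKI needs is present."""
    return "localhost" in ipv6_localhost_names(hosts_text)

def ipv6_disabled(sysctl_path="/proc/sys/net/ipv6/conf/all/disable_ipv6"):
    """True if IPv6 is disabled via sysctl; None when the file cannot be read."""
    try:
        return Path(sysctl_path).read_text().strip() == "1"
    except OSError:
        return None

def ajp_port_open(host="localhost", port=8009, timeout=2.0):
    """Best-effort TCP connect to the AJP port PKI should be listening on."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(hosts_text, ipv6_off):
    """Combine the two conditions from the ticket into a verdict string."""
    present = hosts_has_ipv6_localhost(hosts_text)
    if not present and ipv6_off:
        return "AT RISK: IPv6 disabled and ::1 localhost missing; add: " + REQUIRED_LINE
    if not present:
        return "WARN: ::1 localhost missing from /etc/hosts"
    return "OK: ::1 localhost present"

# Constructed sample hosts files (not captured from a real system).
HOSTS_OK = "127.0.0.1 localhost localhost.localdomain\n" + REQUIRED_LINE + "\n"
HOSTS_BROKEN = "127.0.0.1 localhost localhost.localdomain\n#::1 localhost\n"

if __name__ == "__main__":
    print(diagnose(Path("/etc/hosts").read_text(), ipv6_disabled()))
    print("port 8009 reachable:", ajp_port_open())
```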
Metadata Update from @pvoborni: - Issue assigned to frenaud - Issue set to the milestone: FreeIPA 4.4.4