#6577 ipa-ca-install fails for the second server after converting from CA-less to CA-full
Closed 5 years ago Opened 7 years ago by tkrizek.

During a review of PR https://github.com/freeipa/freeipa/pull/355 that fixes #6226 (which has to be fixed before it's possible to encounter this bug) I encountered the following issue.

After installing a CA-less master and a CA-less replica, install a CA on one of the servers. The installation should succeed. Afterwards, attempt to install a CA on the other server. The installation will end with the error message "CA did not start in 300 seconds." Please note that it does not matter whether you first install the CA on the master or the replica: the first installation always succeeds, while the second one fails.

The relevant logs show that pki-tomcat fails to connect to LDAPS on port 636, which is actually running and listening for connections. There is probably an issue with the propagation of the CA certificate to the other servers during ipa-ca-install, because running ipa-certupdate seems to fix the problem.

/var/log/pki/pki-tomcat/ca/debug

[21/Dec/2016:12:43:46][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host vm-058-045.example.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)

/var/log/dirsrv/slapd-DOM-058-045-EXAMPLE-COM/access

[21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from 10.34.58.45 to 10.34.58.45
[21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
[21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
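
A triage check for the failure signature quoted above, added here as an example and not part of the ticket or of FreeIPA's own code: it correlates a pki-tomcat LDAP connect failure with result 48 (inappropriateAuthentication, RFC 4511) against a SASL/EXTERNAL bind in the 389-ds access log, the combination that points at a server which does not yet trust the CA certificate. The log line formats, the 5-second correlation window and the sample lines are assumptions modelled on what the ticket quotes.

```python
import re
from datetime import datetime, timedelta
# LDAP result 48 = inappropriateAuthentication (RFC 4511): 389-ds refused the SASL/EXTERNAL
# bind, i.e. it did not accept pki-tomcat's client certificate (the ticket's failure signature).
INAPPROPRIATE_AUTHENTICATION = 48
TS_FMT = "%d/%b/%Y:%H:%M:%S"
PKI_TS = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\]")
PKI_FAIL = re.compile(r"Could not connect to LDAP server host (\S+) port (\d+) .*\((\d+)\)$")
ACCESS = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4}\] conn=(\d+) (.*)$")
# Constructed sample input, modelled on the log lines quoted in the ticket (not real captures).
SAMPLE_DEBUG = """[21/Dec/2016:12:43:46][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host vm-058-045.example.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)"""
SAMPLE_ACCESS = """[21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from 10.34.58.45 to 10.34.58.45
[21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
[21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL"""

def pki_ldap_failures(debug_log):
    """Yield (ts, host, port, ldap_result) per failed LDAP connect; the failure line carries no
    timestamp of its own, so the most recent timestamped debug line supplies it."""
    last_ts = None
    for line in debug_log.splitlines():
        if m := PKI_TS.match(line):
            last_ts = datetime.strptime(m.group(1), TS_FMT)
        if (m := PKI_FAIL.search(line)) and last_ts is not None:
            yield last_ts, m.group(1), int(m.group(2)), int(m.group(3))

def external_binds(access_log):
    """Yield (ts, conn) for every SASL/EXTERNAL bind attempted on a TLS-protected connection."""
    tls_conns = set()
    for line in access_log.splitlines():
        if not (m := ACCESS.match(line)):
            continue
        ts, conn, rest = datetime.strptime(m.group(1), TS_FMT), int(m.group(2)), m.group(3)
        if "SSL connection from" in rest:
            tls_conns.add(conn)
        elif conn in tls_conns and "method=sasl" in rest and "mech=EXTERNAL" in rest:
            yield ts, conn

def find_stale_ca_trust(debug_log, access_log, window=timedelta(seconds=5)):
    """Correlate each pki-tomcat auth failure (48) with an EXTERNAL bind seen by 389-ds within
    `window`; a match means this host does not yet trust the CA's certificate chain."""
    binds = list(external_binds(access_log))
    findings = []
    for ts, host, port, code in pki_ldap_failures(debug_log):
        for bind_ts, conn in binds:
            if code == INAPPROPRIATE_AUTHENTICATION and abs(bind_ts - ts) <= window:
                findings.append({"host": host, "port": port, "conn": conn, "ldap_result": code,
                                 "remediation": "run ipa-certupdate, then retry ipa-ca-install"})
    return findings
```

The remediation string is the workaround the reporter observed on this ticket; the check only flags the pattern and never changes the system.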

Metadata Update from @tkrizek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.5

7 years ago

Metadata Update from @mbasti:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

7 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)

6 years ago

FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)

6 years ago

ipa-certupdate is a necessary step. I guess it would make sense to perform it as the first step of the ipa-ca-install on the other replicas.

Metadata Update from @ftweedal:
- Issue assigned to ftweedal (was: jcholast)

6 years ago

Metadata Update from @pvoborni:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1232

6 years ago

master:

  • 93d53e5 CertUpdate: make it easy to invoke from other programs
  • 8960141 ipa-ca-install: run certupdate as initial step
  • 97942a7 Run certupdate after promoting to CA-ful deployment
  • 39fdc2d ipa_certupdate: avoid classmethod and staticmethod

ipa-4-6:

  • 75e4cf1 CertUpdate: make it easy to invoke from other programs
  • 75a3ede ipa-ca-install: run certupdate as initial step
  • cd4d9cc Run certupdate after promoting to CA-ful deployment
  • 5eab20e ipa_certupdate: avoid classmethod and staticmethod

Currently, there is no expectation for another 4.5 release. This issue is fixed in 4.6, 4.7, and master, thus closing.

Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.6 (was: FreeIPA 4.5.5)
- Issue status updated to: Closed (was: Open)

5 years ago
