#6757 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica
Closed: fixed 7 years ago Opened 7 years ago by mbabinsk.

When installing replica from a current master branch, the following series of tracebacks can be seen in certmonger journal output:

Mar 13 16:11:45 replica1.ipa.test systemd[1]: Started Certificate monitoring and PKI enrollment.
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7890]: Traceback (most recent call last):
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
                                                                              sys.exit(main())
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
                                                                              api.Backend.ldap2.connect()
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
                                                                              conn = self.create_connection(*args, **kw)
                                                                            File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
                                                                              principal = krb_utils.get_principal(ccache_name=ccache)
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
                                                                              raise errors.CCacheError(message=unicode(e))
                                                                          CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7887]: Traceback (most recent call last):
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
                                                                              sys.exit(main())
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
                                                                              api.Backend.ldap2.connect()
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
                                                                              conn = self.create_connection(*args, **kw)
                                                                            File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
                                                                              principal = krb_utils.get_principal(ccache_name=ccache)
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
                                                                              raise errors.CCacheError(message=unicode(e))
                                                                          CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7889]: Traceback (most recent call last):
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
                                                                              sys.exit(main())
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
                                                                              api.Backend.ldap2.connect()
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
                                                                              conn = self.create_connection(*args, **kw)
                                                                            File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
                                                                              principal = krb_utils.get_principal(ccache_name=ccache)
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
                                                                              raise errors.CCacheError(message=unicode(e))
                                                                          CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7888]: Traceback (most recent call last):
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
                                                                              sys.exit(main())
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
                                                                              api.Backend.ldap2.connect()
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
                                                                              conn = self.create_connection(*args, **kw)
                                                                            File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
                                                                              principal = krb_utils.get_principal(ccache_name=ccache)
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
                                                                              raise errors.CCacheError(message=unicode(e))
                                                                          CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7894]: Traceback (most recent call last):
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
                                                                              sys.exit(main())
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
                                                                              api.Backend.ldap2.connect()
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
                                                                              conn = self.create_connection(*args, **kw)
                                                                            File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
                                                                              principal = krb_utils.get_principal(ccache_name=ccache)
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
                                                                              raise errors.CCacheError(message=unicode(e))
                                                                          CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7893]: Traceback (most recent call last):
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
                                                                              sys.exit(main())
                                                                            File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
                                                                              api.Backend.ldap2.connect()
                                                                            File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
                                                                              conn = self.create_connection(*args, **kw)
                                                                            File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
                                                                              principal = krb_utils.get_principal(ccache_name=ccache)

It may be that these messages are actually harmless since in the end the certificate requests are successfully resolved, but it may be more helpful to catch these exceptions and log them as soft errors.

Relevant software versions.

[root@replica1 ~]# rpm -q freeipa-server gssproxy
freeipa-server-4.4.90.dev201703131430+git5758f8a-0.fc25.x86_64
gssproxy-0.7.0-1.fc25.x86_64
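
A triage sketch for journal output like the above, added here as an example and not part of the original ticket or of FreeIPA's code: it attaches each traceback's continuation lines to the helper PID, extracts the final exception and the GSS major/minor codes, and collapses repeats. The function names and the sample text (abbreviated from the ticket's log layout) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, abbreviated from the journal layout in this ticket:
# one timestamped head line per message, indented continuation lines after it.
SAMPLE = """\
Mar 13 16:11:45 replica1.ipa.test systemd[1]: Started Certificate monitoring and PKI enrollment.
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7890]: Traceback (most recent call last):
    File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
      api.Backend.ldap2.connect()
    CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7887]: Traceback (most recent call last):
      api.Backend.ldap2.connect()
    CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7893]: Traceback (most recent call last):
    File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
      api.Backend.ldap2.connect()
"""

HEAD = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^\s\[]+)\[(\d+)\]: (.*)$")
EXC = re.compile(r"^(\w+(?:\.\w+)*): (.*)$")  # final "ExcName: message" line
GSS = re.compile(r"Major \((\d+)\).*?Minor \((\d+)\)")

def parse_tracebacks(journal_text):
    """Return one record per logged traceback, keyed to the helper PID."""
    records, current = [], None
    for line in journal_text.splitlines():
        head = HEAD.match(line)
        if head:
            current = None  # a new message ends any traceback in progress
            when, host, unit, pid, payload = head.groups()
            if payload.startswith("Traceback (most recent call last):"):
                current = dict.fromkeys(("exception", "major", "minor", "routine_error"))
                current.update(time=when, host=host, unit=unit, pid=int(pid))
                records.append(current)
        elif current is not None and line[:1].isspace():
            exc = EXC.match(line.strip())
            if exc:
                current["exception"] = exc.group(1)
                codes = GSS.search(exc.group(2))
                if codes:
                    major, minor = map(int, codes.groups())
                    # GSS-API routine error lives in bits 16-23 of the major status.
                    current.update(major=major, minor=minor, routine_error=(major >> 16) & 0xFF)
    return records

def summarize(records):
    """Collapse repeats: (unit, exception, minor code) -> number of tracebacks."""
    return Counter((r["unit"], r["exception"] or "<truncated>", r["minor"]) for r in records)
```

Routine error 13 is `GSS_S_FAILURE`, the generic failure, so the minor code is what identifies the missing-credentials cause. A traceback cut off before its exception line, like the last one in the ticket's log, is counted as `<truncated>` rather than dropped.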

Metadata Update from @jcholast:
- Issue assigned to jcholast

7 years ago

Metadata Update from @pvoborni:
- Issue priority set to: 1
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: regression

7 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1435611

7 years ago

master:

  • b189be1 dsinstance: reconnect ldap2 after DS is restarted by certmonger
  • 8a85586 httpinstance: avoid httpd restart during certificate request
  • ec52332 dsinstance, httpinstance: consolidate certificate request code
  • 181cb94 install: request service certs after host keytab is set up
  • 3884a67 renew agent: revert to host keytab authentication
  • a6a89e2 renew agent, restart scripts: connect to LDAP after kinit

ipa-4-5:

  • 3a3cd01 dsinstance: reconnect ldap2 after DS is restarted by certmonger
  • 029da95 httpinstance: avoid httpd restart during certificate request
  • 3317e17 dsinstance, httpinstance: consolidate certificate request code
  • cb141b0 install: request service certs after host keytab is set up
  • 1a7db62 renew agent: revert to host keytab authentication
  • e9168e8 renew agent, restart scripts: connect to LDAP after kinit

Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @stlaz:
- Issue status updated to: Open (was: Closed)

7 years ago

Metadata Update from @stlaz:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/719

7 years ago

master:

  • 25a33ce server-install: No double Kerberos install

ipa-4-5:

  • 2144eaf server-install: No double Kerberos install

Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago
