Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1442815
Created attachment 1272108 rhel69 master pki debug

Description of problem:
During Replica install on RHEL-7.4 from RHEL-6.9 master, pki instance creation fails with following error message.
------------------------------
  [10/28]: importing RA certificate from PKCS #12 file
  [error] CalledProcessError: Command '/usr/bin/openssl pkcs12 -in /tmp/tmpmNC1Eiipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin pass:' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Command '/usr/bin/openssl pkcs12 -in /tmp/tmpmNC1Eiipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin pass:' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@hp-dl380pgen8-02-vm-7 ~]#
------------------------------

Version-Release number of selected component (if applicable):

6.9 master
-----------
[root@kvm-guest-03 ~]# rpm -q pki-ca ipa-server
pki-ca-9.0.3-53.el6.noarch
ipa-server-3.0.0-51.el6.x86_64
[root@kvm-guest-03 ~]#

7.4 replica
------------
[root@hp-dl380pgen8-02-vm-7 ~]# rpm -q ipa-server pki-ca selinux-policy
ipa-server-4.5.0-6.el7.x86_64
pki-ca-10.4.1-1.el7.noarch
selinux-policy-3.13.1-142.el7.noarch
[root@hp-dl380pgen8-02-vm-7 ~]#
[root@hp-dl380pgen8-02-vm-7 ~]# getenforce
Permissive
[root@hp-dl380pgen8-02-vm-7 ~]# cat /var/log/audit/audit.log |audit2allow

#============= gssproxy_t ==============
allow gssproxy_t self:capability dac_override;

#============= tomcat_t ==============
allow tomcat_t user_tmp_t:file open;
[root@hp-dl380pgen8-02-vm-7 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-6.9 master
2. Create replica gpg for RHEL-7.4 replica
3. Install replica on RHEL-7.4 using gpg file from step 2

Actual results:
Replica install fails

Expected results:
Replica install should be successful

Additional info:
Please find the attached pki debug log from Master and Replica
Metadata Update from @stlaz: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1442815
Metadata Update from @stlaz: - Issue assigned to stlaz
Metadata Update from @stlaz: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/721
Metadata Update from @pvoborni: - Issue priority set to: blocker - Issue tagged with: regression
master:
ipa-4-5:
Metadata Update from @jcholast: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @stlaz: - Issue status updated to: Open (was: Closed)
Unfortunately the fix broke upgrade because OpenSSL can't cope with empty files.
Metadata Update from @stlaz: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1443869 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1442815)
Metadata Update from @stlaz: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/722 (was: https://github.com/freeipa/freeipa/pull/721)
A different issue appeared during migration: the replica tries to contact the master on port 8443 for certificate profiles migration to LDAP, but the old masters don't use these ports for CA servers, so the installation fails with NetworkError.
These operations should be performed against the replica CA instance anyway.
No external service must ever contact port 8443 or port 8080 directly. The ports must be considered internal and blocked by a firewall. Except for IPA framework and installers, everybody must go through Apache proxy. See #6016
Metadata Update from @pvoborni: - Issue tagged with: testblocker
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @mbasti: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1442815 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1443869)