#6878 Replica install fails during migration from older IPA master
Closed: fixed 7 years ago Opened 7 years ago by stlaz.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1442815

Created attachment 1272108
rhel69 master pki debug

Description of problem:
During Replica install on RHEL-7.4 from RHEL-6.9 master, pki instance creation
fails with following error message.

------------------------------
  [10/28]: importing RA certificate from PKCS #12 file
  [error] CalledProcessError: Command '/usr/bin/openssl pkcs12 -in
/tmp/tmpmNC1Eiipa/realm_info/ra.p12 -nocerts -nodes -out
/var/lib/ipa/ra-agent.key -passin pass:' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
Command '/usr/bin/openssl pkcs12 -in /tmp/tmpmNC1Eiipa/realm_info/ra.p12
-nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin pass:' returned non-zero
exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information
[root@hp-dl380pgen8-02-vm-7 ~]#

------------------------------

Version-Release number of selected component (if applicable):
6.9 master
-----------
[root@kvm-guest-03 ~]# rpm -q pki-ca ipa-server
pki-ca-9.0.3-53.el6.noarch
ipa-server-3.0.0-51.el6.x86_64
[root@kvm-guest-03 ~]#

7.4 replica
------------
[root@hp-dl380pgen8-02-vm-7 ~]# rpm -q ipa-server pki-ca selinux-policy
ipa-server-4.5.0-6.el7.x86_64
pki-ca-10.4.1-1.el7.noarch
selinux-policy-3.13.1-142.el7.noarch
[root@hp-dl380pgen8-02-vm-7 ~]#
[root@hp-dl380pgen8-02-vm-7 ~]# getenforce
Permissive
[root@hp-dl380pgen8-02-vm-7 ~]# cat /var/log/audit/audit.log |audit2allow
#============= gssproxy_t ==============
allow gssproxy_t self:capability dac_override;
#============= tomcat_t ==============
allow tomcat_t user_tmp_t:file open;
[root@hp-dl380pgen8-02-vm-7 ~]#


How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-6.9 master
2. Create replica gpg for RHEL-7.4 replica
3. Install replica on RHEL-7.4 using gpg file from step 2

Actual results:
Replica install fails

Expected results:
Replica install should be successful

Additional info:
Please find the attached pki debug log from Master and Replica

Metadata Update from @stlaz:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1442815

7 years ago

Metadata Update from @stlaz:
- Issue assigned to stlaz

7 years ago

Metadata Update from @stlaz:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/721

7 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue tagged with: regression

7 years ago

master:

  • 6f0a622 Fix RA cert import during DL0 replication

ipa-4-5:

  • 3f70baf Fix RA cert import during DL0 replication

Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @stlaz:
- Issue status updated to: Open (was: Closed)

7 years ago

Unfortunately the fix broke upgrade because OpenSSL can't cope with empty files.

7 years ago
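The failure mode in the comment above is worth a concrete illustration. The installer's original command passed the PKCS#12 password as `-passin pass:<password>`, which puts the secret on the command line (visible in `ps` and in any log that records argv); moving it into a file is the usual fix, but OpenSSL reads the first line of a `-passin file:` file with `BIO_gets`, and a zero-byte file makes that call return 0 and the command fail. The block below is an added example written for this page, not FreeIPA's own `import_ra_cert` or its actual fix: it writes the password to a 0600 temp file with a trailing newline (so an empty password becomes a one-byte file that OpenSSL reads as ""), pre-creates the output key file with a restrictive mode, and round-trips a throwaway self-signed key through an empty-password `.p12` when an `openssl` binary is available. All paths and function names are illustrative.

```python
"""Extract a private key from a PKCS#12 bundle without putting the password on
the command line, and without tripping over an empty password.

Added example for this ticket, not FreeIPA code. Paths and names are illustrative.
"""
import os
import shutil
import stat
import subprocess
import tempfile
from typing import List, Optional


def write_passfile(password: str, directory: Optional[str] = None) -> str:
    """Write PASSWORD to a private temp file for use with `-passin file:`.

    OpenSSL reads the first line of the file and strips the newline.  A file
    with zero bytes makes it fail ("Error reading password from BIO"), which is
    exactly what an empty password turns into if written naively.  Always write
    the password followed by a newline: an empty password becomes a file that
    holds just "\n", which OpenSSL reads as the empty string.
    """
    fd, path = tempfile.mkstemp(prefix="p12pass.", dir=directory)  # created 0600
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")
    return path


def verify_passfile(path: str, password: str) -> bool:
    """Check the file holds exactly PASSWORD + newline and is owner-only (0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as f:
        return f.read() == password + "\n" and mode == 0o600


def pkcs12_key_export_cmd(p12_path: str, key_out: str, passfile: str) -> List[str]:
    """argv equivalent to the installer's command, but with `-passin file:`.

    `-passin pass:<pw>` exposes the password in `ps` output and in any log that
    records the command line; referencing a 0600 file does neither.
    """
    return [
        "openssl", "pkcs12",
        "-in", p12_path,
        "-nocerts", "-nodes",
        "-out", key_out,
        "-passin", "file:" + passfile,
    ]


def export_key(p12_path: str, key_out: str, password: str) -> None:
    """Run the export.  The unencrypted key file is created 0600 before OpenSSL
    writes into it, so it is never world-readable, even briefly."""
    # fopen("w") inside OpenSSL truncates the existing file and keeps its mode.
    os.close(os.open(key_out, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600))
    passfile = write_passfile(password)
    try:
        subprocess.run(
            pkcs12_key_export_cmd(p12_path, key_out, passfile),
            check=True, stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
        )
    finally:
        os.unlink(passfile)  # the secret lives only for the duration of the call


def demo() -> bool:
    """Round trip a throwaway self-signed key through a .p12 with an EMPTY
    password (the case that broke).  Returns False if no `openssl` binary exists."""
    if shutil.which("openssl") is None:
        return False
    with tempfile.TemporaryDirectory() as d:
        key, cert, p12, out = (os.path.join(d, n)
                               for n in ("k.pem", "c.pem", "ra.p12", "ra.key"))
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-keyout", key, "-out", cert, "-subj", "/CN=ra-test",
                        "-days", "1"],
                       check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        subprocess.run(["openssl", "pkcs12", "-export", "-in", cert, "-inkey", key,
                        "-out", p12, "-passout", "pass:"],
                       check=True, stderr=subprocess.DEVNULL)
        export_key(p12, out, "")
        with open(out) as f:
            return "PRIVATE KEY" in f.read()


if __name__ == "__main__":
    print("round trip ok" if demo() else "openssl not available, skipped")
```

The two checks a practitioner would keep from this: never let an empty secret degrade into an empty file handed to a `file:` reader, and never let the password or the extracted key exist for any window with permissions looser than the final 0600.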

Metadata Update from @stlaz:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/722 (was: https://github.com/freeipa/freeipa/pull/721)

7 years ago

master:

  • b38750e Fix CAInstance.import_ra_cert for empty passwords

ipa-4-5:

  • e3f2878 Fix CAInstance.import_ra_cert for empty passwords

Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @stlaz:
- Issue status updated to: Open (was: Closed)

7 years ago

A different issue appeared during migration, the replica tries to contact the master on port 8443 for certificate profiles migration to LDAP, but the old masters don't use these ports for CA servers so the installation fails with NetworkError.

These operations should be performed against the replica CA instance anyway.

No external service must ever contact port 8443 or port 8080 directly. The ports must be considered internal and blocked by a firewall. Except for IPA framework and installers, everybody must go through Apache proxy. See #6016

Metadata Update from @pvoborni:
- Issue tagged with: testblocker

7 years ago

master:

  • 0d406fc Refresh Dogtag RestClient.ca_host property
  • 92313c9 Remove the cachedproperty class

ipa-4-5:

  • 32981a0 Refresh Dogtag RestClient.ca_host property
  • 9de3439 Remove the cachedproperty class

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago
