FreeIPA 4.4 is not compatible with Custodia 0.3 packages. Starting with 0.3, the RPM packages install Custodia with Python 3 as the default Python version. FreeIPA's KEM and store plugins do not work under Python 3.
This makes replica installation fail against such a 4.4.4 IPA server with:
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR 503 Server Error: Service Unavailable for url: https://master.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.k6y2jmI8oxRIsieU93_RzG5mZU_u_DPW2XL2jjLukYPZ3oZOkLkufof0fBeH6LAR66aL9m5C9j26GmhlTqNsm2FUQT7Xql975rYR3veooDwLQlPx6k4X1J4CTEeSsf7RVj8KfLE5e4K-nW1hTyepsbm7RDAA_-tbLvWzEqCQ0I3bfpPEDmlML08FA9T_yuPb1FkT0-lSCLV5PHya4tOB3R2q5CHC2b6BpwZQtbVW8eohshEmJMTO2NMAyPlfJscgSHYmhi6oliToV_Dh90Ej1UH_S0UOkHLsvIV5IoW4EGeaGdeHwHo4GsSGHGN3exVxWk9GShhJ_WJ-dlXSGQ_9CA.SfWWO_VrqzKKX3EYSh3E1Q.n4GtjcFZOQSZmAG9MShIQVtfRv_N3jEQMS46rLGUU6xIS-BYBL0Xq1UWP6VFrZW-g96Iqe2PIBhv4m1FsuAzP_gzac1lCr2ghcVuj3rAUg81G5s8vPuYNl_Ur5UVlQ2LtWzGLc26s1z_43MF7qCl8iayvXqnweK8_kj54F1RUJ-Awp0--Z4mnK_FFrPU4BBW2_EjZ1tOR8dV7NnxnN2Gd2tiDFl6Kkbj91rf6Bo2f8telN5RJsX52PsNW2z-l78TOIAKY4qfHhSVz31RO3xgUbyu3yQ79sGIxD66hzmVisB_LnbpNHbIjCP1wKEXXSo-IPrDtXk7ZWZrEITtItzynbzBKddVLjcNMjoqGz-lhLWVNg8R8rdHEdUzhlkdM-kFfW6Fz57wSyOZnt4KvQ-lZxY62TLQB1gqJ7vhzUPUs1g7C9rsy4gTQPjuRxXnLRvqXSb3arQPkrUl_hLqRuAm8FL-ClYY9G38KVns81QTygKvkDC8E5LQBJfyzkg93AyTXNBcrdCxP8AGgaxLBlGyEX-ya0g3mVX5fz_Uj6gyKjtOS_x1AUHOMkAMRmVEzvixrz-krCMWYOQDmJi19OlNeNjb7-NUVDxPRryr7e6Po2OqSbSjP6kUSw_QbMZf8BCrqV4TUFOwndTmZ68n1TOrCqie-UO71TJnherD_3m60_t3-Li1uy6_WWX66BBEMCCtsZBJWP7OYj7c9CzWGuzUEI7g75i4TZwoM1z0SjuyoPE.ZbRawj1B943OeF6AD_W0Z3pfk13fs14rbj_Ab8n-ZXI
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
journalctl -u ipa-custodia on master gives:
journalctl -u ipa-custodia
May 03 14:50:56 vm-096.example.com systemd[1]: Started IPA Custodia Service.
May 03 14:50:56 vm-096.example.com custodia[84011]: 2017-05-03 14:50:56 - custodia - Custodia debug logger enabled
May 03 14:50:56 vm-096.example.com custodia[84011]: 2017-05-03 14:50:56 - custodia - Custodia audit log: /var/log/ipa-custodia.audit.log
May 03 14:50:56 vm-096.example.com custodia[84011]: 2017-05-03 14:50:56 - custodia - Config file <_io.TextIOWrapper name='/etc/ipa/custodia/custodia.conf' mode='r' encoding='UTF-8'> loaded
May 03 14:50:56 vm-096.example.com custodia[84011]: Traceback (most recent call last):
May 03 14:50:56 vm-096.example.com custodia[84011]: File "/usr/lib/python3.5/site-packages/custodia/server/__init__.py", line 189, in _load_plugins
May 03 14:50:56 vm-096.example.com custodia[84011]: config[menu][name] = _create_plugin(parser, s, menu)
May 03 14:50:56 vm-096.example.com custodia[84011]: File "/usr/lib/python3.5/site-packages/custodia/server/__init__.py", line 98, in _create_plugin
May 03 14:50:56 vm-096.example.com custodia[84011]: return handler(hconf)
May 03 14:50:56 vm-096.example.com custodia[84011]: File "/usr/lib/python3.5/site-packages/ipapython/secrets/kem.py", line 180, in __init__
May 03 14:50:56 vm-096.example.com custodia[84011]: self.ldap_uri = conf.get('global', 'ldap_uri', None)
May 03 14:50:56 vm-096.example.com custodia[84011]: TypeError: get() takes 3 positional arguments but 4 were given
May 03 14:50:56 vm-096.example.com custodia[84011]: During handling of the above exception, another exception occurred:
May 03 14:50:56 vm-096.example.com custodia[84011]: Traceback (most recent call last):
May 03 14:50:56 vm-096.example.com custodia[84011]: File "/usr/sbin/custodia", line 9, in <module>
May 03 14:50:56 vm-096.example.com custodia[84011]: load_entry_point('custodia==0.3.1', 'console_scripts', 'custodia')()
May 03 14:50:56 vm-096.example.com custodia[84011]: File "/usr/lib/python3.5/site-packages/custodia/server/__init__.py", line 211, in main
May 03 14:50:56 vm-096.example.com custodia[84011]: _load_plugins(config, cfgparser)
May 03 14:50:56 vm-096.example.com custodia[84011]: File "/usr/lib/python3.5/site-packages/custodia/server/__init__.py", line 191, in _load_plugins
May 03 14:50:56 vm-096.example.com custodia[84011]: raise RuntimeError(menu, name, e)
May 03 14:50:56 vm-096.example.com custodia[84011]: RuntimeError: ('authorizers', 'kemkeys', TypeError('get() takes 3 positional arguments but 4 were given',))
May 03 14:50:56 vm-096.example.com systemd[1]: ipa-custodia.service: Main process exited, code=exited, status=1/FAILURE
May 03 14:50:56 vm-096.example.com systemd[1]: ipa-custodia.service: Unit entered failed state.
May 03 14:50:56 vm-096.example.com systemd[1]: ipa-custodia.service: Failed with result 'exit-code'.
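Added example (not part of the ticket or of the linked PR): a reproduction of the TypeError from the traceback and a lookup that behaves the same under Python 2 and Python 3. It assumes conf in kem.py is a standard-library ConfigParser; the sample configuration and the helper names legacy_get, portable_get and legacy_call_error are constructed for illustration.

```python
import configparser

# Constructed sample configuration (assumption, not a file from the ticket).
# It deliberately has no ldap_uri option, so the default path is exercised.
SAMPLE_CONF = """\
[global]
host = master.example.com
realm = EXAMPLE.COM
"""


def load(text):
    """Parse configuration text into a ConfigParser instance."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def legacy_get(conf, section, option):
    """Call shape from kem.py line 180 in the traceback.

    Python 2: get(section, option, raw=False, vars=None), so the third
    positional argument is accepted (it lands in 'raw').
    Python 3: everything after 'option' is keyword-only, so a third
    positional argument raises TypeError before any lookup happens.
    """
    return conf.get(section, option, None)


def portable_get(conf, section, option, default=None):
    """Hypothetical helper: optional lookup without positional extras.

    has_option() returns False for a missing section or option on both
    Python 2 and Python 3, so no version-specific keyword is needed.
    """
    if conf.has_option(section, option):
        return conf.get(section, option)
    return default


def legacy_call_error(conf):
    """Return the TypeError text raised by the legacy call, or None."""
    try:
        legacy_get(conf, "global", "ldap_uri")
    except TypeError as exc:
        return str(exc)
    return None
```

Because the exception is raised while Custodia instantiates the plugin, the service exits at startup, which is why the replica sees a 503 from /ipa/keys rather than an authorization error.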
I opened a PR yesterday, https://github.com/freeipa/freeipa/pull/760
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.4.5
ipa-4-4:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue priority set to: critical - Issue status updated to: Closed (was: Open)
Metadata Update from @tkrizek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1448049
Issue linked to Bugzilla: Bug 1448049