#6934 ipa-kra-install timeouts on replica
Closed: fixed 6 years ago Opened 6 years ago by frenaud.

ipa-kra-install fails on a replica

To reproduce:
- install ipa server with CA
- run ipa-kra-install on the ipa server
- create a replica with CA: ipa-client-install then ipa-replica-install --setup-ca
- run ipa-kra-install on the replica

Output of ipa-kra-install on the replica:

$ sudo ipa-kra-install
Directory Manager password:


===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.


Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com

Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

Timed out trying to obtain keys.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

Content of ipaserver-kra-install.log:

2017-05-05T14:29:29Z INFO Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
2017-05-05T14:29:29Z DEBUG Transient error getting keys: 'Incorrect number of results (2) searching forpublic key for ipareplica.domain.com'
2017-05-05T14:34:30Z ERROR
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

2017-05-05T14:34:30Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 207, in run
    kra.install(api, config, self.options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/kra.py", line 93, in install
    replica_config.dirman_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 217, in get_kra_keys
    self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 156, in __get_keys
    self.__wait_keys(ca_host)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 144, in __wait_keys
    raise RuntimeError("Timed out trying to obtain keys.")

2017-05-05T14:34:30Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: Timed out trying to obtain keys.
2017-05-05T14:34:30Z ERROR Timed out trying to obtain keys.
2017-05-05T14:34:30Z ERROR The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

The issue happens because the code is looking for exactly one entry with cn=enc/ipareplica below cn=custodia,cn=ipa,cn=etc,dc=domain,dc=com, but 2 are found (one directly below cn=custodia, and one below cn=dogtag,cn=custodia).

Regression linked to Commit 1f9f84a
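
An added illustration of the cause described above (not part of the ticket, and not FreeIPA's code or its fix): a small in-memory model of LDAP search scope, showing why a search that descends the whole subtree below cn=custodia finds the same cn twice while a one-level search finds it once. The entry list, the function names and the use of one-level scope as a remedy are assumptions made for this example.

```python
# Constructed entries mirroring the ticket: the same cn exists directly
# below cn=custodia and again below cn=dogtag,cn=custodia.
CUSTODIA_BASE = "cn=custodia,cn=ipa,cn=etc,dc=domain,dc=com"
ENTRIES = [
    CUSTODIA_BASE,
    "cn=dogtag," + CUSTODIA_BASE,
    "cn=enc/ipareplica," + CUSTODIA_BASE,
    "cn=enc/ipareplica,cn=dogtag," + CUSTODIA_BASE,
]
SCOPE_ONELEVEL, SCOPE_SUBTREE = "one", "sub"

def split_dn(dn):
    # Naive RDN split; adequate for these constructed DNs (no escaped commas).
    return [rdn.strip().lower() for rdn in dn.split(",")]

def search(entries, base, scope, rdn):
    """Return DNs at or below `base` whose leading RDN equals `rdn`."""
    base_rdns = split_dn(base)
    hits = []
    for dn in entries:
        rdns = split_dn(dn)
        depth = len(rdns) - len(base_rdns)
        if depth < 0 or rdns[depth:] != base_rdns:
            continue  # entry is outside the search base
        if scope == SCOPE_ONELEVEL and depth != 1:
            continue  # one-level scope: immediate children only
        if rdns[0] == rdn.lower():
            hits.append(dn)
    return hits

def find_single_key(entries, base, scope, rdn):
    """Hypothetical lookup that, like the failing check, demands one result."""
    hits = search(entries, base, scope, rdn)
    if len(hits) != 1:
        raise ValueError("Incorrect number of results (%d)" % len(hits))
    return hits[0]

if __name__ == "__main__":
    for scope in (SCOPE_SUBTREE, SCOPE_ONELEVEL):
        try:
            print(scope, find_single_key(ENTRIES, CUSTODIA_BASE, scope, "cn=enc/ipareplica"))
        except ValueError as exc:
            print(scope, "failed:", exc)
```
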


Metadata Update from @frenaud:
- Issue assigned to frenaud

6 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/766

6 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1449189

6 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.1

6 years ago

master:

  • 8983ce5 ipa-kra-install: fix check_host_keys

ipa-4-5:

  • b90dce8 ipa-kra-install: fix check_host_keys

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
