ipa-kra-install fails on a replica
To reproduce:
1. install ipa server with CA
2. run ipa-kra-install on the ipa server
3. create a replica with CA: ipa-client-install then ipa-replica-install --setup-ca
4. run ipa-kra-install on the replica
Output of ipa-kra-install on the replica:
    $ sudo ipa-kra-install
    Directory Manager password:
    ===================================================================
    This program will setup Dogtag KRA for the FreeIPA Server.
    Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
    Your system may be partly configured.
    If you run into issues, you may have to re-install IPA on this server.
    Timed out trying to obtain keys.
    The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
Content of ipaserver-kra-install.log:
    2017-05-05T14:29:29Z INFO Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
    2017-05-05T14:29:29Z DEBUG Transient error getting keys: 'Incorrect number of results (2) searching forpublic key for ipareplica.domain.com'
    2017-05-05T14:34:30Z ERROR Your system may be partly configured. If you run into issues, you may have to re-install IPA on this server.
    2017-05-05T14:34:30Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 207, in run
        kra.install(api, config, self.options)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/kra.py", line 93, in install
        replica_config.dirman_password)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 217, in get_kra_keys
        self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 156, in __get_keys
        self.__wait_keys(ca_host)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 144, in __wait_keys
        raise RuntimeError("Timed out trying to obtain keys.")
    2017-05-05T14:34:30Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: Timed out trying to obtain keys.
    2017-05-05T14:34:30Z ERROR Timed out trying to obtain keys.
    2017-05-05T14:34:30Z ERROR The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
The issue happens because the code is looking for exactly one entry with cn=enc/ipareplica below cn=custodia,cn=ipa,cn=etc,dc=domain,dc=com, but 2 are found (one directly below cn=custodia, and one below cn=dogtag,cn=custodia).
Regression linked to Commit 1f9f84a
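The failure mode described above, reproduced on constructed data as an added example (not part of the original ticket and not FreeIPA's code): a lookup that demands exactly one match over the whole subtree breaks once a same-named entry exists in a nested container, while a one-level search at the intended container stays unambiguous. The full key name, the `search` and `find_single` helpers and the use of subtree scope are assumptions made for illustration.

```python
# Constructed sample data modelled on the layout described in the ticket.
SUFFIX = "dc=domain,dc=com"
CUSTODIA = "cn=custodia,cn=ipa,cn=etc," + SUFFIX
KEY_CN = "enc/ipareplica.domain.com"  # assumed full name of the key entry

DIRECTORY = [
    CUSTODIA,
    "cn=dogtag," + CUSTODIA,
    "cn=%s,%s" % (KEY_CN, CUSTODIA),            # directly below cn=custodia
    "cn=%s,cn=dogtag,%s" % (KEY_CN, CUSTODIA),  # below cn=dogtag,cn=custodia
]


def rdns(dn):
    """Split a DN into lower-cased RDNs (sample DNs contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def search(base, scope, cn):
    """Return DNs below base whose leading RDN is cn=<cn>.

    scope is "onelevel" (immediate children) or "subtree" (all descendants).
    """
    base_rdns = rdns(base)
    hits = []
    for dn in DIRECTORY:
        parts = rdns(dn)
        depth = len(parts) - len(base_rdns)
        if depth < 1 or parts[depth:] != base_rdns:
            continue  # entry is not below the search base
        if scope == "onelevel" and depth != 1:
            continue  # onelevel ignores deeper descendants
        if parts[0] == "cn=" + cn.lower():
            hits.append(dn)
    return hits


def find_single(base, scope, cn):
    """Hypothetical 'exactly one entry' lookup that rejects ambiguous results."""
    hits = search(base, scope, cn)
    if len(hits) != 1:
        raise ValueError("Incorrect number of results (%d)" % len(hits))
    return hits[0]
```
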
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/766
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1449189
Issue linked to bug 1449189
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.1
master:
ipa-4-5:
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)