#7006 ipa-replica-install fails at Importing RA Key - 4.4.0-14.el7.centos
Closed: invalid 6 years ago Opened 6 years ago by blaisek.

FreeIPA installation details:

Centos 7.3 - 3.10.0-514.16.1.el7.x86_64
self signed certs
One server with ca trying to deploy to a second server with ca.

FreeIPA history
Upgrade from:

4.1.0-18.el7.centos.0.1 -> 4.2.0-15.el7.centos -> 4.4.0-14.el7.centos

After updating the freeipa server to 4.4.0, domain level changed to 1 with

ipa domainlevel-set 1

Then to install a new replica with server, ran

ipa-client-install, then ipa-replica-install.

Replica client install generates the following error:

HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]

2017-06-07T05:55:59Z DEBUG   [error] HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]

2017-06-07T05:55:59Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]
2017-06-07T05:55:59Z ERROR 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]
2017-06-07T05:55:59Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Attempting to install a replica under domain level 0 will successfully complete with a provided replica-info gpg file. But when running ipa-ca-install with the same info file, I'll get the following error:

importing CA chain to RA certificate database

So there is some problem with the RA certificate database or server using either path. The last time I was able to successfully deploy a replica with CA was with ipa 4.2.0.

This issue fails at the same spot, but a different python-jwcrypto doesn't seem to be why the decryption failed.

https://www.redhat.com/archives/freeipa-users/2016-December/msg00024.html

Not sure whether the problem is with the RA server or the data. A fresh install will complete the ipa-replica-install command.

I've attached ipareplica-install.log


Ok, I've figured this issue out. HBAC control needs to allow the new replica. By default the fresh install will have an allow_all rule that I've disabled to lock down my production server. I finally reached an error message that indicated admin could not ssh into the master, giving a permission denied error. All sssd and krb5 settings were ok. Allowing access to the master still gives errors and breaks the install. But finally re-enabling allow_all to allow the master and newly added replica allows for a new replica with ca to be installed. It still fails under domainlevel 0 though. Under domainlevel 0, a replica will install, but a CA won't, failing at the same step:

importing CA chain to RA certificate database

So the upgrade path is to allow access via HBAC. Will probably have to use allow_all since a chicken/egg situation prevents the new replica from being added. Then upgrade the master domainlevel to 1. Then run ipa-client-install, ipa-replica-install and ipa-ca-install to create a new replica with ca server.

Metadata Update from @dkupka:
- Issue assigned to dkupka

6 years ago

There is a suspicion that it might be a race-condition type of bug similar or the same as #6838

One can also create an hbac rule to allow administrators to ssh into all IPA servers and nobody else.

Metadata Update from @pvoborni:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

6 years ago
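The narrower alternative to re-enabling allow_all suggested in the last comment (admins may ssh to IPA servers, nobody else), as an added example that is not part of the ticket: a POSIX shell wrapper around the FreeIPA CLI that creates the rule, tests it in isolation with hbactest, and only then disables allow_all. The rule name, the master hostname and the IPA variable (set to `echo` for a dry run) are assumptions; it expects an admin Kerberos ticket and the ipaservers hostgroup that 4.4 manages.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA ticket. Least-privilege replacement
# for the allow_all HBAC rule: members of the admins group may use sshd on
# every host in the ipaservers hostgroup, and nobody else gets anything.
# IPA can be overridden (IPA=echo) to print the commands instead of running them.
IPA="${IPA:-ipa}"
RULE="${RULE:-admins_ssh_ipaservers}"   # assumed rule name

# Build the rule: who (group admins) -> where (hostgroup ipaservers) -> what (sshd).
hbac_admin_ssh_rule() {
    "$IPA" hbacrule-add "$RULE" --desc="admins may ssh to IPA servers" &&
    "$IPA" hbacrule-add-user "$RULE" --groups=admins &&
    "$IPA" hbacrule-add-host "$RULE" --hostgroups=ipaservers &&
    "$IPA" hbacrule-add-service "$RULE" --hbacsvcs=sshd
}

# Evaluate ONLY the new rule (--rules=...) for the access the replica conncheck
# needs (admin -> sshd on the master), so allow_all cannot mask a mistake
# while it is still enabled. hbactest prints "Access granted" on success.
hbac_check_admin_ssh() {
    master="$1"
    "$IPA" hbactest --user=admin --host="$master" --service=sshd --rules="$RULE"
}

# Lock down again: keep allow_all defined but disabled, so it can be re-enabled
# quickly if a future replica install hits the same chicken/egg problem.
hbac_disable_allow_all() {
    "$IPA" hbacrule-disable allow_all
}

# Usage (hostname is a placeholder):
#   hbac_admin_ssh_rule && hbac_check_admin_ssh master.example.test && hbac_disable_allow_all
```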
