Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1494608
Description of problem:
when installing a replica, ipa-replica-install fails like this:
================================================================
2017-09-21T14:13:18Z DEBUG Starting external process
2017-09-21T14:13:18Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-GSNETCLOUD-CORP/ -A -n GSNETCLOUD.CORP IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-GSNETCLOUD-CORP/pwdfile.txt
2017-09-21T14:13:19Z DEBUG Process finished, return code=0
2017-09-21T14:13:19Z DEBUG stdout=
2017-09-21T14:13:19Z DEBUG stderr=
2017-09-21T14:13:19Z DEBUG Starting external process
2017-09-21T14:13:19Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-GSNETCLOUD-CORP/ -A -n GSNETCLOUD.CORP IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-GSNETCLOUD-CORP/pwdfile.txt
2017-09-21T14:13:19Z DEBUG Process finished, return code=0
2017-09-21T14:13:19Z DEBUG stdout=
2017-09-21T14:13:19Z DEBUG stderr=
2017-09-21T14:13:19Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2017-09-21T14:13:24Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2017-09-21T14:13:29Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2017-09-21T14:13:34Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2017-09-21T14:13:39Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2017-09-21T14:13:44Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2017-09-21T14:13:44Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 824, in __enable_ssl
    post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

2017-09-21T14:13:44Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2017-09-21T14:13:44Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1435, in install
    ds.enable_ssl()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 357, in enable_ssl
    self.start_creation()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 824, in __enable_ssl
    post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))

2017-09-21T14:13:44Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2017-09-21T14:13:44Z ERROR Certificate issuance failed (CA_UNREACHABLE)
2017-09-21T14:13:44Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
===================================================================

What is strange is that we can do an ipa-getcert request from master and from replica with no issue.

The logs in the master are showing this:

[Fri Sep 15 13:39:24.777346 2017] [:error] [pid 13739] ipa: ERROR: ra.request_certificate(): FAILURE (CA not found: cb53dffa-3eb3-4cd5-bc86-4f0d712e6c28)
[Fri Sep 15 13:39:24.777679 2017] [:error] [pid 13739] ipa: INFO: [xmlserver] host/ipang01.cmpseng.gsnetcloud.corp@GSNETCLOUD.CORP: cert_request(u'[base64 CSR omitted]', profile_id=u'caIPAserviceCert', principal=u'ldap/ipang01.cmpseng.gsnetcloud.corp@GSNETCLOUD.CORP', add=True, version=u'2.51'): CertificateOperationError

"CertificateOperationError"

But regarding the first one:

[Fri Sep 15 13:39:24.777346 2017] [:error] [pid 13739] ipa: ERROR: ra.request_certificate(): FAILURE (CA not found: cb53dffa-3eb3-4cd5-bc86-4f0d712e6c28)

CA not found: cb53dffa-3eb3-4cd5-bc86-4f0d712e6c28

We have seen in LDAP:
======================================
dn: cn=ipa,cn=cas,cn=ca,dc=gsnetcloud,dc=corp
cn: ipa
ipaCaId: cb53dffa-3eb3-4cd5-bc86-4f0d712e6c28
ipaCaSubjectDN: CN=Certificate Authority,O=GSNETCLOUD.CORP
objectClass: top
objectClass: ipaca
ipaCaIssuerDN: CN=Certificate Authority,O=GSNETCLOUD.CORP
description: IPA CA

dn: cn=eb9020f0-948b-4873-99b1-f36e04c449e2,ou=authorities,ou=ca,o=ipaca
description: Host authority
authorityDN: CN=Certificate Authority,O=GSNETCLOUD.CORP
authorityEnabled: TRUE
authorityKeyNickname: caSigningCert cert-pki-ca
authorityID: eb9020f0-948b-4873-99b1-f36e04c449e2
cn: eb9020f0-948b-4873-99b1-f36e04c449e2
objectClass: authority
objectClass: top
==========================================

We need help to understand this problem because there are no meaningful logs in dogtag.

Thanks a lot

Version-Release number of selected component (if applicable):
RHEL7.4
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1494608
Have no reproduction steps or history on the original master to know how the CA uuid got out of sync.
Metadata Update from @rcritten: - Issue close_status updated to: insufficientinfo - Issue status updated to: Closed (was: Open)
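The two LDAP entries quoted in the description carry different UUIDs for the same CA subject DN, and the master's "CA not found" error names the IPA-side one. As an added example (not part of the ticket and not FreeIPA code), the following Python flags that condition in an LDIF export; the function names are hypothetical, the sample is an abridged copy of the entries quoted in the description, and only unwrapped, non-base64 LDIF is handled.

```python
# Added example: find IPA CA entries whose ipaCaId matches no Dogtag authority
# that has the same subject DN. SAMPLE_LDIF is an abridged copy of the ticket's entries.
SAMPLE_LDIF = """\
dn: cn=ipa,cn=cas,cn=ca,dc=gsnetcloud,dc=corp
ipaCaId: cb53dffa-3eb3-4cd5-bc86-4f0d712e6c28
ipaCaSubjectDN: CN=Certificate Authority,O=GSNETCLOUD.CORP
objectClass: ipaca

dn: cn=eb9020f0-948b-4873-99b1-f36e04c449e2,ou=authorities,ou=ca,o=ipaca
authorityDN: CN=Certificate Authority,O=GSNETCLOUD.CORP
authorityID: eb9020f0-948b-4873-99b1-f36e04c449e2
objectClass: authority
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of {lowercased attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def has_class(entry, name):
    return name in (c.lower() for c in entry.get("objectclass", []))


def find_ca_id_mismatches(entries):
    """Return (subject DN, ipaCaId, Dogtag authorityIDs for that DN) per mismatch."""
    authorities = {}
    for e in entries:
        if has_class(e, "authority"):
            key = e["authoritydn"][0].lower()  # simplistic DN comparison
            authorities.setdefault(key, []).append(e["authorityid"][0])
    mismatches = []
    for e in entries:
        if has_class(e, "ipaca"):
            subject, ca_id = e["ipacasubjectdn"][0], e["ipacaid"][0]
            known = authorities.get(subject.lower(), [])
            if ca_id not in known:
                mismatches.append((subject, ca_id, known))
    return mismatches


if __name__ == "__main__":
    for subject, ca_id, known in find_ca_id_mismatches(parse_ldif(SAMPLE_LDIF)):
        print(f"{subject}: ipaCaId {ca_id} not among Dogtag authority IDs {known}")
```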