Promotion of a client to replica fails with "Certificate issuance failed (CA_REJECTED)" in the "configuring TLS for DS instance" step. I'm seeing an ACIError in the HTTPD error log on master.
... Configuring directory server (dirsrv) [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)

2018-03-26T16:58:02Z DEBUG certmonger request is in state dbus.String('GENERATING_KEY_PAIR', variant_level=1)
2018-03-26T16:58:07Z DEBUG certmonger request is in state dbus.String('CA_REJECTED', variant_level=1)
2018-03-26T16:58:07Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 556, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 542, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 843, in __enable_ssl
    post_command=cmd
  File "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
HTTPD error log on master:
[Mon Mar 26 18:58:03.807187 2018] [wsgi:error] [pid 65845:tid 140410194355968] [remote 2620:52:0:25aa:21a:4aff:fe23:15ce:38120] ipa: INFO: [xmlserver] host/replica.ipa.example@IPA.EXAMPLE: cert_request('MIIE...', profile_id='caIPAserviceCert', principal='ldap/replica.ipa.example@IPA.EXAMPLE', add=True, version='2.51'): ACIError
389-DS log on master:
[26/Mar/2018:18:58:03.772887190 +0200] conn=13 op=4 SRCH base="ou=People,o=ipaca" scope=2 filter="(description=2;7;CN=Certificate Authority,O=IPA.EXAMPLE;CN=IPA RA,O=IPA.EXAMPLE)" attrs=ALL
[26/Mar/2018:18:58:03.774034449 +0200] conn=13 op=4 RESULT err=0 tag=101 nentries=1 etime=0.1148511400
[26/Mar/2018:18:58:03.777821483 +0200] conn=13 op=5 SRCH base="uid=ipara,ou=People,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Mar/2018:18:58:03.778012710 +0200] conn=13 op=5 RESULT err=0 tag=101 nentries=1 etime=0.0003814296
[26/Mar/2018:18:58:03.780014222 +0200] conn=13 op=6 SRCH base="ou=Groups,o=ipaca" scope=1 filter="(&(objectClass=groupofuniquenames)(uniqueMember=uid=ipara,ou=people,o=ipaca))" attrs="cn description"
[26/Mar/2018:18:58:03.780492986 +0200] conn=13 op=6 RESULT err=0 tag=101 nentries=2 etime=0.0002412133
[26/Mar/2018:18:58:03.796040450 +0200] conn=147 op=8 SRCH base="cn=accounts,dc=ipa,dc=example" scope=2 filter="(&(krbPrincipalName=ldap/replica.ipa.example@IPA.EXAMPLE)(objectClass=krbprincipalaux))" attrs=ALL
[26/Mar/2018:18:58:03.797512877 +0200] conn=147 op=8 RESULT err=0 tag=101 nentries=1 etime=0.0001823056
[26/Mar/2018:18:58:03.799480606 +0200] conn=147 op=9 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin"
[26/Mar/2018:18:58:03.799660705 +0200] conn=147 op=9 RESULT err=0 tag=120 nentries=0 etime=0.0000470062
[26/Mar/2018:18:58:03.800479789 +0200] conn=147 op=10 SRCH base="cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=ipa,dc=example" scope=0 filter="(objectClass=*)" attrs="objectClass"
[26/Mar/2018:18:58:03.802498308 +0200] conn=147 op=10 RESULT err=0 tag=101 nentries=1 etime=0.0002345011 - entryLevelRights: none
[26/Mar/2018:18:58:03.805428769 +0200] conn=147 op=11 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag userCategory cn memberHost serviceCategory hostCategory ipaCertProfileCategory ipaMemberCertProfile memberUser description ipaCaCategory ipaMemberCa memberService"
[26/Mar/2018:18:58:03.806038255 +0200] conn=147 op=11 RESULT err=0 tag=101 nentries=0 etime=0.0000845566
[26/Mar/2018:18:58:03.808289300 +0200] conn=147 op=12 UNBIND
[26/Mar/2018:18:58:03.808316545 +0200] conn=147 op=12 fd=123 closed - U1
No error
freeipa-server-4.6.90.pre1.dev201803261110+git1fe795b75-0.fc28.x86_64
freeipa-client-4.6.90.pre1.dev201803261110+git1fe795b75-0.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.6-2.fc28.x86_64
pki-ca-10.6.0-0.2.fc28.noarch
krb5-server-1.16-12.fc28.x86_64
Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
I have enrolled the machine with user admin and kinit admin before ipa-replica-install.
I might send you barking up the wrong tree but I'd try this:
kinit admin && ipa caacl-find
kdestroy -A
kinit -kt /etc/krb5.keytab && ipa caacl-find
I think the first will return an entry and the second will not.
Yeah, but how is that related to the issue? Does the installer kinit with the host keytab during the installation? I started installation with an admin principal TGT.
# kinit admin && ipa caacl-find
Password for admin@IPA.EXAMPLE:
----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
----------------------------
Number of entries returned 1
----------------------------
[root@vm-197 cheimes]# kdestroy -A
[root@vm-197 cheimes]# kinit -kt /etc/krb5.keytab && ipa caacl-find
-----------------
0 CA ACLs matched
-----------------
----------------------------
Number of entries returned 0
----------------------------
certmonger runs as the host.
I'm able to reproduce the issue with ldapsearch. An ldapsearch with admin TGT and scope one works. An ldapsearch with host TGT fails with scope one, but works with scope subtree. Could it be a regression in 389-DS? The system has 389-ds-base-1.4.0.6-2.fc28.x86_64.
$ ipa caacl-find
-----------------
0 CA ACLs matched
-----------------
----------------------------
Number of entries returned 0
----------------------------

[28/Mar/2018:10:45:57.523970901 +0200] conn=656 op=2 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn"
[28/Mar/2018:10:45:57.524504632 +0200] conn=656 op=2 RESULT err=0 tag=101 nentries=0 etime=0.0000840426

Host TGT, scope one (no entries):

# ldapsearch -Y GSSAPI -s one -b "cn=caacls,cn=ca,dc=ipa,dc=example" "(&(objectClass=ipaassociation)(objectClass=ipacaacl))" ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn
SASL/GSSAPI authentication started
SASL username: host/replica.ipa.example@IPA.EXAMPLE
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=caacls,cn=ca,dc=ipa,dc=example> with scope oneLevel
# filter: (&(objectClass=ipaassociation)(objectClass=ipacaacl))
# requesting: ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn
#

# search result
search: 4
result: 0 Success

# numResponses: 1

[28/Mar/2018:10:47:11.824472895 +0200] conn=657 op=3 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn"
[28/Mar/2018:10:47:11.825181116 +0200] conn=657 op=3 RESULT err=0 tag=101 nentries=0 etime=0.0001117036

Host TGT, scope subtree (entry returned):

# ldapsearch -Y GSSAPI -s sub -b "cn=caacls,cn=ca,dc=ipa,dc=example" "(&(objectClass=ipaassociation)(objectClass=ipacaacl))" ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn
SASL/GSSAPI authentication started
SASL username: host/replica.ipa.example@IPA.EXAMPLE
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=caacls,cn=ca,dc=ipa,dc=example> with scope subtree
# filter: (&(objectClass=ipaassociation)(objectClass=ipacaacl))
# requesting: ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn
#

# 090ffd12-3112-11e8-b258-001a4a2315cc, caacls, ca, ipa.example
dn: ipaUniqueID=090ffd12-3112-11e8-b258-001a4a2315cc,cn=caacls,cn=ca,dc=ipa,dc=example
ipaEnabledFlag: TRUE
serviceCategory: all
hostCategory: all
cn: hosts_services_caIPAserviceCert

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

[28/Mar/2018:10:47:44.584854957 +0200] conn=658 op=3 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=2 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn"
[28/Mar/2018:10:47:44.585895372 +0200] conn=658 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0001390817

Admin TGT, scope one (entry returned):

# ldapsearch -Y GSSAPI -s one -b "cn=caacls,cn=ca,dc=ipa,dc=example" "(&(objectClass=ipaassociation)(objectClass=ipacaacl))" ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn
SASL/GSSAPI authentication started
SASL username: admin@DOM-117.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=caacls,cn=ca,dc=ipa,dc=example> with scope oneLevel
# filter: (&(objectClass=ipaassociation)(objectClass=ipacaacl))
# requesting: ipaEnabledFlag userCategory serviceCategory hostCategory ipaCertProfileCategory description ipaCaCategory cn
#

# 090ffd12-3112-11e8-b258-001a4a2315cc, caacls, ca, ipa.example
dn: ipaUniqueID=090ffd12-3112-11e8-b258-001a4a2315cc,cn=caacls,cn=ca,dc=ipa,dc=example
ipaEnabledFlag: TRUE
serviceCategory: all
hostCategory: all
cn: hosts_services_caIPAserviceCert

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
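The comparison above (same base, same filter, same bound identity: scope one returns nothing, scope subtree returns the entry, while admin gets the entry at scope one) is the pattern to look for in the 389-DS access log when a one-level search is silently emptied by ACIs rather than by an empty container. The script below is an added example, not code from this ticket or from FreeIPA: it pairs SRCH and RESULT lines by conn/op, remembers which DN each connection bound as (a SASL BIND result carries tag=97 and a dn=), and reports (base, filter) pairs where a one-level search returned zero entries while a subtree search returned some. The SRCH/RESULT lines in the sample are taken from this ticket with the attrs list trimmed; the BIND RESULT lines and the admin search's log entry are constructed for the example, as are the bound DNs.

```python
#!/usr/bin/env python3
"""Flag one-level searches that come back empty while the same (base, filter)
returns entries as a subtree search.  Added example; parses the 389-DS access
log format quoted in the ticket and nothing else."""
import re
from collections import defaultdict

SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
    r'tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)(?:.*? dn="(?P<dn>[^"]*)")?')

# Constructed sample log: BIND results and the admin search are made up for the
# example; the host-keytab SRCH/RESULT pairs are the ones quoted in this ticket.
SAMPLE_LOG = """\
[28/Mar/2018:10:47:11.820000000 +0200] conn=657 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0001 dn="fqdn=replica.ipa.example,cn=computers,cn=accounts,dc=ipa,dc=example"
[28/Mar/2018:10:47:11.824472895 +0200] conn=657 op=3 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag cn"
[28/Mar/2018:10:47:11.825181116 +0200] conn=657 op=3 RESULT err=0 tag=101 nentries=0 etime=0.0001117036
[28/Mar/2018:10:47:44.580000000 +0200] conn=658 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0001 dn="fqdn=replica.ipa.example,cn=computers,cn=accounts,dc=ipa,dc=example"
[28/Mar/2018:10:47:44.584854957 +0200] conn=658 op=3 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=2 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag cn"
[28/Mar/2018:10:47:44.585895372 +0200] conn=658 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0001390817
[28/Mar/2018:10:48:10.100000000 +0200] conn=659 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0001 dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=example"
[28/Mar/2018:10:48:10.104000000 +0200] conn=659 op=3 SRCH base="cn=caacls,cn=ca,dc=ipa,dc=example" scope=1 filter="(&(objectClass=ipaassociation)(objectClass=ipacaacl))" attrs="ipaEnabledFlag cn"
[28/Mar/2018:10:48:10.105000000 +0200] conn=659 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0001
"""


def parse_access_log(lines):
    """Pair each SRCH with the RESULT carrying the same conn/op and attach the
    DN the connection bound as (taken from the SASL BIND RESULT, tag=97)."""
    pending, bound, searches = {}, {}, []
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            pending[(m["conn"], m["op"])] = m.groupdict()
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        if m["tag"] == "97" and m["dn"]:
            bound[m["conn"]] = m["dn"]
            continue
        srch = pending.pop((m["conn"], m["op"]), None)
        if srch is None:
            continue
        srch.update(err=int(m["err"]), nentries=int(m["nentries"]),
                    bound_dn=bound.get(m["conn"], "<unknown>"))
        searches.append(srch)
    return searches


def find_scope_mismatches(searches):
    """Group successful searches by (base, filter).  An empty one-level search
    next to a non-empty subtree search on the same key means the children exist
    but the one-level search could not see them for that bound identity."""
    by_key = defaultdict(list)
    for s in searches:
        if s["err"] == 0:
            by_key[(s["base"].lower(), s["filter"])].append(s)
    findings = []
    for (base, flt), group in by_key.items():
        empty_one = [s for s in group if s["scope"] == "1" and s["nentries"] == 0]
        ok_one = [s for s in group if s["scope"] == "1" and s["nentries"] > 0]
        full_sub = [s for s in group if s["scope"] == "2" and s["nentries"] > 0]
        if empty_one and full_sub:
            findings.append({
                "base": base,
                "filter": flt,
                "one_level_empty_as": sorted({s["bound_dn"] for s in empty_one}),
                "one_level_ok_as": sorted({s["bound_dn"] for s in ok_one}),
                "subtree_entries": max(s["nentries"] for s in full_sub),
            })
    return findings


def analyze(text):
    """Convenience wrapper: access-log text in, findings out."""
    return find_scope_mismatches(parse_access_log(text.splitlines()))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("base=%s scope=one empty as %s, ok as %s; scope=sub returned %d"
              % (f["base"], f["one_level_empty_as"], f["one_level_ok_as"],
                 f["subtree_entries"]))
```

Run against a real access log (`/var/log/dirsrv/slapd-INSTANCE/access`) with logging of the SASL bind result DN, the "one_level_empty_as" list names the identities that lose entries at scope one; if privileged identities appear under "one_level_ok_as" for the same key, the difference is in what the bound identity is allowed to read, which is where the parentid ACI discussed below comes in.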
The problem is caused by https://pagure.io/389-ds-base/issue/49617
Metadata Update from @abbra: - Issue assigned to abbra
I added an anonymous access ACI to allow reading parentid as suggested by @tbordaz The following pull request can be used to track the fix: https://github.com/freeipa/freeipa/pull/1752
master:
The workaround works like a charm.
Metadata Update from @cheimes: - Issue close_status updated to: fixed
Metadata Update from @ftweedal: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1588109
ipa-4-6:
Metadata Update from @frenaud: - Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.7)