ipa vault-retrieve fails after restoring a backup with the message:
ipa vault-retrieve
[ipatests.pytest_plugins.integration.host.Host.master.ParamikoTransport] RUN ['ipa', 'vault-retrieve', 'ci_test_vault', '--password', 'password']
[ipatests.pytest_plugins.integration.host.Host.master.cmd31] RUN ['ipa', 'vault-retrieve', 'ci_test_vault', '--password', 'password']
[ipatests.pytest_plugins.integration.host.Host.master.cmd31] ipa: ERROR: No valid Negotiate header in server response
ipa: ERROR: Exit code: 1
Full log here: https://fedorapeople.org/groups/freeipa/prci/jobs/8f8a6bee-3161-11e8-a318-fa163ed2d6e2/report.html
Git master (last commit: 64438f8)
I was able to reproduce the issue on F28, too. Even ipa ping is failing. The httpd error logs contain:
ipa ping
GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://master.ipa.example/ipa/xml
same here
Preparing restore from /root/ipa-full-2018-04-09-16-53-10 on ipa.idm.domain.tld
Performing FULL restore from FULL backup
...
ipa: DEBUG: stderr=
Starting pki-tomcatd Service
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: request POST http://ipa.idm.domain.tld:8080/ca/admin/ca/getStatus
ipa: DEBUG: request body ''
ipa: DEBUG: response status 500
ipa: DEBUG: response headers Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 2448
Date: Tue, 10 Apr 2018 08:23:43 GMT
Connection: close
...
ipa: DEBUG: response body b'<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.50 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><div class="line"></div><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b></p><pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
	com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
	com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:81)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Thread.java:748)
</pre><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.</u></p><hr class="line"><h3>Apache Tomcat/8.0.50</h3></body></html>'
ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
ipa: DEBUG: Waiting for CA to start...
Failed to start pki-tomcatd Service
The problem seems to be that GSSPROXY_CONF (/etc/gssproxy/10-ipa.conf) is not backed up and therefore not restored.
After changing ipa_backup to back up paths.GSSPROXY_CONF and running:
ipa-backup
ipa-uninstall
ipa-restore
This is what happens:
[root@master ~]# ipa user-add
First name: asd
Last name: asd
User login: asd
Full name: dasdas
ipa: ERROR: cannot connect to 'https://master.example.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:840)
[root@master ~]# ipa ping
ipa: ERROR: cannot connect to 'https://master.example.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:840)
[root@master ~]# cat /etc/httpd/conf.d/ssl.conf | grep "SSLCACertificateFile /etc/ipa/ca.crt"
SSLCACertificateFile /etc/ipa/ca.crt
[root@master ~]# ipa-certupdate
trying https://master.example.com/ipa/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://master.example.com/ipa/json'
No valid Negotiate header in server response
The ipa-certupdate command failed.
[root@master ~]# ipa ping
ipa: ERROR: No valid Negotiate header in server response
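An added pre-restore sanity check, written for this page and not part of FreeIPA, ipa-backup or the fix referenced above: it lists the backup's file archive and confirms that the configuration files the comments above depend on, including /etc/gssproxy/10-ipa.conf, were actually captured, so a missing file is caught before ipa-restore is run instead of surfacing afterwards as "No valid Negotiate header" or a CERTIFICATE_VERIFY_FAILED error. The archive name files.tar inside the backup directory, the relative path layout, and the list of required files are assumptions; the sample backup is constructed inline and deliberately omits the gssproxy config, mirroring the behaviour reported here.

```shell
#!/bin/sh
# Added example (not FreeIPA code): sanity-check an ipa-backup directory
# before running ipa-restore. Assumes the backup keeps its file archive
# as BACKUP_DIR/files.tar with paths stored relative to / (GNU tar
# strips the leading slash); both are assumptions, adjust to your layout.

# Files a restore needs in place for httpd/GSSAPI auth and the CA to come
# back. 10-ipa.conf is the one this ticket found was not being backed up.
REQUIRED_FILES="etc/gssproxy/10-ipa.conf
etc/httpd/conf.d/ssl.conf
etc/ipa/ca.crt"

# backup_has_file BACKUP_DIR REL_PATH
# Returns 0 if files.tar lists REL_PATH (with or without a leading /).
backup_has_file() {
    tar -tf "$1/files.tar" 2>/dev/null | grep -qx -e "$2" -e "/$2"
}

# check_backup BACKUP_DIR
# Prints one line per required file; returns 1 if any is missing, so a
# restore wrapper can abort before it touches the live system.
check_backup() {
    _missing=0
    for _f in $REQUIRED_FILES; do
        if backup_has_file "$1" "$_f"; then
            echo "ok       $_f"
        else
            echo "MISSING  $_f"
            _missing=1
        fi
    done
    return $_missing
}

# Constructed sample backup mimicking the reported behaviour: httpd and CA
# files are captured, the gssproxy config is not. Prints the directory.
make_sample_backup() {
    _dir=$(mktemp -d)
    _root="$_dir/root"
    mkdir -p "$_root/etc/httpd/conf.d" "$_root/etc/ipa"
    echo 'SSLCACertificateFile /etc/ipa/ca.crt' > "$_root/etc/httpd/conf.d/ssl.conf"
    echo 'placeholder, not a real certificate' > "$_root/etc/ipa/ca.crt"
    tar -cf "$_dir/files.tar" -C "$_root" etc
    echo "$_dir"
}

# Add the gssproxy config to a sample backup and re-archive it, i.e. the
# state a backup is in once ipa_backup includes paths.GSSPROXY_CONF.
add_gssproxy_conf() {
    mkdir -p "$1/root/etc/gssproxy"
    printf '# constructed placeholder content\n' > "$1/root/etc/gssproxy/10-ipa.conf"
    tar -cf "$1/files.tar" -C "$1/root" etc
}

# Usage when run directly against a real backup directory:
#   sh check_backup.sh /var/lib/ipa/backup/ipa-full-2018-04-09-16-53-10
if [ -n "$1" ]; then
    check_backup "$1"
fi
```

Run it against the backup directory before ipa-restore; a non-zero exit means the archive lacks one of the listed files and the restore would come up with a broken httpd/GSSAPI or CA configuration. Extend REQUIRED_FILES with whatever else your deployment's restore has bitten you on.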
Metadata Update from @fbarreto: - Issue assigned to fbarreto
Metadata Update from @fbarreto: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1844
Metadata Update from @cheimes: - Issue set to the milestone: FreeIPA 4.6.4
master:
ipa-4-6:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)