#7493 ipa-replica-install fails with ERROR 400 Client Error when master has httpd 2.4.33-2.fc27
Closed: fixed 5 years ago Opened 6 years ago by frenaud.

Issue

ipa-replica-install fails with ERROR 400 Client Error: Bad Request for url when master is installed with httpd 2.4.33-2.fc27

Steps to Reproduce

  1. install master
  2. install client with ipa-client-install
  3. promote client to replica with kinit admin; ipa-replica-install

Actual behavior

ipa-replica-install fails in the last step acquiring keys through custodia:

Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Waiting for keys to appear on host: vm-171-239.abc.idm.lab.eng.brq.redhat.com, please wait until this has completed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    400 Client Error: Bad Request for url: https://master.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=...
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Expected behavior

ipa-replica-install should succeed.

Note that downgrading httpd to version 2.4.28-1.fc27 fixes the issue.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.6.3-3.fc27.x86_64
freeipa-client-4.6.3-3.fc27.x86_64
389-ds-base-1.3.7.10-1.fc27.x86_64
pki-ca-10.6.0-0.3.fc27.noarch
krb5-server-1.15.2-8.fc27.x86_64

Content of /var/log/ipareplica-install.log:

2018-04-13T07:21:46Z DEBUG Starting new HTTPS connection (1): master.example.com
2018-04-13T07:22:46Z DEBUG https://master.example.com:443 "GET /ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=... HTTP/1.1" 400 226
2018-04-13T07:22:46Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 319, in run
    cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 364, in run
    self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 388, in execute
    for _nothing in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 514, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 66, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 622, in main
    replica_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 388, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1460, in install
    ca.install(False, config, options)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 226, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 269, in install_step_0
    replica_config.dirman_password)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/custodiainstance.py", line 237, in get_ca_keys
    self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/custodiainstance.py", line 201, in __get_keys
    value = cli.fetch_key(os.path.join(prefix, nickname), False)
  File "/usr/lib/python3.6/site-packages/ipaserver/secrets/client.py", line 105, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 935, in raise_for_status
    raise HTTPError(http_error_msg, response=self)

2018-04-13T07:22:46Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 400 Client Error: Bad Request for url: https://master.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=...
2018-04-13T07:22:46Z ERROR 400 Client Error: Bad Request for url: https://master.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=...
2018-04-13T07:22:46Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Content of httpd error log on master:

[Fri Apr 13 09:21:35.383101 2018] [wsgi:error] [pid 54098:tid 139908788836096] [remote 10.37.171.19:50112] ipa: INFO: [xmlserver] host/replica.example.com@EXAMPLE.COM: cert_request('MII...', profile_id='caIPAserviceCert', principal='HTTP/replica.example.com@EXAMPLE.COM', add=True, version='2.51'): SUCCESS
[Fri Apr 13 09:22:46.537272 2018] [proxy:error] [pid 54640:tid 139908450592512] (20014)Internal error (specific information not available): [client 10.37.171.19:50140] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Fri Apr 13 09:22:46.537449 2018] [proxy_http:error] [pid 54640:tid 139908450592512] [client 10.37.171.19:50140] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 10.37.171.19 ()

This may be related to https://pagure.io/mod_nss/issue/45

Apache 2.4.33 changed the API for reverse proxies.

I have a candidate patch for mod_nss which implements the bare minimum.

The patch in https://koji.fedoraproject.org/koji/taskinfo?taskID=26332491 fixes the issue.

Turning this issue into a tracker; we will need to bump the required version of mod_nss when it's available.

Metadata Update from @frenaud:
- Issue tagged with: tracker

6 years ago

Have you considered requesting a downgrade of Apache to a compatible version? After all, the problem smells like an ABI change. Are ABI changes acceptable for an existing Fedora release?

The problem is more political than anything.

In order for mod_nss to be able to be a reverse proxy we have to carry a patch for Apache to dispatch the requests. Apache is built in a modular way, but its design doesn't expect that there can be multiple providers installed at the same time, so there is a single API for registering the callbacks.

It took months to get this accepted in the first place. I'd like to avoid using policy to solve this.

The mod_nss build in testing now solves the underlying problem for IPA. Additional work is needed for mod_nss and mod_ssl to play nicely together in the case of a reverse proxy, but that is outside the supported scope for an IPA installation.

Metadata Update from @stlaz:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.6

6 years ago

Metadata Update from @stlaz:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6)

6 years ago

Fixed in 1.0.14-7.f27, 1.0.16-5.1.f28

Metadata Update from @rcritten:
- Issue assigned to rcritten

5 years ago

ipa-4-6:

  • dca61eb Require mod_nss 1.0.14-7 to fix reverse proxy in mod_nss

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
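The thread pins the failure to one package combination on the master: httpd at or above 2.4.33 (the reverse proxy API change) together with a mod_nss older than the fixed builds named above (1.0.14-7 on fc27, 1.0.16-5.1 on fc28). The following preflight check is an added example, not FreeIPA or mod_nss project code: it takes the text of `rpm -q httpd mod_nss` from the master, re-implements RPM's segment-wise version comparison so it runs offline, and says whether `ipa-replica-install` would hit the 400 on `/ipa/keys/`. The sample inputs are constructed; in particular the mod_nss 1.0.14-6 build used as the "broken" case is assumed for illustration and is not mentioned in the ticket.

```python
"""Preflight check for the httpd / mod_nss combination from this ticket.

Added example, not FreeIPA or mod_nss project code. It re-implements RPM's
rpmvercmp() segment comparison so the check runs offline on plain `rpm -q`
output; where the rpm Python bindings are installed, rpm.labelCompare()
does the same comparison.
"""
import re
from collections import namedtuple

Package = namedtuple("Package", "name version release dist")

# Thresholds taken from the ticket: httpd 2.4.33 changed the reverse proxy
# API; mod_nss 1.0.14-7 (fc27) and 1.0.16-5.1 (fc28) carry the fix.
BROKEN_HTTPD_VERSION = "2.4.33"
FIXED_MOD_NSS = {"fc27": ("1.0.14", "7"), "fc28": ("1.0.16", "5.1")}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way rpmvercmp() does.

    Segments are runs of digits or letters; digits compare numerically and
    beat letters; a tilde sorts before anything, even the end of the string;
    otherwise the string with segments left over is newer. Returns -1/0/1.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else None
        y = sb.pop(0) if sb else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def compare_vr(vr_a, vr_b):
    """Compare (version, release) pairs; the version decides unless equal."""
    return rpmvercmp(vr_a[0], vr_b[0]) or rpmvercmp(vr_a[1], vr_b[1])


def parse_nvra(line):
    """Split 'name-version-release.arch' as printed by `rpm -q` (no epoch)."""
    nvr, _arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    m = re.search(r"fc\d+", release)
    return Package(name, version, release, m.group(0) if m else None)


def check_master(rpm_q_output):
    """Classify a master's httpd/mod_nss pair as ok, broken or unknown.

    Input is the text of `rpm -q httpd mod_nss` run on the master. Returns
    (status, reason) so a caller can gate ipa-replica-install on it.
    """
    pkgs = {}
    for line in rpm_q_output.splitlines():
        if line.strip():
            p = parse_nvra(line)
            pkgs[p.name] = p
    httpd, mod_nss = pkgs.get("httpd"), pkgs.get("mod_nss")
    if httpd is None or mod_nss is None:
        return ("unknown", "need both httpd and mod_nss in the rpm -q output")
    if rpmvercmp(httpd.version, BROKEN_HTTPD_VERSION) < 0:
        return ("ok", "httpd %s predates the 2.4.33 reverse proxy API change" % httpd.version)
    fixed = FIXED_MOD_NSS.get(mod_nss.dist)
    if fixed is None:
        return ("unknown", "no known fixed mod_nss build for dist %r" % mod_nss.dist)
    if compare_vr((mod_nss.version, mod_nss.release), fixed) >= 0:
        return ("ok", "mod_nss %s-%s carries the reverse proxy fix" % (mod_nss.version, mod_nss.release))
    return ("broken", "httpd %s with mod_nss %s-%s: Custodia key fetch via /ipa/keys/ will fail with 400; "
            "upgrade mod_nss to >= %s-%s before promoting a replica"
            % (httpd.version, mod_nss.version, mod_nss.release, fixed[0], fixed[1]))


# Constructed sample inputs; the mod_nss 1.0.14-6 build is assumed for illustration.
SAMPLE_BROKEN = "httpd-2.4.33-2.fc27.x86_64\nmod_nss-1.0.14-6.fc27.x86_64\n"
SAMPLE_DOWNGRADED_HTTPD = "httpd-2.4.28-1.fc27.x86_64\nmod_nss-1.0.14-6.fc27.x86_64\n"
SAMPLE_FIXED = "httpd-2.4.33-2.fc27.x86_64\nmod_nss-1.0.14-7.fc27.x86_64\n"

if __name__ == "__main__":
    for sample in (SAMPLE_BROKEN, SAMPLE_DOWNGRADED_HTTPD, SAMPLE_FIXED):
        print("%s: %s" % check_master(sample))
```

The release comparison is what makes the check useful: `6.fc27` sorts below the bare `7` of the requirement, while `7.fc27` sorts above it because the dist tag leaves segments over, which matches how the `Requires: mod_nss >= 1.0.14-7` added by commit dca61eb is evaluated by rpm. The check only knows the fc27 and fc28 thresholds stated in the ticket and reports `unknown` for any other dist tag rather than guessing.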
