ipa-replica-install fails with ERROR 400 Client Error: Bad Request for url when master is installed with httpd 2.4.33-2.fc27
ipa-replica-install fails in the last step acquiring keys through custodia:
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Waiting for keys to appear on host: vm-171-239.abc.idm.lab.eng.brq.redhat.com, please wait until this has completed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    400 Client Error: Bad Request for url: https://master.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=...
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
ipa-replica-install should succeed.
Note that downgrading httpd to version 2.4.28-1.fc27 fixes the issue.
$ rpm -q freeipa-server freeipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.6.3-3.fc27.x86_64
freeipa-client-4.6.3-3.fc27.x86_64
389-ds-base-1.3.7.10-1.fc27.x86_64
pki-ca-10.6.0-0.3.fc27.noarch
krb5-server-1.15.2-8.fc27.x86_64
Content of /var/log/ipareplica-install.log:
2018-04-13T07:21:46Z DEBUG Starting new HTTPS connection (1): master.example.com
2018-04-13T07:22:46Z DEBUG https://master.example.com:443 "GET /ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=... HTTP/1.1" 400 226
2018-04-13T07:22:46Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 319, in run
    cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 364, in run
    self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 388, in execute
    for _nothing in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 654, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 430, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 517, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 514, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 420, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 417, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 66, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 622, in main
    replica_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 388, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1460, in install
    ca.install(False, config, options)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 226, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 269, in install_step_0
    replica_config.dirman_password)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/custodiainstance.py", line 237, in get_ca_keys
    self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/custodiainstance.py", line 201, in __get_keys
    value = cli.fetch_key(os.path.join(prefix, nickname), False)
  File "/usr/lib/python3.6/site-packages/ipaserver/secrets/client.py", line 105, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 935, in raise_for_status
    raise HTTPError(http_error_msg, response=self)

2018-04-13T07:22:46Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 400 Client Error: Bad Request for url: https://master.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=...
2018-04-13T07:22:46Z ERROR 400 Client Error: Bad Request for url: https://master.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=...
2018-04-13T07:22:46Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Content of httpd error log on master:
[Fri Apr 13 09:21:35.383101 2018] [wsgi:error] [pid 54098:tid 139908788836096] [remote 10.37.171.19:50112] ipa: INFO: [xmlserver] host/replica.example.com@EXAMPLE.COM: cert_request('MII...', profile_id='caIPAserviceCert', principal='HTTP/replica.example.com@EXAMPLE.COM', add=True, version='2.51'): SUCCESS
[Fri Apr 13 09:22:46.537272 2018] [proxy:error] [pid 54640:tid 139908450592512] (20014)Internal error (specific information not available): [client 10.37.171.19:50140] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Fri Apr 13 09:22:46.537449 2018] [proxy_http:error] [pid 54640:tid 139908450592512] [client 10.37.171.19:50140] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 10.37.171.19 ()
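The two mod_proxy lines in the master's error log are the server-side fingerprint of this failure: the replica only sees a 400 on /ipa/keys/..., while the master records that it could not pass the request body to the backend that mod_proxy names `httpd-UDS` with the placeholder address `0.0.0.0:0` (that is how mod_proxy logs a Unix-domain-socket worker, which is where the custodia /ipa/keys/ endpoint is proxied). The following parser is an added example for triage, not code from the report or from FreeIPA; the sample log is the three lines quoted above, and the regex assumes Apache's default `ErrorLogFormat`.

```python
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache 2.4 default ErrorLogFormat:
#   [timestamp] [module:level] [pid N:tid M] (errno)errtext: [client IP:port] message
# The "(errno)errtext: " part and the "[client ...]"/"[remote ...]" part are both optional.
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\((?P<errno>\d+)\)(?P<errtext>[^:\[]*): )?"
    r"(?:\[(?P<peer_kind>client|remote) (?P<peer>[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)
# AH01084 (mod_proxy) and AH01097 (mod_proxy_http): "pass request body failed to <addr> (<worker>)"
BODY_FAIL = re.compile(
    r"^(?P<code>AH01084|AH01097): pass request body failed to (?P<addr>\S+) \((?P<worker>[^)]+)\)"
)

# Sample input: the three error_log lines from the report above.
SAMPLE_ERROR_LOG = """[Fri Apr 13 09:21:35.383101 2018] [wsgi:error] [pid 54098:tid 139908788836096] [remote 10.37.171.19:50112] ipa: INFO: [xmlserver] host/replica.example.com@EXAMPLE.COM: cert_request('MII...', profile_id='caIPAserviceCert', principal='HTTP/replica.example.com@EXAMPLE.COM', add=True, version='2.51'): SUCCESS
[Fri Apr 13 09:22:46.537272 2018] [proxy:error] [pid 54640:tid 139908450592512] (20014)Internal error (specific information not available): [client 10.37.171.19:50140] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Fri Apr 13 09:22:46.537449 2018] [proxy_http:error] [pid 54640:tid 139908450592512] [client 10.37.171.19:50140] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 10.37.171.19 ()
"""


@dataclass
class ProxyBodyFailure:
    ts: str
    module: str   # "proxy" or "proxy_http"
    code: str     # AH01084 or AH01097
    client: str   # ip:port of the replica that sent the request
    backend: str  # "0.0.0.0:0": mod_proxy's placeholder address for a Unix-domain-socket backend
    worker: str   # "httpd-UDS": the placeholder hostname mod_proxy gives UDS workers


def parse_error_line(line: str) -> Optional[dict]:
    """Split one error_log line into its fields; None if it is not in the default format."""
    m = ERROR_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_proxy_body_failures(lines: Iterable[str]) -> List[ProxyBodyFailure]:
    """Return every 'pass request body failed' event, in log order."""
    out: List[ProxyBodyFailure] = []
    for line in lines:
        rec = parse_error_line(line)
        if not rec:
            continue
        m = BODY_FAIL.match(rec["msg"])
        if not m:
            continue
        out.append(ProxyBodyFailure(rec["ts"], rec["module"], m["code"],
                                    rec["peer"] or "", m["addr"], m["worker"]))
    return out


def custodia_proxy_broken(lines: Iterable[str]) -> bool:
    """True when httpd failed to forward a request body to its UDS backend.

    On an IPA master that backend is ipa-custodia behind /ipa/keys/, so the
    replica's key fetch is answered with 400 and ipa-replica-install aborts.
    """
    return any(f.worker == "httpd-UDS" for f in find_proxy_body_failures(lines))


if __name__ == "__main__":
    # Usage on the master: python3 this.py < /var/log/httpd/error_log
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_ERROR_LOG.splitlines()
    for f in find_proxy_body_failures(src):
        print(f"{f.ts}  {f.code} ({f.module})  client={f.client}  backend={f.backend} worker={f.worker}")
```

A hit here on the master, paired with the 400 on `/ipa/keys/...` in the replica's ipareplica-install.log, points at the proxy path between httpd and custodia rather than at custodia itself or at the replica's credentials.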
This may be related to https://pagure.io/mod_nss/issue/45
Apache 2.4.33 changed the API for reverse proxies.
I have a candidate patch for mod_nss which implements the bare minimum.
The patch in https://koji.fedoraproject.org/koji/taskinfo?taskID=26332491 fixes the issue.
Turning this issue into a tracker, we will need to bump the required version of mod_nss when it's available.
Metadata Update from @frenaud: - Issue tagged with: tracker
Have you considered requesting a downgrade of Apache to a compatible version? After all, the problem smells like an ABI change. Are ABI changes acceptable for an existing Fedora release?
The problem is more political than anything.
In order for mod_nss to be able to be a reverse proxy we have to carry a patch for Apache to dispatch the requests. Apache is built in a modular way but its design doesn't expect there can be multiple providers installed at the same time so there is a single API for registering the callbacks.
It took months to get this accepted in the first place. I'd like to avoid using policy to solve this.
The mod_nss build in testing now solves the underlying problem for IPA. Additional work is needed so that mod_nss and mod_ssl play nicely together in the case of a reverse proxy, but that is outside the supported scope for an IPA installation.
Metadata Update from @stlaz: - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.6
Metadata Update from @stlaz: - Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6)
Fixed in 1.0.14-7.f27, 1.0.16-5.1.f28
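Because the failure only appears when the master has httpd 2.4.33 or later together with a mod_nss build that predates the fix named above, a preflight check on the master is cheap insurance before running ipa-replica-install. The script below is an added example, not part of FreeIPA or of this ticket. It assumes the "f27"/"f28" in the comment mean the usual `.fc27`/`.fc28` dist tags, takes 2.4.33 as the first affected httpd version from the discussion above, and uses a deliberately simplified rpmvercmp (no epoch, tilde or caret handling, which none of these versions need).

```python
import re
import subprocess
from itertools import zip_longest
from typing import List, Tuple

# From this ticket: httpd 2.4.33 changed the reverse-proxy API; a master on httpd >= 2.4.33
# needs the mod_nss build that implements it. Dist tags are assumed to be .fc27/.fc28.
FIRST_AFFECTED_HTTPD = "2.4.33"
FIXED_MOD_NSS = {"fc27": "1.0.14-7.fc27", "fc28": "1.0.16-5.1.fc28"}


def _segments(s: str) -> List[str]:
    """rpmvercmp splits on separators into runs of digits or runs of letters."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1, 0 or 1 like the real one, minus epoch/tilde/caret rules."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1          # a ran out of segments first, so a < b ("1.0" < "1.0.1")
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            ix, iy = int(x), int(y)
            if ix != iy:
                return 1 if ix > iy else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment is newer than an alpha one
        elif x != y:
            return 1 if x > y else -1
    return 0


def vrcmp(a: str, b: str) -> int:
    """Compare 'version-release' strings the way rpm does: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def replica_custodia_preflight(httpd_vr: str, mod_nss_vr: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the master's httpd/mod_nss 'version-release' pair.

    ok is False when httpd carries the 2.4.33 proxy API change but mod_nss predates the
    build that implements it: in that state the replica's custodia key fetch under
    /ipa/keys/ is answered with 400 and ipa-replica-install fails.
    """
    httpd_ver = httpd_vr.rsplit("-", 1)[0]
    if rpmvercmp(httpd_ver, FIRST_AFFECTED_HTTPD) < 0:
        return True, f"httpd {httpd_vr} predates the {FIRST_AFFECTED_HTTPD} proxy API change"
    m = re.search(r"\.(fc\d+)$", mod_nss_vr)
    if not m or m.group(1) not in FIXED_MOD_NSS:
        return False, f"no known fixed mod_nss build for {mod_nss_vr}; check manually"
    fixed = FIXED_MOD_NSS[m.group(1)]
    if vrcmp(mod_nss_vr, fixed) >= 0:
        return True, f"mod_nss {mod_nss_vr} >= {fixed}, implements the new proxy API"
    return False, (f"httpd {httpd_vr} needs mod_nss >= {fixed}, found {mod_nss_vr}: "
                   f"expect 400 on /ipa/keys/ during ipa-replica-install")


def installed_vr(package: str) -> str:
    """Query the local rpm database; only used when run as a script on the master."""
    return subprocess.check_output(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package], text=True).strip()


if __name__ == "__main__":
    ok, reason = replica_custodia_preflight(installed_vr("httpd"), installed_vr("mod_nss"))
    print(("OK: " if ok else "BLOCKED: ") + reason)
    raise SystemExit(0 if ok else 1)
```

Run it on the master before starting the replica install; a non-zero exit means either downgrade httpd (as the reporter did) or update mod_nss to at least the build listed in the comment above.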
Metadata Update from @rcritten: - Issue assigned to rcritten
https://github.com/freeipa/freeipa/pull/1876
ipa-4-6:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)