freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#7565 ipa-replica-install fails for multiple reasons

Created 3 months ago by pomac
Modified 2 months ago

Issue

ipa-replica-install can't complete.

The first issue is that it tries to create a certificate using the actual machine you're installing as the endpoint - which will not work (no httpd is actually running yet)

Moving ds.enable_ssl() below the if promote: section in replicainstall.py causes it to correctly contact a the master server but the user it uses at the time does not have permission to create a new certificate.

Steps to Reproduce

  1. have a working ipa setup and add a new machine
  2. ipa-client-install
  3. ipa-replica-install

Actual behavior

It fails:
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)

Expected behavior

to actually be able to setup a new replica

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

Fedora-28:
freeipa-server-4.6.90.pre2-3.fc28.x86_64
freeipa-client-4.6.90.pre2-3.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.8-1.fc28.x86_64
pki-ca-10.6.1-1.fc28.noarch
krb5-server-1.16.1-2.fc28.x86_64

Basically, the patch is: move line 1440 (krb = install_krb... ) to 1447 (ds.enable_ssl()) and insert it before 1468 (install_http(...)

Since the error is caused by xmlrpc_uri is set to env.host (which is the machine you're trying to install)

It feels like a better solution would be to have xmlrpc_uri set to the remote server and switch it back to the local host WHEN it's service is up and confirmed as running.

Verified again with a clean install, all update fedora 28 machines.

fedora-1.lab.lan - master server - installed, running and no firewall.

fedora-2.lab.lan - first replica - ipa-client-install worked, but ipa-replica-install failed.

Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)

And:
[root@freeipa-2 fedora]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20180525141223':
status: CA_REJECTED
ca-error: Server at https://freeipa-2.lab.lan/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://freeipa-2.lab.lan/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: Failed to connect to freeipa-2.lab.lan port 443: Connection refused).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LAB-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-LAB-LAN/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-LAB-LAN',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv LAB-LAN
track: yes
auto-renew: yes
[root@freeipa-2 fedora]#


I don't see this working for anyone - I suggest that this is a blocking bug.

I actually suspect this patch:
cb141b0

https://pastebin.com/tbwpwX7m - server setup log
https://pastebin.com/Ze9x5NJ9 - replication setup log with failure

Hi,
during replica installation, the installer is using certmonger to get a certificate for HTTP and LDAP. As you saw, certmonger tries first to contact the Dogtag server defined in xmlrpc_uri but this fails as Dogtag is not configured yet on the replica.
At this point, certmonger will try to find another dogtag server (you can have a look at certmonger sources ) where certmonger is using the DNS records for _ldap._tcp in the domain in order to find the other IPA masters.
In order to troubleshoot, you will need to find if certmonger actually found another IPA master and managed to contact it.

The logs above are two completely new installs, freeipa-1 is the server and freeipa-2 would be the first replica.

It doesn't work. Try it yourself, install fedora 28 on two machines and try it.

Hi,
I tried server + replica installation with 4.6.90.pre2-3.fc28 and did not have any issue. Are you sure about the version installed on your machines, because the logs mention "Configuring NTP daemon" and this part was removed in 4.6.90-pre2 in favor of chrony?

Your issue looks like #7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError that was happening on freeipa-server-4.6.90.pre1

Just want to comment that I ran into this after upgrading a three-replica cluster from 4.6.3 to 4.6.90-pre1, losing two out of the three replicas in the process and upgrading the final replica to 4.6.90-pre2. Clean installs of Fedora 28 with 4.6.90-pre2 on the other replicas ran into the this problem, where certmonger couldn't create a certificate because it was trying to use the local (non-running) http server.

I lost the logs when I restored our 4.6.3 setup from backups, but I did have DNS setup correctly on the last working replica, and _ldap._tcp was (and is) defined on it.

I'm not able to reproduce the issue with a fresh installation on Fedora 28. Both machines have all latest updates installed and use freeipa-server-4.6.90.pre2-3.fc28.x86_64

master

  1. dnf update -y --refresh
  2. ipa-server-install -r IPA.EXAMPLE -n ipa.example --hostname=master.ipa.example --ds-password=DMSecret456 --admin-password=Secret123 --setup-dns --unattended

replica with explicit server

  1. dnf update -y --refresh
  2. ipa-client-install --domain=ipa.example --server=master.ipa.example --principal=admin --password="Secret123" --unattended
  3. kinit admin
  4. ipa-replica-install --setup-ca

replica with DNS auto-discovery

  1. dnf update -y --refresh
  2. Modify /etc/resolv.conf to use master as only DNS server
  3. ipa-client-install --domain=ipa.example --principal=admin --password="Secret123" --unattended
  4. kinit admin
  5. ipa-replica-install --setup-ca

Are you using FreeIPA's DNS server or an external DNS server? In case of an external DNS server, did you add the necessary SRV and TXT records as documented?

dnf upgrade --refresh done today seems to fix all issues...

rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.6.90.pre2-3.fc28.x86_64
freeipa-client-4.6.90.pre2-3.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.9-2.fc28.x86_64
pki-ca-10.6.1-3.fc28.noarch
krb5-server-1.16.1-4.fc28.x86_64

Thank you for the update. In this case I will close this issue.

2 months ago

Metadata Update from @frenaud:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

Login to comment on this ticket.

cancel