#7655 PKINIT configuration fails while promoting a replica using IPA 4.7.0
Closed: fixed 7 years ago Opened 7 years ago by twoerner.

Description of problem

PKINIT configuration fails while promoting a replica using IPA 4.7.0.

This can be seen also in the PRCI test fedora-28/replica_promotion for https://github.com/freeipa/freeipa/pull/2187:

/var/log/ipareplica-install.log (http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/d4ce181c-91a7-11e8-bb6f-fa163eca93a5/test_replica_promotion.py-TestSubCAkeyReplication--test_subca_replica/replica0.ipa.test/var/log/ipareplica-install.log.gz):

2018-07-27T14:35:12Z DEBUG Configuring Kerberos KDC (krb5kdc)
2018-07-27T14:35:12Z DEBUG   [1/1]: installing X509 Certificate for PKINIT
2018-07-27T14:35:12Z DEBUG certmonger request is in state dbus.String('GENERATING_KEY_PAIR', variant_level=1)
2018-07-27T14:35:17Z DEBUG certmonger request is in state dbus.String('SUBMITTING', variant_level=1)
2018-07-27T14:35:22Z DEBUG certmonger request is in state dbus.String('SUBMITTING', variant_level=1)
2018-07-27T14:35:27Z DEBUG certmonger request is in state dbus.String('CA_REJECTED', variant_level=1)
2018-07-27T14:35:27Z DEBUG Cert request 20180727143512 failed: CA_REJECTED (Server at https://replica0.ipa.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'replica0.ipa.test' is not an active KDC).)
2018-07-27T14:35:27Z DEBUG Sleep and resubmit cert request 20180727143512
2018-07-27T14:35:37Z DEBUG certmonger request is in state dbus.String('GENERATING_CSR', variant_level=1)
2018-07-27T14:35:42Z DEBUG certmonger request is in state dbus.String('CA_REJECTED', variant_level=1)
2018-07-27T14:35:42Z DEBUG Cert request 20180727143512 failed: CA_REJECTED (Server at https://replica0.ipa.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'replica0.ipa.test' is not an active KDC).)
2018-07-27T14:35:42Z DEBUG Sleep and resubmit cert request 20180727143512
...
2018-07-27T14:40:13Z DEBUG Cert request 20180727143512 failed: CA_REJECTED (Server at https://replica0.ipa.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'replica0.ipa.test' is not an active KDC).)
2018-07-27T14:40:13Z DEBUG Request 20180727143512 reached resubmit dead line
2018-07-27T14:40:13Z WARNING PKINIT certificate request failed: Certificate issuance failed (CA_REJECTED: Server at https://replica0.ipa.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'replica0.ipa.test' is not an active KDC).)
2018-07-27T14:40:13Z WARNING Failed to configure PKINIT
2018-07-27T14:40:13Z DEBUG Full PKINIT configuration did not succeed

Steps to Reproduce

  1. Install IPA server
  2. Install IPA replica using this server
  3. See /var/log/ipareplica-install.log
  4. Use ipa-pkinit-manage status

Actual behavior

ipa-replica-install is taking some extra time in "Configuring Kerberos KDC (krb5kdc)" and PKINIT is not configured and not enabled.

# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful

Expected behavior

PKINIT configured and enabled.

Version/Release/Distribution

# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.7.0-1.fc29.x86_64
freeipa-client-4.7.0-1.fc29.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.13-1.fc28.x86_64
pki-ca-10.6.1-3.fc28.noarch
krb5-server-1.16.1-13.fc28.x86_64

Additional info:

This is not only happening in the PRCI test. This is happening for me all the time trying to install a replica using 4.7.0.
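A quick way to confirm that a replica hit the failure pattern in the log above is to parse ipareplica-install.log for the certmonger rejection loop and the final PKINIT warning. The following is an added example, not code from the ticket or from FreeIPA: it works on a constructed, trimmed copy of the excerpt, counts the CA_REJECTED rejections and resubmits, extracts the "Insufficient access" reason, and measures how long the "Configuring Kerberos KDC" step was stalled.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a trimmed copy of this ticket's log excerpt (same message shapes).
SAMPLE_LOG = """\
2018-07-27T14:35:12Z DEBUG Configuring Kerberos KDC (krb5kdc)
2018-07-27T14:35:27Z DEBUG Cert request 20180727143512 failed: CA_REJECTED (Server at https://replica0.ipa.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'replica0.ipa.test' is not an active KDC).)
2018-07-27T14:35:27Z DEBUG Sleep and resubmit cert request 20180727143512
2018-07-27T14:35:42Z DEBUG Cert request 20180727143512 failed: CA_REJECTED (Server at https://replica0.ipa.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'replica0.ipa.test' is not an active KDC).)
2018-07-27T14:35:42Z DEBUG Sleep and resubmit cert request 20180727143512
2018-07-27T14:40:13Z DEBUG Request 20180727143512 reached resubmit dead line
2018-07-27T14:40:13Z WARNING Failed to configure PKINIT
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
FAIL_RE = re.compile(r"Cert request (\d+) failed: (\w+) \(")
REASON_RE = re.compile(r"Insufficient access: ([^)]+)")


def analyze_pkinit_log(text):
    """Summarise the PKINIT certificate-request phase of an ipareplica-install.log."""
    report = {"request_id": None, "failures": Counter(), "reasons": Counter(),
              "resubmits": 0, "deadline_reached": False,
              "pkinit_configured": True, "kdc_step_seconds": None}
    kdc_start = last_ts = None
    for line in text.splitlines():
        parts = line.split(" ", 2)          # "<timestamp> <level> <message>"
        if len(parts) < 3:
            continue
        last_ts = datetime.strptime(parts[0], TS_FMT)
        msg = parts[2]
        if "Configuring Kerberos KDC" in msg:
            kdc_start = last_ts
        if f := FAIL_RE.search(msg):        # one line per certmonger rejection
            report["request_id"] = f.group(1)
            report["failures"][f.group(2)] += 1
            if r := REASON_RE.search(msg):
                report["reasons"][r.group(1)] += 1
        report["resubmits"] += "Sleep and resubmit cert request" in msg
        report["deadline_reached"] |= "reached resubmit dead line" in msg
        report["pkinit_configured"] &= "Failed to configure PKINIT" not in msg
    if kdc_start and last_ts:               # how long the KDC step was stalled
        report["kdc_step_seconds"] = int((last_ts - kdc_start).total_seconds())
    return report


def matches_ticket_signature(report):
    """PKINIT failed and every rejection was CA_REJECTED: 'not an active KDC'."""
    return (not report["pkinit_configured"] and set(report["failures"]) == {"CA_REJECTED"}
            and all("is not an active KDC" in r for r in report["reasons"]))
```

Run it against the real file with `analyze_pkinit_log(open("/var/log/ipareplica-install.log").read())`; a True from matches_ticket_signature means the replica shows exactly the rejection loop described in this ticket.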


Metadata Update from @abiagion:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.7.1

7 years ago

Metadata Update from @abiagion:
- Issue tagged with: regression

7 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

7 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1623486

7 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2326
- Custom field rhbz reset (from https://bugzilla.redhat.com/show_bug.cgi?id=1623486)

7 years ago

As the regression is also present on the ipa-4-5, ipa-4-6 and ipa-4-7 branches, moving the milestone to 4.5.5.

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.7.1)

7 years ago

master:

  • 2a227c2 ipa-replica-install: fix pkinit setup
  • bcfd18f Tests: test successful PKINIT install on replica

ipa-4-5:

  • 2ff9684 ipa-replica-install: fix pkinit setup
  • 5b8531e Tests: test successful PKINIT install on replica

ipa-4-6:

  • e02041d ipa-replica-install: fix pkinit setup
  • 2a2fd08 Tests: test successful PKINIT install on replica

ipa-4-7:

  • 09c78a1 ipa-replica-install: fix pkinit setup
  • 5ea8f8a Tests: test successful PKINIT install on replica

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago
