Setup of replica server is not completing w/o error.
Setup of FreeIPA replica server fails in step ipa-pkinit-manage.
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Error 7 connecting to https://ipa-replica.mydomain.de:8443/ca/ee/ca/profileSubmitSSLClient: Couldn't connect to server.) Failed to configure PKINIT Full PKINIT configuration did not succeed
[root@ipa-replica ~]# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.7.0-3.fc29.x86_64
freeipa-client-4.7.0-3.fc29.x86_64
Das Paket ipa-server ist nicht installiert
Das Paket ipa-client ist nicht installiert
389-ds-base-1.4.0.16-1.fc29.x86_64
pki-ca-10.6.6-2.fc29.noarch
krb5-server-1.16.1-21.fc29.x86_64
[root@ipa-replica ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Error 7 connecting to https://ipa-replica.mydomain.de:8443/ca/ee/ca/profileSubmitSSLClient: Couldn't connect to server.)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
In my opinion this issue is related to this bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1493531
This is a duplicate of issue 7655, also tracked as BZ 1623486. Issue is fixed in 4.7.1.
Metadata Update from @frenaud: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Issue status updated to: Open (was: Closed)
Ah, sorry I did not realize this was related to the conversation on devel list
The issue is rather that ipa-pkinit-manage enable is failing when run on a replica that doesn't host the CA instance. Renaming the issue to correctly reflect the problem.
Full reproduction steps:
1. install server with CA
2. install replica (4.7.0) without CA instance (do not provide --setup-ca). ipa-replica-install logs a warning about failing PKINIT configuration. This is a known issue (7655).
3. run ipa-pkinit-manage enable, succeeds but the KDC cert is still self-signed instead of being signed by IPA CA. Known issue 7200.
4. on the replica, rm /var/kerberos/krb5kdc/kdc.crt and /var/kerberos/krb5kdc/kdc.key, then re-run ipa-pkinit-manage enable. The command fails trying to contact PKI on the local host (there is no PKI on the local host).
Probable cause: ipaserver/install/krbinstance.py, in the method _call_certmonger:
    if use_dogtag_submit:
        # self.fqdn is the local replica, which is not necessarily a CA host
        ca_args = [
            paths.CERTMONGER_DOGTAG_SUBMIT,
            '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
            '--certfile', paths.RA_AGENT_PEM,
            '--keyfile', paths.RA_AGENT_KEY,
            '--cafile', paths.IPA_CA_CRT,
            '--agent-submit'
        ]
        helper = " ".join(ca_args)
        prev_helper = certmonger.modify_ca_helper(
            certmonger_ca, helper
        )
The code is always connecting locally (self.fqdn) but it should check on which host the CA is deployed.
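An added example (not FreeIPA's code and not the fix in the linked PR) of the host selection the comment above calls for: the helper-argument builder takes the list of CA-hosting servers as an input (in a real deployment that would come from the topology; here it is a constructed sample) and only uses the local FQDN when the local host actually runs the CA. The path constants are stand-ins for the ipaplatform `paths` values.

```python
# Added example: build the certmonger dogtag-submit helper arguments so that
# the EE URL targets a host that actually runs the CA, instead of always
# using the local FQDN as the quoted snippet does. The ca_servers list is an
# assumed input (constructed in __main__), not a real topology lookup.

CERTMONGER_DOGTAG_SUBMIT = "/usr/libexec/certmonger/dogtag-submit"
RA_AGENT_PEM = "/var/lib/ipa/ra-agent.pem"
RA_AGENT_KEY = "/var/lib/ipa/ra-agent.key"
IPA_CA_CRT = "/etc/ipa/ca.crt"


class NoCAServerError(RuntimeError):
    """Raised when no server in the topology hosts a CA instance."""


def select_ca_host(local_fqdn, ca_servers):
    """Prefer the local host if it runs a CA; otherwise pick the first CA
    server known in the topology. Fail loudly rather than pointing the
    helper at a port nothing listens on (the CA_UNREACHABLE seen above)."""
    if not ca_servers:
        raise NoCAServerError("no CA-hosting server found in the topology")
    if local_fqdn in ca_servers:
        return local_fqdn
    return sorted(ca_servers)[0]


def build_dogtag_submit_args(local_fqdn, ca_servers):
    """Return the argv used to configure certmonger's CA helper."""
    ca_host = select_ca_host(local_fqdn, ca_servers)
    return [
        CERTMONGER_DOGTAG_SUBMIT,
        '--ee-url', 'https://%s:8443/ca/ee/ca' % ca_host,
        '--certfile', RA_AGENT_PEM,
        '--keyfile', RA_AGENT_KEY,
        '--cafile', IPA_CA_CRT,
        '--agent-submit',
    ]


def build_helper_command(local_fqdn, ca_servers):
    """Same string form as the `helper` variable in the quoted snippet."""
    return " ".join(build_dogtag_submit_args(local_fqdn, ca_servers))


if __name__ == "__main__":
    # Constructed topology: only the first server hosts a CA, the replica does not.
    servers_with_ca = ["ipa-server.mydomain.de"]
    print(build_helper_command("ipa-replica.mydomain.de", servers_with_ca))
```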
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2706 - Issue set to the milestone: FreeIPA 4.7.3
master:
ipa-4-7:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1795890
Issue linked to Bugzilla: Bug 1795890
ipa-4-6: