#9510 Nightly test failure in test_replication_layouts.py::TestLineTopologyWithoutCA::test_line_topology_without_ca
Closed: fixed a year ago by frenaud. Opened a year ago by frenaud.

The nightly test test_replication_layouts.py::TestLineTopologyWithoutCA::test_line_topology_without_ca is failing on the master branch. See for instance PR #3303 with the following logs and report:

self = <ipatests.test_integration.test_replication_layouts.TestLineTopologyWithoutCA object at 0x7ff4b968a3d0>

    def test_line_topology_without_ca(self):
>       tasks.install_topo('line', self.master, self.replicas, [],
                           setup_replica_cas=False)

Test scenario:
- install master with CA and DNS
- install replica0 in 2 steps: ipa-client-install --server master.ipa.test [...] and ipa-replica-install (no CA, no DNS)
- install replica1 in 2 steps: ipa-client-install --server replica0.ipa.test [...] and ipa-replica-install (no CA, no DNS)

The installation of replica1 fails right after custodia is set up:

Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
404 Client Error: Not Found for url: https://replica0.ipa.test/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=[...]
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Exit code: 1

The ipareplica-install.log file shows that the installer is trying to set up the CA:

  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/__init__.py", line 599, in main
    replica_install(self)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/replicainstall.py", line 383, in decorated
    func(installer)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/replicainstall.py", line 1366, in install
    ca.install(False, config, options, custodia=custodia)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/ca.py", line 354, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/ca.py", line 390, in install_step_0
    custodia.get_ca_keys(
  File "/usr/lib/python3.11/site-packages/ipaserver/install/custodiainstance.py", line 296, in get_ca_keys
    self._get_keys(cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/custodiainstance.py", line 262, in _get_keys
    value = cli.fetch_key(os.path.join(prefix, nickname), False)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipaserver/secrets/client.py", line 123, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python3.11/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)

although the replica is installed without a CA.


The following lines: https://pagure.io/freeipa/blob/2a95a05f9e2b965d0a5f5946d59f614d8baea8e2/f/ipaserver/install/server/replicainstall.py#_1361-1366

should probably be executed if options.setup_ca and ca_enabled instead of if ca_enabled

Metadata Update from @rcritten:
- Issue assigned to rcritten

a year ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-21809

a year ago

master:

  • 3645543 Server affinity: Don't rely just on [ca|kra]_enabled for installs

ipa-4-11:

  • 851ce93 Server affinity: Don't rely just on [ca|kra]_enabled for installs

ipa-4-10:

  • a55f331 Server affinity: Don't rely just on [ca|kra]_enabled for installs

ipa-4-9:

  • 701339d Server affinity: Don't rely just on [ca|kra]_enabled for installs

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

The patch introduces a new issue: when a replica is installed without the CA role, the installer does not configure the tracking for ra-agent and the RA key is not imported.
See for instance in the nightly tests PR #3323 with the test fedora-latest/test_ipahealthcheck (report).

The code is highly misleading but the call to ca.install() is needed even when you don't need to install a CA clone, because it performs the retrieval of RA key + configuration of certmonger tracking req for it.

Metadata Update from @frenaud:
- Issue status updated to: Open (was: Closed)

a year ago

master:

  • e6014a5 Server affinity: call ca.install() if there is a CA in the topology

ipa-4-11:

  • 5dbb310 Server affinity: call ca.install() if there is a CA in the topology

ipa-4-10:

  • 03d0d3a Server affinity: call ca.install() if there is a CA in the topology

ipa-4-9:

  • b54d5c8 Server affinity: call ca.install() if there is a CA in the topology

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
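
The three guards discussed in this ticket, replayed against the failing scenario (replica1 installed from replica0, no CA requested). This is an added example, not FreeIPA code: `Peer`, `Options`, `ca_install` and the variant names are hypothetical, and gating the CA-key fetch on `setup_ca` inside `ca_install` for the last variant is an assumption of the model; the ticket only says when ca.install() is called.

```python
from dataclasses import dataclass

# Simplified model of the guard around ca.install(); not FreeIPA code.
# All names are hypothetical stand-ins.

@dataclass
class Options:
    setup_ca: bool      # was the replica asked to host a CA?

@dataclass
class Peer:
    name: str
    has_ca: bool        # only a CA server can serve the CA signing keys

def ca_install(peer, opts, gate_ca_keys):
    """Return the steps performed; raise on the 404 seen in the ticket."""
    steps = {"ra_key", "ra_tracking"}   # RA key import + certmonger tracking
    if opts.setup_ca or not gate_ca_keys:
        if not peer.has_ca:
            raise LookupError(f"404 Not Found: CA keys on {peer.name}")
        steps.add("ca_keys")
    return steps

# variant -> (when ca_install is called, whether the CA-key fetch is gated)
VARIANTS = {
    "original":  (lambda ca_enabled, o: ca_enabled, False),
    "first_fix": (lambda ca_enabled, o: o.setup_ca and ca_enabled, False),
    "final":     (lambda ca_enabled, o: ca_enabled, True),  # gating: assumption
}

def outcome(variant, peer, opts, ca_enabled=True):
    """Sorted list of steps performed, or the error text if the install fails."""
    call, gated = VARIANTS[variant]
    if not call(ca_enabled, opts):
        return []                       # ca_install skipped entirely
    try:
        return sorted(ca_install(peer, opts, gated))
    except LookupError as exc:
        return str(exc)

# Constructed scenario from the ticket: replica1 enrolls against replica0.
replica0 = Peer("replica0.ipa.test", has_ca=False)
no_ca = Options(setup_ca=False)

if __name__ == "__main__":
    for name in VARIANTS:
        print(f"{name:9} -> {outcome(name, replica0, no_ca)}")
```

An empty list for `first_fix` is the regression reported after the first patch: no 404, but no RA key and no certmonger tracking either.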
