The nightly test test_replication_layouts.py::TestLineTopologyWithoutCA::test_line_topology_without_ca is failing on the master branch. See for instance PR #3303 with the following logs and report:
test_replication_layouts.py::TestLineTopologyWithoutCA::test_line_topology_without_ca
self = <ipatests.test_integration.test_replication_layouts.TestLineTopologyWithoutCA object at 0x7ff4b968a3d0>

    def test_line_topology_without_ca(self):
>       tasks.install_topo('line', self.master, self.replicas, [], setup_replica_cas=False)

Test scenario:
- install master with CA and DNS
- install replica0 in 2 steps: ipa-client-install --server master.ipa.test [...] and ipa-replica-install (no CA, no DNS)
- install replica1 in 2 steps: ipa-client-install --server replica0.ipa.test [...] and ipa-replica-install (no CA, no DNS)
The installation of replica1 fails right after custodia is set up:
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
404 Client Error: Not Found for url: https://replica0.ipa.test/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.ZVM5xlXxZKeeCMbjMeQJOCNg5-pJBo7XNbauxa4kPY73Iy6UbbXB9ikUwlieKGxUYfbwSbtXs78KSUfl7p4vIaXItPP8V9NkmE8f0ejMtNY6xR3ZxuMqaA6Bm2q3nvgV7t5zRp94kkEsxZqut9h-pkM2kBv4Yn3EhbqZ7AQOzE8wNrt2R7qwDgfy6BvFmID216IwlIFirkPn9K3NAZgWOqL-CrbMC7CZWyUUbRt9hTFm2N0wOeXY6T--zn1Ewz2vu9IMCC9uuzO4XT-R9Zd_MR-t5KBr_FfKNHHwIty0j9LXqJH6CGp2g_ZBCin4K6W05bky23zCoOcPRd6cs9Adwg.jIremR6i9sG5vg5aiaNFkg.ROzu3Hp5fHBZnLCKTGtyMcbpxaholQVEyH7DRBJPI-YXtu9H-YsxGkh0bGAmkpQSpKhNqIGlghivenQ14MxGCkqrqTwO0nwpdYorbBs-28vNvdgXyOtspIY-ZI_kG9IkR8yf8hWBVxdHT1xECj3b6tPp1rxHmIm_aEiVM0ULYDloi1lTibEBUcg7JlgBRalWsXm-vng1CIwO2WZNy1sDGGIQnBpa96-8lpJjxNBxsc5RK9a1bChZWNOhG-Hg9-F-gJPHXdNd8zEBDz11xkk1Tn7dFDLpVZDNs1yH-y_AXNLFwq94TlrQP9HsABN-8NqtS_z4JbPzLw4hERoO0w7s71Mq6b3yB2nZ_K-U7wo7e24quRXRaTitV6KZP1W282-eGBrBNacZnZC9-XxKMDVO7lgmaOVFz7w8TcImHn6QYXcgnRQ1j8rimJoOZ1tqW5m-UQSSE2g8vwQCpkpAqCTkKMRLbRkWPnxxvRQGA8Uax80U0-RYPnM9D05yupL4CfP0RiOqiI6NFdKwNRDppRIrQreQzNitG_mCz2zx0vMbAHr21pzb7fyWaBQT-Omu_qajV1TzLmuBoCtw6NhIXTjz1T-JFIntN-ZO_zc5IPQc5_2fJ8ZTB4GfRRZa89JBxT4YcCpby_4ut54rl31_z3E79Q._mzmLJ17V7ZAj7vrv-FD_hvwBVdl05UFOlxlGfrVuRY
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Exit code: 1
The ipareplica-install.log file shows that the installer is trying to set up the CA:
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/__init__.py", line 599, in main
    replica_install(self)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/replicainstall.py", line 383, in decorated
    func(installer)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/replicainstall.py", line 1366, in install
    ca.install(False, config, options, custodia=custodia)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/ca.py", line 354, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/ca.py", line 390, in install_step_0
    custodia.get_ca_keys(
  File "/usr/lib/python3.11/site-packages/ipaserver/install/custodiainstance.py", line 296, in get_ca_keys
    self._get_keys(cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/custodiainstance.py", line 262, in _get_keys
    value = cli.fetch_key(os.path.join(prefix, nickname), False)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipaserver/secrets/client.py", line 123, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python3.11/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
although the replica is installed without a CA.
The following lines: https://pagure.io/freeipa/blob/2a95a05f9e2b965d0a5f5946d59f614d8baea8e2/f/ipaserver/install/server/replicainstall.py#_1361-1366
should probably be executed if options.setup_ca and ca_enabled instead of if ca_enabled
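Reading the failing request from the 404 line in the report above, as an added example that is not part of the original report or of FreeIPA's code: it splits the Custodia URL into the prefix and nickname that the traceback's `os.path.join(prefix, nickname)` produced and decodes only the JWE protected header, which shows that replica1 asked a CA-less server for the CA signing key. The helper name `describe_custodia_request` and the four placeholder token segments are assumptions made for this sketch.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: host, path and the first (header) token segment come from
# the 404 line in the report; the other four JWE segments are placeholders.
SAMPLE_URL = (
    "https://replica0.ipa.test/ipa/keys/ca/caSigningCert%20cert-pki-ca"
    "?type=kem&value="
    "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9"
    ".ENCRYPTED_KEY.IV.CIPHERTEXT.TAG"
)

KEYS_PREFIX = "/ipa/keys/"


def b64url_decode(segment):
    """Decode unpadded base64url as used by JOSE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def describe_custodia_request(url):
    """Summarise a failed Custodia key request without touching the ciphertext."""
    parts = urlsplit(url)
    if not parts.path.startswith(KEYS_PREFIX):
        raise ValueError("not a Custodia key URL: %r" % parts.path)
    query = parse_qs(parts.query)
    # "ca/caSigningCert cert-pki-ca" -> prefix "ca", nickname "caSigningCert ..."
    prefix, _, nickname = unquote(parts.path[len(KEYS_PREFIX):]).partition("/")
    info = {
        "server": parts.hostname,
        "prefix": prefix,
        "nickname": nickname,
        "type": query.get("type", [None])[0],
    }
    segments = query.get("value", [""])[0].split(".")
    if len(segments) == 5:  # JWE compact: header.key.iv.ciphertext.tag
        header = json.loads(b64url_decode(segments[0]))
        info["jwe_alg"] = header.get("alg")
        info["jwe_enc"] = header.get("enc")
    return info


if __name__ == "__main__":
    for field, val in describe_custodia_request(SAMPLE_URL).items():
        print("%-9s %s" % (field, val))
```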
Metadata Update from @rcritten: - Issue assigned to rcritten
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-21809
master:
ipa-4-11:
ipa-4-10:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
The patch introduces a new issue: when a replica is installed without the CA role, the installer does not configure the tracking for ra-agent and the RA key is not imported. See for instance in the nightly tests PR #3323 with the test fedora-latest/test_ipahealthcheck (report).
The code is highly misleading but the call to ca.install() is needed even when you don't need to install a CA clone, because it performs the retrieval of RA key + configuration of certmonger tracking req for it.
Metadata Update from @frenaud: - Issue status updated to: Open (was: Closed)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-21809, https://issues.redhat.com/browse/RHEL-22283 (was: https://issues.redhat.com/browse/RHEL-21809)