IPA CA install fails on a replica (@pki/master) #4777

Closed
amore17 opened this issue Jun 11, 2024 · 4 comments

Comments

@amore17

amore17 commented Jun 11, 2024

The installation of a CA on a replica fails when the @pki/master copr repository is enabled.

The error can be seen in FreeIPA nightly tests, for instance in PR #freeipa-pr-ci2/freeipa#3739 with the test test_replica_ipa_ca_install. Link to report and to logs

Reproducer:
1. Install CA-less ipa-server and replica
2. Install CA on server using ipa-ca-install
3. Install CA on replica using ipa-ca-install

Version:
dogtag-pki-server-11.6.0-0.1.alpha1.20240608034429UTC.52cfef99.fc39.noarch

DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557   [5/29]: configuring certificate server instance
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557 ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557 ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557 ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557   [error] RuntimeError: CA configuration failed.
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557 CA configuration failed.
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557 
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557 Your system may be partly configured.
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557 Run /usr/sbin/ipa-server-install --uninstall to clean up.
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557 
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:217 Exit code: 1
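
As an added example (not code from the issue, FreeIPA or Dogtag), a small parser for the pytest-ipa transport log format quoted above: it strips the transport.py prefix, keeps the last "[n/29]" step that started, and collects the CRITICAL messages, the "[error]" line and the exit code, so the failing step and the log directory the installer points at can be pulled out of a long CI log. The sample lines are constructed in the shape of the quoted excerpt.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the ipatests integration log quoted above.
SAMPLE_LOG = """\
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557   [5/29]: configuring certificate server instance
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557 ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557 ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:557   [error] RuntimeError: CA configuration failed.
DEBUG    ipatests.pytest_ipa.integration.host.Host.replica0.cmd133:transport.py:217 Exit code: 1
"""

# "DEBUG <logger>:transport.py:<line> <line as printed by the remote command>"
PREFIX_RE = re.compile(r"^DEBUG\s+(?P<logger>[^\s:]+):transport\.py:\d+\s?(?P<msg>.*)$")
STEP_RE = re.compile(r"^\s*\[(?P<n>\d+)/(?P<total>\d+)\]:\s*(?P<name>.+?)\s*$")
CRIT_RE = re.compile(r"^\S+: CRITICAL\s+(?P<text>.*?)\s*$")
ERR_RE = re.compile(r"^\s*\[error\]\s+(?P<text>.*?)\s*$")
EXIT_RE = re.compile(r"^Exit code:\s*(?P<code>\d+)\s*$")


@dataclass
class InstallSummary:
    host: str = ""                      # e.g. "replica0", taken from the logger name
    last_step: tuple = ()               # (n, total, name) of the last step that started
    critical: list = field(default_factory=list)  # CRITICAL messages, prefix stripped
    error: str = ""                     # the "[error] ..." line, if any
    exit_code: int = -1                 # -1 if no "Exit code:" line was seen

    def failed(self) -> bool:
        return bool(self.error) or self.exit_code not in (-1, 0)


def summarize_install_log(text: str) -> InstallSummary:
    """Reduce a pytest-ipa transport log to where the install stopped and why."""
    s = InstallSummary()
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue  # not a transport.py DEBUG line
        parts = m["logger"].split(".")
        if not s.host and "Host" in parts[:-1]:
            s.host = parts[parts.index("Host") + 1]
        msg = m["msg"]
        if st := STEP_RE.match(msg):
            s.last_step = (int(st["n"]), int(st["total"]), st["name"])
        elif cr := CRIT_RE.match(msg):
            s.critical.append(cr["text"])
        elif er := ERR_RE.match(msg):
            s.error = er["text"]
        elif ex := EXIT_RE.match(msg):
            s.exit_code = int(ex["code"])
    return s
```

Paths in the CRITICAL list (here /var/log/pki/pki-tomcat) are where the installer says to look next; on a real CI log the same function runs over the whole transport output and only the transport.py lines are considered.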
@edewata
Contributor

edewata commented Jun 19, 2024

@fmarco76 The failure happened when it was calling /ca/admin/ca/updateNumberRange, so maybe it's the same as #4773.

@fmarco76
Member

fmarco76 commented Jun 20, 2024

@amore17 I have tried to reproduce this scenario, but in my case it works. The CA gets correctly installed in the replica.

$ docker exec ipa-replica ipa-ca-install -p Secret.123
Running ipa-certupdate...done
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: creating certificate server db
  [2/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [3/29]: creating ACIs for admin
  [4/29]: creating installation admin user
  [5/29]: configuring certificate server instance
  [6/29]: stopping certificate server instance to update CS.cfg
  [7/29]: backing up CS.cfg
  [8/29]: Add ipa-pki-wait-running
  [9/29]: secure AJP connector
  [10/29]: reindex attributes
  [11/29]: exporting Dogtag certificate store pin
  [12/29]: disabling nonces
  [13/29]: set up CRL publishing
  [14/29]: enable PKIX certificate path discovery and validation
  [15/29]: authorizing RA to modify profiles
  [16/29]: authorizing RA to manage lightweight CAs
  [17/29]: Ensure lightweight CAs container exists
  [18/29]: Enable lightweight CA monitor
  [19/29]: Ensuring backward compatibility
  [20/29]: destroying installation admin user
  [21/29]: starting certificate server instance
  [22/29]: Finalize replication settings
  [23/29]: configure certificate renewals
  [24/29]: Configure HTTP to proxy connections
  [25/29]: updating IPA configuration
  [26/29]: enabling CA instance
  [27/29]: importing IPA certificate profiles
  [28/29]: configuring certmonger renewal for lightweight CAs
  [29/29]: deploying ACME service

I have also tried to run the updateNumberRange command in the master and it works:

# pki  -U https://ipa.example.com:8443 --ignore-banner ca-range-request request --session 8773955912448944324 --output-format json
{
  "begin" : "9940001",
  "end" : "9950000"
}

Could you provide the exact command to reproduce this error?

I have tested on F 40 containers with the following packages:

[root@ipa ~]# rpm -qa|grep ipa
freeipa-healthcheck-core-0.16-5.fc40.noarch
freeipa-client-common-4.13.0.dev202406171852+git-0.fc40.noarch
libipa_hbac-2.9.5-1.fc40.x86_64
python3-libipa_hbac-2.9.5-1.fc40.x86_64
sssd-ipa-2.9.5-1.fc40.x86_64
freeipa-server-common-4.13.0.dev202406171852+git-0.fc40.noarch
freeipa-selinux-4.13.0.dev202406171852+git-0.fc40.noarch
freeipa-common-4.13.0.dev202406171852+git-0.fc40.noarch
python3-ipalib-4.13.0.dev202406171852+git-0.fc40.noarch
python3-ipaclient-4.13.0.dev202406171852+git-0.fc40.noarch
python3-ipaserver-4.13.0.dev202406171852+git-0.fc40.noarch
freeipa-client-4.13.0.dev202406171852+git-0.fc40.x86_64
freeipa-server-4.13.0.dev202406171852+git-0.fc40.x86_64
freeipa-server-dns-4.13.0.dev202406171852+git-0.fc40.noarch
freeipa-healthcheck-0.16-5.fc40.noarch
python3-ipatests-4.13.0.dev202406171852+git-0.fc40.noarch
[root@ipa ~]# rpm -qa|grep pki
pki-resteasy-jackson2-provider-3.0.26-31.fc40.noarch
pki-resteasy-core-3.0.26-31.fc40.noarch
pki-resteasy-client-3.0.26-31.fc40.noarch
pki-resteasy-servlet-initializer-3.0.26-31.fc40.noarch
python3-dogtag-pki-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-base-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-java-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-tools-11.6.0-0.1.alpha1.fc40.x86_64
dogtag-pki-server-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-acme-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-ca-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-est-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-kra-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-ocsp-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-tks-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-tps-11.6.0-0.1.alpha1.fc40.noarch
pki-debugsource-11.6.0-0.1.alpha1.fc40.x86_64
dogtag-pki-theme-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-tests-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-javadoc-11.6.0-0.1.alpha1.fc40.noarch
dogtag-pki-11.6.0-0.1.alpha1.fc40.x86_64
dogtag-pki-tools-debuginfo-11.6.0-0.1.alpha1.fc40.x86_64
krb5-pkinit-1.21.2-5.fc40.x86_64

Dogtag is built from master branch.

@edewata
Contributor

edewata commented Nov 8, 2024

@amore17 Hi, is this issue still happening?

@flo-renaud

Not seen in our last run: freeipa-pr-ci2/freeipa#4166
