Bug 1403943
| Field | Value |
|---|---|
| Summary: | Replica install fails with failed to configure ca on "White spaces are required between publicId and systemId" |
| Product: | Red Hat Enterprise Linux 6 |
| Reporter: | Xiyang Dong <xdong> |
| Component: | pki-core |
| Assignee: | RHCS Maintainers <rhcs-maint> |
| Status: | CLOSED ERRATA |
| QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified |
| Docs Contact: | Petr Bokoc <pbokoc> |
| Priority: | unspecified |
| Version: | 6.9 |
| CC: | alee, edewata, jcholast, ksiddiqu, mharmsen, mkosek, nsoman, pbokoc, pvoborni, sumenon, tlavigne, xdong |
| Target Milestone: | rc |
| Keywords: | Regression, TestBlocker |
| Target Release: | --- |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Whiteboard: | |
| Fixed In Version: | pki-core-9.0.3-53.el6 |
| Doc Type: | Bug Fix |
| Doc Text: | IPA replica installation no longer fails due to malformed HTTP requests. A bug in _pki-core_ previously caused PKI to generate HTTP requests missing a *Host* header and using incorrect line delimiters during IPA replica installation. At the same time, an update to *httpd* caused these malformed requests to be rejected, even though they were accepted in previous versions, and as a result, IPA replica installations failed. This update to _pki-core_ fixes the problem in HTTP request generation, and replica installations now work as expected. |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | 2017-03-21 11:59:47 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Attachments: | |
Description
Xiyang Dong
2016-12-12 16:49:21 UTC
The SAXParseException indicates that the replica cannot parse master's response, possibly due to another error on the master, but it doesn't show the actual response (which would have helped troubleshooting). Could you attach the following files from the master?

* /var/log/pki-ca/debug
* /var/log/httpd/access_log-<YYYYMMDD>
* /var/log/httpd/error_log-<YYYYMMDD>

There's a possibility it's related to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1400421

I suppose this scenario has been well tested in RHEL 6.8. Is it possible to retest this scenario using PKI packages from RHEL 6.8 but everything else from RHEL 6.9? Thanks.

Created attachment 1231593 [details]: pki-core-9.0.3-bz1403943.patch

Assuming the problem is the same as in bug #1400421, I created a patch to add the missing server hostname in the HTTP request header.

A test build is available here: https://copr.devel.redhat.com/coprs/edewata/pki-rhel-6/build/6652/

Please retest with this build on RHEL 6.9. Thanks!

(In reply to Endi Sukma Dewata from comment #5)
> Created attachment 1231593 [details]
> pki-core-9.0.3-bz1403943.patch
>
> Assuming the problem is the same as in bug #1400421, I created a patch to
> add the missing server hostname in the HTTP request header.
>
> A test build is available here:
> https://copr.devel.redhat.com/coprs/edewata/pki-rhel-6/build/6652/
>
> Please retest with this build on RHEL 6.9. Thanks!

Retested and I still see the same failure.

Thanks Kaleem. Did you install the test build on both master and replica? Could you post the master's and replica's debug logs? You might need to set debug.level=0 in the CS.cfg as well. Thanks.

(In reply to Endi Sukma Dewata from comment #4)
> The SAXParseException indicates that the replica cannot parse master's
> response, possibly due to another error on the master, but it doesn't show
> the actual response (which would have helped troubleshooting). Could you
> attach the following files from the master?
> * /var/log/pki-ca/debug
> * /var/log/httpd/access_log-<YYYYMMDD>
> * /var/log/httpd/error_log-<YYYYMMDD>
>
> There's a possibility it's related to this bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1400421
>
> I suppose this scenario has been well tested in RHEL 6.8. Is it possible to
> retest this scenario using PKI packages from RHEL 6.8 but everything else
> from RHEL 6.9? Thanks.

Attached logs from master.

Created attachment 1231726 [details]: pki_ca_debug_master

Created attachment 1231734 [details]: http_access_log

Created attachment 1231742 [details]: http_error_log
Thanks Xiyang. According to the HTTP logs the following operations are rejected due to missing hostnames, just like in bug #1400421:

    10.16.96.30 - - [13/Dec/2016:09:54:28 -0500] "POST /ca/admin/ca/getStatus HTTP/1.0" 400 313
    10.16.96.30 - - [13/Dec/2016:09:54:28 -0500] "POST /ca/admin/ca/getCertChain HTTP/1.0" 400 313

    [Tue Dec 13 09:54:28 2016] [error] Hostname mgmt3.testrelm.test provided via SNI, but no hostname provided in HTTP request
    [Tue Dec 13 09:54:28 2016] [error] Hostname mgmt3.testrelm.test provided via SNI, but no hostname provided in HTTP request

The test build in comment #5 was supposed to fix these issues already. Are you and Kaleem testing on the same machines? Could you confirm that the build is installed on the replica?

If you're installing the replica again, please before that set debug.level=0 in /usr/share/pki/ca/conf/CS.cfg on the replica so we can get more debugging info. Thanks.

Hi Endi, I applied the patch to both server and replica but I am still seeing the same failure, with a different pki-ca debug log on the replica which I attached below. And I changed debug.level=10.

Created attachment 1232212 [details]: pki_ca_debug_replica_patched
Thanks. Before the patch the execution failed in SecurityDomainPanel. After the patch it went further and failed in RestoreKeyCertPanel. The patch should have added the missing hostname for this panel too, so I think we're looking at a different issue.

The problem is we're still not seeing the debug logs needed to investigate the problem. The logs should have shown the HTTP response that causes the SAXParseException. Could you make sure the debug.level=0 is set in /usr/share/pki/ca/conf/CS.cfg instead of /etc/pki-ca/CS.cfg on the replica? And that has to be done before running the replica installation because it will use whatever is defined in /usr/share/pki/ca/conf/CS.cfg for the whole installation. On the master it can be set in /etc/pki-ca/CS.cfg after the master installation is done (since we're not investigating master installation). Please attach both master and replica logs. Thanks.

Thanks, I attached the logs below, please check.

Created attachment 1232292 [details]: master_logs

Created attachment 1232293 [details]: replica_logs
Thanks for the logs. Apparently there are more locations with the same problem (missing hostname). I've created a new test build to fix that: https://copr.devel.redhat.com/coprs/edewata/pki-rhel-6/build/6690/

Please retest as follows:

1. Install the test build on master and replica.
2. On the master please make sure the debug.level in /etc/pki-ca/CS.cfg (not /usr/share/pki/ca/conf/CS.cfg) is set to 0 and restart the server. The debug logs in comment #17 did not show much information.
3. On the replica there's no need to change the debug.level since I've changed the default to 0 in this test build.
4. Rerun the replica installation.

If it's still failing, please attach the new logs from master and replica. Thanks!

This patch fixes the issue:

    [root@auto-hv-01-guest02 ~]# rpm -q pki-ca
    pki-ca-9.0.3-51.2.el6_8.noarch
    [root@auto-hv-01-guest02 ~]# ipa-replica-install -U --setup-ca --setup-dns --forwarder=$DNSFORWARD -w $ADMINPW -p $ADMINPW /opt/rhqa_ipa/replica-info-auto-hv-01-guest02.testrelm.test.gpg
    Run connection check to master
    Check connection from replica to remote master 'mgmt3.testrelm.test':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    The following list of ports use UDP protocol and would need to be checked manually:
       Kerberos KDC: UDP (88): SKIPPED
       Kerberos Kpasswd: UDP (464): SKIPPED

    Connection from replica to master is OK.
    Start listening on required ports for remote master check
    Get credentials to log in to remote master
    Execute check on remote master
    Check connection from master to remote replica 'auto-hv-01-guest02.testrelm.test':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos KDC: UDP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       Kerberos Kpasswd: UDP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    Connection from master to replica is OK.

    Connection check OK
    Configuring NTP daemon (ntpd)
      [1/4]: stopping ntpd
      [2/4]: writing configuration
      [3/4]: configuring ntpd to start on boot
      [4/4]: starting ntpd
    Done configuring NTP daemon (ntpd).
    Configuring directory server for the CA (pkids): Estimated time 30 seconds
      [1/3]: creating directory server user
      [2/3]: creating directory server instance
      [3/3]: restarting directory server
    Done configuring directory server for the CA (pkids).
    Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
      [1/17]: creating certificate server user
      [2/17]: creating pki-ca instance
      [3/17]: configuring certificate server instance
      [4/17]: disabling nonces
      [5/17]: creating RA agent certificate database
      [6/17]: importing CA chain to RA certificate database
      [7/17]: fixing RA database permissions
      [8/17]: setting up signing cert profile
      [9/17]: set up CRL publishing
      [10/17]: set certificate subject base
      [11/17]: enabling Subject Key Identifier
      [12/17]: setting audit signing renewal to 2 years
      [13/17]: configuring certificate server to start on boot
      [14/17]: configure certmonger for renewals
      [15/17]: configure clone certificate renewals
      [16/17]: configure Server-Cert certificate renewal
      [17/17]: Configure HTTP to proxy connections
    Done configuring certificate server (pki-cad).
    Restarting the directory and certificate servers
    Configuring directory server (dirsrv): Estimated time 1 minute
      [1/31]: creating directory server user
      [2/31]: creating directory server instance
      [3/31]: adding default schema
      [4/31]: enabling memberof plugin
      [5/31]: enabling winsync plugin
      [6/31]: configuring replication version plugin
      [7/31]: enabling IPA enrollment plugin
      [8/31]: enabling ldapi
      [9/31]: disabling betxn plugins
      [10/31]: configuring uniqueness plugin
      [11/31]: configuring uuid plugin
      [12/31]: configuring modrdn plugin
      [13/31]: enabling entryUSN plugin
      [14/31]: configuring lockout plugin
      [15/31]: creating indices
      [16/31]: enabling referential integrity plugin
      [17/31]: configuring ssl for ds instance
      [18/31]: configuring certmap.conf
      [19/31]: configure autobind for root
      [20/31]: configure new location for managed entries
      [21/31]: restarting directory server
      [22/31]: setting up initial replication
    Starting replication, please wait until this has completed.
    Update in progress
    Update in progress
    Update in progress
    Update succeeded
      [23/31]: adding replication acis
      [24/31]: setting Auto Member configuration
      [25/31]: enabling S4U2Proxy delegation
      [26/31]: initializing group membership
      [27/31]: adding master entry
      [28/31]: configuring Posix uid/gid generation
      [29/31]: enabling compatibility plugin
      [30/31]: tuning directory server
      [31/31]: configuring directory to start on boot
    Done configuring directory server (dirsrv).
    Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
      [1/9]: adding sasl mappings to the directory
      [2/9]: writing stash file from DS
      [3/9]: configuring KDC
      [4/9]: creating a keytab for the directory
      [5/9]: creating a keytab for the machine
      [6/9]: adding the password extension to the directory
      [7/9]: enable GSSAPI for replication
      [8/9]: starting the KDC
      [9/9]: configuring KDC to start on boot
    Done configuring Kerberos KDC (krb5kdc).
    Configuring kadmin
      [1/2]: starting kadmin
      [2/2]: configuring kadmin to start on boot
    Done configuring kadmin.
    Configuring ipa_memcached
      [1/2]: starting ipa_memcached
      [2/2]: configuring ipa_memcached to start on boot
    Done configuring ipa_memcached.
    Configuring the web interface (httpd): Estimated time 1 minute
      [1/13]: setting mod_nss port to 443
      [2/13]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
      [3/13]: setting mod_nss password file
      [4/13]: enabling mod_nss renegotiate
      [5/13]: adding URL rewriting rules
      [6/13]: configuring httpd
      [7/13]: setting up ssl
      [8/13]: publish CA cert
      [9/13]: creating a keytab for httpd
      [10/13]: clean up any existing httpd ccache
      [11/13]: configuring SELinux for httpd
      [12/13]: restarting httpd
      [13/13]: configuring httpd to start on boot
    Done configuring the web interface (httpd).
    Applying LDAP updates
    Restarting the directory server
    Restarting the KDC
    Using reverse zone 96.16.10.in-addr.arpa.
    Configuring DNS (named)
      [1/8]: adding NS record to the zone
      [2/8]: setting up reverse zone
      [3/8]: setting up our own record
      [4/8]: setting up kerberos principal
      [5/8]: setting up named.conf
      [6/8]: restarting named
      [7/8]: configuring named to start on boot
      [8/8]: changing resolv.conf to point to ourselves
    Done configuring DNS (named).

    Global DNS configuration in LDAP server is empty
    You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files

    Restarting the web server

Created attachment 1232783 [details]: pki-core-9.0.3-bz1403943.patch

Thanks Xiyang! Here is the final patch (replacing the old one). Matt, could you please take a look? Thanks!
Verified on pki-ca-9.0.3-52.el6:

    [root@auto-hv-01-guest02 ~]# ipa-replica-install -U --setup-ca --setup-dns --forwarder=$DNSFORWARD -w $ADMINPW -p $ADMINPW /opt/rhqa_ipa/replica-info-auto-hv-01-guest02.testrelm.test.gpg
    Run connection check to master
    Check connection from replica to remote master 'mgmt3.testrelm.test':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    The following list of ports use UDP protocol and would need to be checked manually:
       Kerberos KDC: UDP (88): SKIPPED
       Kerberos Kpasswd: UDP (464): SKIPPED

    Connection from replica to master is OK.
    Start listening on required ports for remote master check
    Get credentials to log in to remote master
    Execute check on remote master
    Check connection from master to remote replica 'auto-hv-01-guest02.testrelm.test':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos KDC: UDP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       Kerberos Kpasswd: UDP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    Connection from master to replica is OK.

    Connection check OK
    Configuring NTP daemon (ntpd)
      [1/4]: stopping ntpd
      [2/4]: writing configuration
      [3/4]: configuring ntpd to start on boot
      [4/4]: starting ntpd
    Done configuring NTP daemon (ntpd).
    Configuring directory server for the CA (pkids): Estimated time 30 seconds
      [1/3]: creating directory server user
      [2/3]: creating directory server instance
      [3/3]: restarting directory server
    Done configuring directory server for the CA (pkids).
    Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
      [1/17]: creating certificate server user
      [2/17]: creating pki-ca instance
      [3/17]: configuring certificate server instance
      [4/17]: disabling nonces
      [5/17]: creating RA agent certificate database
      [6/17]: importing CA chain to RA certificate database
      [7/17]: fixing RA database permissions
      [8/17]: setting up signing cert profile
      [9/17]: set up CRL publishing
      [10/17]: set certificate subject base
      [11/17]: enabling Subject Key Identifier
      [12/17]: setting audit signing renewal to 2 years
      [13/17]: configuring certificate server to start on boot
      [14/17]: configure certmonger for renewals
      [15/17]: configure clone certificate renewals
      [16/17]: configure Server-Cert certificate renewal
      [17/17]: Configure HTTP to proxy connections
    Done configuring certificate server (pki-cad).
    Restarting the directory and certificate servers
    Configuring directory server (dirsrv): Estimated time 1 minute
      [1/31]: creating directory server user
      [2/31]: creating directory server instance
      [3/31]: adding default schema
      [4/31]: enabling memberof plugin
      [5/31]: enabling winsync plugin
      [6/31]: configuring replication version plugin
      [7/31]: enabling IPA enrollment plugin
      [8/31]: enabling ldapi
      [9/31]: disabling betxn plugins
      [10/31]: configuring uniqueness plugin
      [11/31]: configuring uuid plugin
      [12/31]: configuring modrdn plugin
      [13/31]: enabling entryUSN plugin
      [14/31]: configuring lockout plugin
      [15/31]: creating indices
      [16/31]: enabling referential integrity plugin
      [17/31]: configuring ssl for ds instance
      [18/31]: configuring certmap.conf
      [19/31]: configure autobind for root
      [20/31]: configure new location for managed entries
      [21/31]: restarting directory server
      [22/31]: setting up initial replication
    Starting replication, please wait until this has completed.
    Update in progress
    Update in progress
    Update in progress
    Update succeeded
      [23/31]: adding replication acis
      [24/31]: setting Auto Member configuration
      [25/31]: enabling S4U2Proxy delegation
      [26/31]: initializing group membership
      [27/31]: adding master entry
      [28/31]: configuring Posix uid/gid generation
      [29/31]: enabling compatibility plugin
      [30/31]: tuning directory server
      [31/31]: configuring directory to start on boot
    Done configuring directory server (dirsrv).
    Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
      [1/9]: adding sasl mappings to the directory
      [2/9]: writing stash file from DS
      [3/9]: configuring KDC
      [4/9]: creating a keytab for the directory
      [5/9]: creating a keytab for the machine
      [6/9]: adding the password extension to the directory
      [7/9]: enable GSSAPI for replication
      [8/9]: starting the KDC
      [9/9]: configuring KDC to start on boot
    Done configuring Kerberos KDC (krb5kdc).
    Configuring kadmin
      [1/2]: starting kadmin
      [2/2]: configuring kadmin to start on boot
    Done configuring kadmin.
    Configuring ipa_memcached
      [1/2]: starting ipa_memcached
      [2/2]: configuring ipa_memcached to start on boot
    Done configuring ipa_memcached.
    Configuring the web interface (httpd): Estimated time 1 minute
      [1/13]: setting mod_nss port to 443
      [2/13]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
      [3/13]: setting mod_nss password file
      [4/13]: enabling mod_nss renegotiate
      [5/13]: adding URL rewriting rules
      [6/13]: configuring httpd
      [7/13]: setting up ssl
      [8/13]: publish CA cert
      [9/13]: creating a keytab for httpd
      [10/13]: clean up any existing httpd ccache
      [11/13]: configuring SELinux for httpd
      [12/13]: restarting httpd
      [13/13]: configuring httpd to start on boot
    Done configuring the web interface (httpd).
    Applying LDAP updates
    Restarting the directory server
    Restarting the KDC
    Using reverse zone 96.16.10.in-addr.arpa.
    Configuring DNS (named)
      [1/8]: adding NS record to the zone
      [2/8]: setting up reverse zone
      [3/8]: setting up our own record
      [4/8]: setting up kerberos principal
      [5/8]: setting up named.conf
      [6/8]: restarting named
      [7/8]: configuring named to start on boot
      [8/8]: changing resolv.conf to point to ourselves
    Done configuring DNS (named).

    Global DNS configuration in LDAP server is empty
    You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files

    Restarting the web server
    [root@auto-hv-01-guest02 ~]# ipactl status
    Directory Service: RUNNING
    KDC Service: RUNNING
    KPASSWD Service: RUNNING
    DNS Service: RUNNING
    MEMCACHE Service: RUNNING
    HTTP Service: RUNNING
    CA Service: RUNNING

Observations: Found that the replica installation on RHEL6.9 server fails at the below step, i.e. [3/17]:

    configuring certificate server instance
    ipa: CRITICAL failed to configure ca instance Command

Attaching the console log for reference and reopening the bug.

Tested using the below rpms on RHEL6.9:

    [root@replica ~]# rpm -qa | grep ipa-server
    ipa-server-selinux-3.0.0-51.el6.x86_64
    ipa-server-3.0.0-51.el6.x86_64
    sssd-krb5-common-1.13.3-52.el6.x86_64
    sssd-krb5-1.13.3-52.el6.x86_64
    sssd-client-1.13.3-52.el6.x86_64
    sssd-ad-1.13.3-52.el6.x86_64
    sssd-proxy-1.13.3-52.el6.x86_64
    sssd-1.13.3-52.el6.x86_64
    sssd-common-1.13.3-52.el6.x86_64
    sssd-ipa-1.13.3-52.el6.x86_64
    python-sssdconfig-1.13.3-52.el6.noarch
    sssd-ldap-1.13.3-52.el6.x86_64
    sssd-common-pac-1.13.3-52.el6.x86_64
    pki-ca-9.0.3-52.el6.noarch
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    389-ds-base-libs-1.2.11.15-88.el6.x86_64
    389-ds-base-1.2.11.15-88.el6.x86_64
    389-ds-base-debuginfo-1.2.11.15-85.el6.x86_64

Created attachment 1246627 [details]: Replica-Install Console Output

Created attachment 1246633 [details]: Replica install log
Sudhir, we need to see some additional logs. Could you do the following?

1. Clean up the failed replica installation or use a new machine.
2. On master set debug.level=0 in /etc/pki-ca/CS.cfg then restart the server.
3. On replica set debug.level=0 in /usr/share/pki/ca/conf/CS.cfg then start the installation.
4. Attach these log files from master:
   - /var/log/pki-ca/debug
   - /var/log/httpd/access_log-<YYYYMMDD>
   - /var/log/httpd/error_log-<YYYYMMDD>
5. Attach this log file from replica:
   - /var/log/pki-ca/debug

Thanks.

Have cleaned up the replica installation and tried the below steps. Please find the attached debug logs for your reference.

Created attachment 1246997 [details]: httpd access log

Created attachment 1246998 [details]: httpd error log

Created attachment 1246999 [details]: pki master log

Created attachment 1247000 [details]: pki replica log
Thanks Sudhir. Could you attach /var/log/pki-ca/catalina.out from both master and replica as well? Thanks.

Created attachment 1247365 [details]: Replica catalina.out

Created attachment 1247367 [details]: Master catalina.out
Thanks for the logs. Unfortunately it's still not very clear what is causing the latest problem. I have created a new test build that contains additional debugging logs and some possible fixes: https://copr.devel.redhat.com/coprs/edewata/pki-rhel-6/build/7687/

Please rerun the test with this build on both master and replica. If it's still failing please provide the same log files as above, or provide me access to both test machines. Thanks.

Hi Endi, I tried with the new build pki-ca-9.0.3-52.1.el6_8.noarch and attached logs.

Created attachment 1248098 [details]: pki_ca_debug.log

Created attachment 1248100 [details]: http_access_log

Created attachment 1248101 [details]: http_error_log

Created attachment 1248103 [details]: catalina.out

Created attachment 1248105 [details]: pki_ca_debug.log_replica

Created attachment 1248108 [details]: catalina.out_replica

Created attachment 1248111 [details]: replica-install.log
The problem seems to be triggered by the new HTTPD package in RHEL 6.9 which imposes more strict requirements for incoming HTTP requests (see bug #1412974). During IPA replica installation the PKI replica talks to the PKI master via the HTTPD proxy set up by IPA on the master. In RHEL 6.9 PKI is still using a custom (and outdated) HTTP client which sends out non-conforming HTTP requests, so the installation failed.

To fix this problem the HTTP client in PKI needs to be replaced or fixed to send the proper HTTP requests. In the meantime the failure could be avoided by downgrading the HTTPD package on the master to version 2.2.15-56.el6_8.3 (confirmed by Xiyang).

Xiyang, could you try the following test build with the latest HTTPD package on both master and replica? https://copr.devel.redhat.com/coprs/edewata/pki-rhel-6/build/7777/ Thanks.

Endi, replica install successful with latest httpd and pki-core build:

On master & replica:

    # rpm -qa|egrep "pki-|httpd"
    pki-util-9.0.3-52.2.el6_8.noarch
    pki-setup-9.0.3-52.2.el6_8.noarch
    pki-selinux-9.0.3-52.2.el6_8.noarch
    pki-symkey-9.0.3-52.2.el6_8.x86_64
    pki-java-tools-9.0.3-52.2.el6_8.noarch
    pki-common-9.0.3-52.2.el6_8.noarch
    pki-ca-9.0.3-52.2.el6_8.noarch
    ipa-pki-common-theme-9.0.3-7.el6.noarch
    httpd-tools-2.2.15-60.el6.x86_64
    pki-native-tools-9.0.3-52.2.el6_8.x86_64
    pki-silent-9.0.3-52.2.el6_8.noarch
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    httpd-2.2.15-60.el6.x86_64

On replica:

    # ipa-replica-install --setup-ca --setup-dns --forwarder=10.11.5.19 replica-info-dhcp207-171.testrelm.test.gpg
    Directory Manager (existing master) password:

    Run connection check to master
    Check connection from replica to remote master 'dhcp207-4.testrelm.test':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    The following list of ports use UDP protocol and would need to be checked manually:
       Kerberos KDC: UDP (88): SKIPPED
       Kerberos Kpasswd: UDP (464): SKIPPED

    Connection from replica to master is OK.
    Start listening on required ports for remote master check
    Get credentials to log in to remote master
    admin password:

    Execute check on remote master
    Check connection from master to remote replica 'dhcp207-171.testrelm.test':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos KDC: UDP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       Kerberos Kpasswd: UDP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    Connection from master to replica is OK.

    Connection check OK
    Configuring NTP daemon (ntpd)
      [1/4]: stopping ntpd
      [2/4]: writing configuration
      [3/4]: configuring ntpd to start on boot
      [4/4]: starting ntpd
    Done configuring NTP daemon (ntpd).
    Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
      [1/3]: creating directory server user
      [2/3]: creating directory server instance
      [3/3]: restarting directory server
    Done configuring directory server for the CA (pkids).
    Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
      [1/17]: creating certificate server user
      [2/17]: creating pki-ca instance
      [3/17]: configuring certificate server instance
      [4/17]: disabling nonces
      [5/17]: creating RA agent certificate database
      [6/17]: importing CA chain to RA certificate database
      [7/17]: fixing RA database permissions
      [8/17]: setting up signing cert profile
      [9/17]: set up CRL publishing
      [10/17]: set certificate subject base
      [11/17]: enabling Subject Key Identifier
      [12/17]: setting audit signing renewal to 2 years
      [13/17]: configuring certificate server to start on boot
      [14/17]: configure certmonger for renewals
      [15/17]: configure clone certificate renewals
      [16/17]: configure Server-Cert certificate renewal
      [17/17]: Configure HTTP to proxy connections
    Done configuring certificate server (pki-cad).
    Restarting the directory and certificate servers
    Configuring directory server (dirsrv): Estimated time 31 minutes
      [1/31]: creating directory server user
      [2/31]: creating directory server instance
      [3/31]: adding default schema
      [4/31]: enabling memberof plugin
      [5/31]: enabling winsync plugin
      [6/31]: configuring replication version plugin
      [7/31]: enabling IPA enrollment plugin
      [8/31]: enabling ldapi
      [9/31]: disabling betxn plugins
      [10/31]: configuring uniqueness plugin
      [11/31]: configuring uuid plugin
      [12/31]: configuring modrdn plugin
      [13/31]: enabling entryUSN plugin
      [14/31]: configuring lockout plugin
      [15/31]: creating indices
      [16/31]: enabling referential integrity plugin
      [17/31]: configuring ssl for ds instance
      [18/31]: configuring certmap.conf
      [19/31]: configure autobind for root
      [20/31]: configure new location for managed entries
      [21/31]: restarting directory server
      [22/31]: setting up initial replication
    Starting replication, please wait until this has completed.
    Update in progress
    Update in progress
    Update in progress
    Update in progress
    Update in progress
    Update succeeded
      [23/31]: adding replication acis
      [24/31]: setting Auto Member configuration
      [25/31]: enabling S4U2Proxy delegation
      [26/31]: initializing group membership
      [27/31]: adding master entry
      [28/31]: configuring Posix uid/gid generation
      [29/31]: enabling compatibility plugin
      [30/31]: tuning directory server
      [31/31]: configuring directory to start on boot
    Done configuring directory server (dirsrv).
    Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds
      [1/9]: adding sasl mappings to the directory
      [2/9]: writing stash file from DS
      [3/9]: configuring KDC
      [4/9]: creating a keytab for the directory
      [5/9]: creating a keytab for the machine
      [6/9]: adding the password extension to the directory
      [7/9]: enable GSSAPI for replication
      [8/9]: starting the KDC
      [9/9]: configuring KDC to start on boot
    Done configuring Kerberos KDC (krb5kdc).
    Configuring kadmin
      [1/2]: starting kadmin
      [2/2]: configuring kadmin to start on boot
    Done configuring kadmin.
    Configuring ipa_memcached
      [1/2]: starting ipa_memcached
      [2/2]: configuring ipa_memcached to start on boot
    Done configuring ipa_memcached.
    Configuring the web interface (httpd): Estimated time 31 minutes
      [1/13]: setting mod_nss port to 443
      [2/13]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
      [3/13]: setting mod_nss password file
      [4/13]: enabling mod_nss renegotiate
      [5/13]: adding URL rewriting rules
      [6/13]: configuring httpd
      [7/13]: setting up ssl
      [8/13]: publish CA cert
      [9/13]: creating a keytab for httpd
      [10/13]: clean up any existing httpd ccache
      [11/13]: configuring SELinux for httpd
      [12/13]: restarting httpd
      [13/13]: configuring httpd to start on boot
    Done configuring the web interface (httpd).
    Applying LDAP updates
    Restarting the directory server
    Restarting the KDC
    Using reverse zone 207.65.10.in-addr.arpa.
    Configuring DNS (named)
      [1/8]: adding NS record to the zone
      [2/8]: setting up reverse zone
      [3/8]: setting up our own record
      [4/8]: setting up kerberos principal
      [5/8]: setting up named.conf
      [6/8]: restarting named
      [7/8]: configuring named to start on boot
      [8/8]: changing resolv.conf to point to ourselves
    Done configuring DNS (named).

    Global DNS configuration in LDAP server is empty
    You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files

    Restarting the web server

Created attachment 1248634 [details]: pki-core-9.0.3-bz1403943-2.patch

Thanks, Xiyang! The pki-core-9.0.3-bz1403943-2.patch contains the additional changes required to work with the latest HTTPD. It should be applied on top of the previous pki-core-9.0.3-bz1403943.patch which fixed the missing Host headers. Alternatively, the patches can be merged into a single file.

Verified on pki-ca-9.0.3-53.el6:

    # rpm -qa|egrep "pki-|httpd|ipa-server"
    pki-symkey-9.0.3-53.el6.x86_64
    pki-java-tools-9.0.3-53.el6.noarch
    pki-util-9.0.3-53.el6.noarch
    pki-native-tools-9.0.3-53.el6.x86_64
    pki-common-9.0.3-53.el6.noarch
    pki-silent-9.0.3-53.el6.noarch
    ipa-server-3.0.0-51.el6.x86_64
    ipa-pki-common-theme-9.0.3-7.el6.noarch
    httpd-tools-2.2.15-60.el6.x86_64
    pki-selinux-9.0.3-53.el6.noarch
    pki-setup-9.0.3-53.el6.noarch
    pki-ca-9.0.3-53.el6.noarch
    ipa-server-selinux-3.0.0-51.el6.x86_64
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    httpd-2.2.15-60.el6.x86_64

    # ipa-replica-install --setup-ca --setup-dns --forwarder=10.11.5.19 replica-info-dhcp207-171.testrelm.test.gpg
    Directory Manager (existing master) password:

    Run connection check to master
    Check connection from replica to remote master 'dhcp207-4.testrelm.test':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    The following list of ports use UDP protocol and would need to be checked manually:
       Kerberos KDC: UDP (88): SKIPPED
       Kerberos Kpasswd: UDP (464): SKIPPED

    Connection from replica to master is OK.
    Start listening on required ports for remote master check
    Get credentials to log in to remote master
    admin password:

    Execute check on remote master
    Check connection from master to remote replica 'dhcp207-171.testrelm.test':
       Directory Service: Unsecure port (389): OK
       Directory Service: Secure port (636): OK
       Kerberos KDC: TCP (88): OK
       Kerberos KDC: UDP (88): OK
       Kerberos Kpasswd: TCP (464): OK
       Kerberos Kpasswd: UDP (464): OK
       HTTP Server: Unsecure port (80): OK
       HTTP Server: Secure port (443): OK
       PKI-CA: Directory Service port (7389): OK

    Connection from master to replica is OK.

    Connection check OK
    Configuring NTP daemon (ntpd)
      [1/4]: stopping ntpd
      [2/4]: writing configuration
      [3/4]: configuring ntpd to start on boot
      [4/4]: starting ntpd
    Done configuring NTP daemon (ntpd).
    Configuring directory server for the CA (pkids): Estimated time 30 minutes 30 seconds
      [1/3]: creating directory server user
      [2/3]: creating directory server instance
      [3/3]: restarting directory server
    Done configuring directory server for the CA (pkids).
    Configuring certificate server (pki-cad): Estimated time 33 minutes 30 seconds
      [1/17]: creating certificate server user
      [2/17]: creating pki-ca instance
      [3/17]: configuring certificate server instance
      [4/17]: disabling nonces
      [5/17]: creating RA agent certificate database
      [6/17]: importing CA chain to RA certificate database
      [7/17]: fixing RA database permissions
      [8/17]: setting up signing cert profile
      [9/17]: set up CRL publishing
      [10/17]: set certificate subject base
      [11/17]: enabling Subject Key Identifier
      [12/17]: setting audit signing renewal to 2 years
      [13/17]: configuring certificate server to start on boot
      [14/17]: configure certmonger for renewals
      [15/17]: configure clone certificate renewals
      [16/17]: configure Server-Cert certificate renewal
      [17/17]: Configure HTTP to proxy connections
    Done configuring certificate server (pki-cad).
    Restarting the directory and certificate servers
    Configuring directory server (dirsrv): Estimated time 31 minutes
      [1/31]: creating directory server user
      [2/31]: creating directory server instance
      [3/31]: adding default schema
      [4/31]: enabling memberof plugin
      [5/31]: enabling winsync plugin
      [6/31]: configuring replication version plugin
      [7/31]: enabling IPA enrollment plugin
      [8/31]: enabling ldapi
      [9/31]: disabling betxn plugins
      [10/31]: configuring uniqueness plugin
      [11/31]: configuring uuid plugin
      [12/31]: configuring modrdn plugin
      [13/31]: enabling entryUSN plugin
      [14/31]: configuring lockout plugin
      [15/31]: creating indices
      [16/31]: enabling referential integrity plugin
      [17/31]: configuring ssl for ds instance
      [18/31]: configuring certmap.conf
      [19/31]: configure autobind for root
      [20/31]: configure new location for managed entries
      [21/31]: restarting directory server
      [22/31]: setting up initial replication
    Starting replication, please wait until this has completed.
Update in progress Update in progress Update in progress Update in progress Update in progress Update succeeded [23/31]: adding replication acis [24/31]: setting Auto Member configuration [25/31]: enabling S4U2Proxy delegation [26/31]: initializing group membership [27/31]: adding master entry [28/31]: configuring Posix uid/gid generation [29/31]: enabling compatibility plugin [30/31]: tuning directory server [31/31]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc): Estimated time 30 minutes 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication [8/9]: starting the KDC [9/9]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring the web interface (httpd): Estimated time 31 minutes [1/13]: setting mod_nss port to 443 [2/13]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [3/13]: setting mod_nss password file [4/13]: enabling mod_nss renegotiate [5/13]: adding URL rewriting rules [6/13]: configuring httpd [7/13]: setting up ssl [8/13]: publish CA cert [9/13]: creating a keytab for httpd [10/13]: clean up any existing httpd ccache [11/13]: configuring SELinux for httpd [12/13]: restarting httpd [13/13]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Restarting the directory server Restarting the KDC Using reverse zone 207.65.10.in-addr.arpa. 
Configuring DNS (named) [1/8]: adding NS record to the zone [2/8]: setting up reverse zone [3/8]: setting up our own record [4/8]: setting up kerberos principal [5/8]: setting up named.conf [6/8]: restarting named [7/8]: configuring named to start on boot [8/8]: changing resolv.conf to point to ourselves Done configuring DNS (named). Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server # Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0802.html |
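The thread above says the first patch fixed requests that were missing a Host header and the second made them acceptable to the updated httpd, but neither the pki-core request code nor the patches are reproduced on the page. The following is an added example, not code from pki-core, IPA or this bug report: a raw HTTP/1.1 request builder beside a strict validator that applies two checks a modern httpd enforces before routing a request, CRLF line terminators and exactly one Host header on every HTTP/1.1 request. The builder can reproduce the malformed shape (bare LF, no Host) next to the corrected one so the two failures can be told apart. The target host name and the URL path are constructed placeholders, not the real pki-ca endpoint, and the validator is a simplified model of httpd's parser, not its actual code.

```python
"""Added example (not pki-core's code): build raw HTTP/1.1 requests and
check them the way a strict httpd does before routing them.

Assumptions (not from the bug report): TARGET_HOST and TARGET_PATH are
constructed placeholders; validate_request() models only the checks
relevant here (CRLF delimiters, request line, mandatory Host header)."""

TARGET_HOST = "dhcp207-4.testrelm.test"   # constructed sample host
TARGET_PATH = "/ca/example"               # hypothetical path, not the real one


def build_request(method, path, host, body=b"", headers=None,
                  delimiter=b"\r\n", include_host=True):
    """Serialize a raw HTTP/1.1 request.

    `delimiter` and `include_host` exist only so the broken shape can be
    produced next to the correct one; a real client must always use CRLF
    and always send Host on HTTP/1.1.
    """
    lines = [b"%s %s HTTP/1.1" % (method.encode(), path.encode())]
    if include_host:
        lines.append(b"Host: " + host.encode())
    for name, value in (headers or {}).items():
        lines.append(b"%s: %s" % (name.encode(), value.encode()))
    if body:
        lines.append(b"Content-Length: %d" % len(body))
    # Header block, blank line, then the body.
    return delimiter.join(lines) + delimiter + delimiter + body


def validate_request(raw):
    """Return (ok, reason) for a raw request.

    Each (False, reason) is a case where a strict server answers
    400 Bad Request instead of routing the request to the application.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "header block not terminated by CRLF CRLF"
    # A bare LF anywhere in the header block means the wrong delimiter
    # was used; strict parsers refuse it rather than guessing.
    if b"\n" in head.replace(b"\r\n", b""):
        return False, "bare LF used as line delimiter"
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return False, "malformed request line"
    version = parts[2]
    for line in lines[1:]:
        # Each header is "name: value"; leading whitespace (obsolete
        # line folding) is rejected as well.
        if b":" not in line or line[:1].isspace():
            return False, "malformed header line: %r" % line
    hosts = [l for l in lines[1:] if l.lower().startswith(b"host:")]
    # Host is mandatory only for HTTP/1.1; an HTTP/1.0 request may omit it.
    if version == b"HTTP/1.1" and len(hosts) != 1:
        return False, "HTTP/1.1 request must carry exactly one Host header"
    return True, "ok"


# Constructed sample requests: the broken shape, the Host-only fix, the full fix.
BAD = build_request("POST", TARGET_PATH, TARGET_HOST, body=b"x=1",
                    delimiter=b"\n", include_host=False)
NO_HOST = build_request("POST", TARGET_PATH, TARGET_HOST, body=b"x=1",
                        include_host=False)
GOOD = build_request("POST", TARGET_PATH, TARGET_HOST, body=b"x=1")

if __name__ == "__main__":
    for label, req in (("bare LF, no Host", BAD),
                       ("CRLF, no Host", NO_HOST),
                       ("CRLF + Host", GOOD)):
        print("%-18s %s" % (label, validate_request(req)))
```

The point of keeping `NO_HOST` separate is that fixing only the Host header (the first patch) still leaves the request rejected by a parser that refuses bare LF, which matches the thread's account of needing a second patch for the newer httpd.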