Bug 1438833

Summary: [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Nikhil Dehadrai <ndehadra>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: ksiddiqu, mreznik, ndehadra, pvoborni, rcritten, tkrizek, tmihinto, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-10.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1477178 (view as bug list) Environment:
Last Closed: 2017-08-01 09:47:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1477178    

Description Petr Vobornik 2017-04-04 13:53:01 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6838

ipa-replica-install fails in test scenario with 3 replicas returning:

```text
2017-03-30T12:18:09Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host/replica1.ipa.test for url: https://master.ipa.test/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.st5sUjSqgZ0YUXqSrRDB0jBMnT4tZDiau13OW1Tazfmz8vQKL5ngB41qr69CN1gHy3eiWqmJPK_f8MJsBcydxw61mifpoAVS9BvPm0-OTXppc7ihrwsnAso3lYL5KU4zsNUvZw3rDLhc22gLZyYqKzLDhH-EglRjjHxtfJ5dimPjEU9HXMv310gZt-D57_K0VWZt7lv-Vkb_3fppkNeLrm7wK82RcgsE680BFGdAq6DNiG1zrXcZVV0oR1alPpa7EJHey0HaqvGIX1dzYrCD2_-z2kO-20IFC1fePpItM6fynVUFJMk_u8aRNSB3ea2WMyetJNXrbB_rRKiCEjqGEg.b7W6VA-gFQ4pPJd06kKY1w.-41PkK511sCnRZ7w_StI9iVhfc5YB4grxndI-YkbwIivJ2ZZtHDhDlMtn-FjtDITMmECUBbrtopjvWcz688fNs93JVQ4W2sxmR96ETOQolnTqN693Xot3pZt0UZMPsbdSrIR1nQRiF03TfuJeGBjs1HlnZ36VhSpP1t8u_pagTLEGoRYrRPu9jMH6-T7C74_a1aEEL5gherssIWNNEchVPGlf16U-iCrBRdu2HRijzXMdIEmB-uGiTBjMtO8WhGOXq8hKdzGfpYi9d8E67qOAC6TOnoYVpe7eyPyhtQgAiPXK_m-T8Z8Y8v3LBEYp5ezFY2eZ4KXqyneNwsw1PsDHC7Eb5x-5IJOJBarb_L8d706kjPwdFSu9L0X47w9TTAK7QxPDCJclEl-Uft2GvZrgHTZtkaF3SOOmMh-Pjv5fq4M8-_gnBTP7ClyOUJufLXvPrdD20lq0DxARmmwith11d3QJ5Lt1Bj7HuCq9-29FuQxtWpPIIRA9IVIU3pfjtdzNJwCoP0H7SyewM4-q_WcwLR92r7qSF-94gd-f9NKnNGYiecOEy1gkdoM4DIOUo2uYAtbRyrrJMrKES_s2FYRnXUBsgKRnTBjZ-4sffjd4C1X72__AxtI2_ZHjzkW54fn5UPv5MumuakLNYaCG1yGqQ.HIaJTgkRi2Ii6ZKOFidJP8ZM3IQFgjZMZZ_Xnoz8gZ4
2017-03-30T12:18:09Z ERROR 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host/replica1.ipa.test for url: https://master.ipa.test/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.st5sUjSqgZ0YUXqSrRDB0jBMnT4tZDiau13OW1Tazfmz8vQKL5ngB41qr69CN1gHy3eiWqmJPK_f8MJsBcydxw61mifpoAVS9BvPm0-OTXppc7ihrwsnAso3lYL5KU4zsNUvZw3rDLhc22gLZyYqKzLDhH-EglRjjHxtfJ5dimPjEU9HXMv310gZt-D57_K0VWZt7lv-Vkb_3fppkNeLrm7wK82RcgsE680BFGdAq6DNiG1zrXcZVV0oR1alPpa7EJHey0HaqvGIX1dzYrCD2_-z2kO-20IFC1fePpItM6fynVUFJMk_u8aRNSB3ea2WMyetJNXrbB_rRKiCEjqGEg.b7W6VA-gFQ4pPJd06kKY1w.-41PkK511sCnRZ7w_StI9iVhfc5YB4grxndI-YkbwIivJ2ZZtHDhDlMtn-FjtDITMmECUBbrtopjvWcz688fNs93JVQ4W2sxmR96ETOQolnTqN693Xot3pZt0UZMPsbdSrIR1nQRiF03TfuJeGBjs1HlnZ36VhSpP1t8u_pagTLEGoRYrRPu9jMH6-T7C74_a1aEEL5gherssIWNNEchVPGlf16U-iCrBRdu2HRijzXMdIEmB-uGiTBjMtO8WhGOXq8hKdzGfpYi9d8E67qOAC6TOnoYVpe7eyPyhtQgAiPXK_m-T8Z8Y8v3LBEYp5ezFY2eZ4KXqyneNwsw1PsDHC7Eb5x-5IJOJBarb_L8d706kjPwdFSu9L0X47w9TTAK7QxPDCJclEl-Uft2GvZrgHTZtkaF3SOOmMh-Pjv5fq4M8-_gnBTP7ClyOUJufLXvPrdD20lq0DxARmmwith11d3QJ5Lt1Bj7HuCq9-29FuQxtWpPIIRA9IVIU3pfjtdzNJwCoP0H7SyewM4-q_WcwLR92r7qSF-94gd-f9NKnNGYiecOEy1gkdoM4DIOUo2uYAtbRyrrJMrKES_s2FYRnXUBsgKRnTBjZ-4sffjd4C1X72__AxtI2_ZHjzkW54fn5UPv5MumuakLNYaCG1yGqQ.HIaJTgkRi2Ii6ZKOFidJP8ZM3IQFgjZMZZ_Xnoz8gZ4
```

However in LDAP everything looks fine - 2 entries * 4 machines + dogtag container. Consulted with "cheimes" and looks like a race condition. 

```text
[root@replica1 ~]# rpm -qa | egrep "custodia|freeipa"
freeipa-server-common-4.5.90.dev201703290851+git67e5244-0.fc25.noarch
freeipa-server-trust-ad-4.5.90.dev201703290851+git67e5244-0.fc25.x86_64
freeipa-client-common-4.5.90.dev201703290851+git67e5244-0.fc25.noarch
freeipa-common-4.5.90.dev201703290851+git67e5244-0.fc25.noarch
custodia-0.3.1-1.fc25.noarch
freeipa-server-dns-4.5.90.dev201703290851+git67e5244-0.fc25.noarch
freeipa-python-compat-4.5.90.dev201703290851+git67e5244-0.fc25.noarch
freeipa-debuginfo-4.5.90.dev201703290851+git67e5244-0.fc25.x86_64
freeipa-client-4.5.90.dev201703290851+git67e5244-0.fc25.x86_64
python3-custodia-0.3.1-1.fc25.noarch
freeipa-server-4.5.90.dev201703290851+git67e5244-0.fc25.x86_64
python2-custodia-0.3.1-1.fc25.noarch
```
Comment 2 Petr Vobornik 2017-04-04 13:53:17 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6838
Comment 3 Tomas Krizek 2017-05-03 14:39:01 UTC 
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/5f8d1119fe38807e86930af50d3680e28efe68eb
master:
https://pagure.io/freeipa/c/1f9f84a66d6cf9391b91ee4a13ac0f1119212578
Comment 17 Nikhil Dehadrai 2017-06-12 10:36:46 UTC 
IPA: ipa-server-4.5.0-16.el7.x86_64

Tested that IPA-replica-install under race condition is successful.

I noticed that I am able to install 7 Replicas (Star TOPOLOGY) in this case and installation if IPA-Replica is successful in each case. 

Thus on the basis of above observations and comment#15 and comment#16, marking the status of bug to "VERIFIED".
Comment 18 errata-xmlrpc 2017-08-01 09:47:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304