Bug 1442815
| Summary: | Replica install fails during migration from older IPA master | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Kaleem <ksiddiqu> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | edewata, jcholast, mbasti, nsoman, pvoborni, rcritten, slaznick, tscherf |
| Target Milestone: | rc | Keywords: | Regression, TestBlocker |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.0-10.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:48:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Created attachment 1272109 [details]
rhel74 replica pki debug
The failure is actually happening in IPA in CAInstance.import_ra_cert(). I'm moving this ticket to IPA.

Upstream ticket: https://pagure.io/freeipa/issue/6878

Fixed upstream
master: https://pagure.io/freeipa/c/6f0a622d83ee22ce712a380d1701cb1f383689e4
ipa-4-5: https://pagure.io/freeipa/c/3f70baf2a4811e3eee341aee6da99dfa80c092e6

```
:: [ 08:42:40 ] :: ipa-server-4.5.0-7.el7.x86_64
.. .....
:: [ BEGIN ] :: Running ' /usr/sbin/ipa-replica-install -U --setup-ca --setup-dns --forwarder=10.16.36.29 -w xxxxxxxxx -p xxxxxxxxx /opt/rhqa_ipa/replica-info-hp-dl380pgen8-02-vm-1.testrelm.test.gpg'
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: enabling ldapi
  [3/41]: configure autobind for root
  [4/41]: stopping directory server
  [5/41]: updating configuration in dse.ldif
  [6/41]: starting directory server
  [7/41]: adding default schema
  [8/41]: enabling memberof plugin
  [9/41]: enabling winsync plugin
  [10/41]: configuring replication version plugin
  [11/41]: enabling IPA enrollment plugin
  [12/41]: configuring uniqueness plugin
  [13/41]: configuring uuid plugin
  [14/41]: configuring modrdn plugin
  [15/41]: configuring DNS plugin
  [16/41]: enabling entryUSN plugin
  [17/41]: configuring lockout plugin
  [18/41]: configuring topology plugin
  [19/41]: creating indices
  [20/41]: enabling referential integrity plugin
  [21/41]: configuring certmap.conf
  [22/41]: configure new location for managed entries
  [23/41]: configure dirsrv ccache
  [24/41]: enabling SASL mapping fallback
  [25/41]: restarting directory server
  [26/41]: creating DS keytab
  [27/41]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 1 seconds elapsed
Update in progress, 2 seconds elapsed
Update in progress, 3 seconds elapsed
Update succeeded
  [28/41]: adding sasl mappings to the directory
  [29/41]: updating schema
  [30/41]: setting Auto Member configuration
  [31/41]: enabling S4U2Proxy delegation
  [32/41]: initializing group membership
  [33/41]: adding master entry
  [34/41]: initializing domain level
  [35/41]: configuring Posix uid/gid generation
  [36/41]: adding replication acis
  [37/41]: enabling compatibility plugin
  [38/41]: activating sidgen plugin
  [39/41]: activating extdom plugin
  [40/41]: tuning directory server
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: adding URL rewriting rules
  [8/22]: configuring httpd
  [9/22]: setting up httpd keytab
  [10/22]: retrieving anonymous keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
MARK-LWD-LOOP -- 2017-04-20 08:44:57 --
  [2/28]: exporting Dogtag certificate store pin
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: configure certmonger for renewals
  [10/28]: importing RA certificate from PKCS #12 file
  [11/28]: setting up signing cert profile
  [12/28]: setting audit signing renewal to 2 years
  [13/28]: restarting certificate server
  [14/28]: authorizing RA to modify profiles
  [15/28]: authorizing RA to manage lightweight CAs
  [16/28]: Ensure lightweight CAs container exists
  [17/28]: Ensuring backward compatibility
  [18/28]: configure certificate renewals
  [19/28]: configure Server-Cert certificate renewal
  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: migrating certificate profiles to LDAP
  [error] NetworkError: cannot connect to 'https://kvm-02-guest10.testrelm.test:8443/ca/rest/account/login': [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR cannot connect to 'https://kvm-02-guest10.testrelm.test:8443/ca/rest/account/login': [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
...
```

Fixed upstream
master:
https://pagure.io/freeipa/c/0d406fcb784924bfe685729f3156efb8c902b947
https://pagure.io/freeipa/c/92313c9e9d37733feb79d1b1c825178f48d6c69c
ipa-4-5:
https://pagure.io/freeipa/c/32981a0f9d0ff699e3d16da8f5a37c112871ba3a
https://pagure.io/freeipa/c/9de343987e6d76d2edeba372c73c1060657aef59

Verified.
IPA version: ipa-server-4.5.0-11.el7.x86_64

Please find the attached file for install console output.

Created attachment 1278906 [details]
beaker console output for replica install

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Created attachment 1272108 [details]
rhel69 master pki debug

Description of problem:
During Replica install on RHEL-7.4 from RHEL-6.9 master, pki instance creation fails with the following error message.

```
  [10/28]: importing RA certificate from PKCS #12 file
  [error] CalledProcessError: Command '/usr/bin/openssl pkcs12 -in /tmp/tmpmNC1Eiipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin pass:' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Command '/usr/bin/openssl pkcs12 -in /tmp/tmpmNC1Eiipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin pass:' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@hp-dl380pgen8-02-vm-7 ~]#
```

Version-Release number of selected component (if applicable):

6.9 master:
```
[root@kvm-guest-03 ~]# rpm -q pki-ca ipa-server
pki-ca-9.0.3-53.el6.noarch
ipa-server-3.0.0-51.el6.x86_64
[root@kvm-guest-03 ~]#
```

7.4 replica:
```
[root@hp-dl380pgen8-02-vm-7 ~]# rpm -q ipa-server pki-ca selinux-policy
ipa-server-4.5.0-6.el7.x86_64
pki-ca-10.4.1-1.el7.noarch
selinux-policy-3.13.1-142.el7.noarch
[root@hp-dl380pgen8-02-vm-7 ~]#
[root@hp-dl380pgen8-02-vm-7 ~]# getenforce
Permissive
[root@hp-dl380pgen8-02-vm-7 ~]# cat /var/log/audit/audit.log |audit2allow

#============= gssproxy_t ==============
allow gssproxy_t self:capability dac_override;

#============= tomcat_t ==============
allow tomcat_t user_tmp_t:file open;
[root@hp-dl380pgen8-02-vm-7 ~]#
```

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-6.9 master
2. Prepare replica gpg for RHEL-7.4 replica
3. Install replica on RHEL-7.4 using gpg file from step 2

Actual results:
Replica install fails

Expected results:
Replica install should be successful

Additional info:
Please find the attached pki debug log from Master and Replica
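As an added diagnostic example (not IPA's or the reporter's code): a POSIX shell script that reruns the installer's `openssl pkcs12` extraction from the error above against a constructed PKCS#12 file, plus a helper that reports whether the file opens with an empty passphrase or with one read from a pin file. The file names, the sample passphrase and the pin-file location are assumptions; only an `openssl` binary is required.

```shell
#!/bin/sh
# Added diagnostic example, not IPA's code. It reruns the step that failed in
# the description,
#   openssl pkcs12 -in ra.p12 -nocerts -nodes -out ra-agent.key -passin pass:
# against a constructed PKCS#12 file, and tells an empty-passphrase file
# apart from one that needs the passphrase kept in a pin file.
set -u

# extract_ra_key P12 PASSPHRASE OUTKEY: the installer's invocation; exit
# status is openssl's (non-zero when the MAC does not verify with PASSPHRASE).
extract_ra_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -out "$3" -passin "pass:$2" >/dev/null 2>&1
}

# p12_accepts_passphrase P12 PASSPHRASE: 0 if the file opens with PASSPHRASE.
p12_accepts_passphrase() {
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# make_sample_p12 DIR PASSPHRASE: build a throwaway self-signed key/cert
# (constructed test material, not real RA credentials) and print the .p12 path.
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-ra-agent" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" -name ipaCert \
    -out "$1/ra.p12" -passout "pass:$2" >/dev/null 2>&1
  printf '%s\n' "$1/ra.p12"
}

# diagnose_p12 P12 PINFILE: prints "empty", "pinfile" or "none" depending on
# which passphrase, if any, opens the file.
diagnose_p12() {
  if p12_accepts_passphrase "$1" ""; then
    echo empty
  elif [ -r "$2" ] && p12_accepts_passphrase "$1" "$(cat "$2")"; then
    echo pinfile
  else
    echo none
  fi
}

# Demo: a pin-protected ra.p12 fails with the installer's empty passphrase
# (non-zero exit status, as in the bug) but opens with the pin from the pin file.
work=$(mktemp -d)
p12=$(make_sample_p12 "$work" "sample-pin")
printf 'sample-pin' > "$work/pin.txt"
extract_ra_key "$p12" "" "$work/ra-agent.key" || echo "empty passphrase: openssl exit status $?"
echo "passphrase that opens $p12: $(diagnose_p12 "$p12" "$work/pin.txt")"
```

When run against the real `ra.p12` unpacked from a replica info file, the `diagnose_p12` result tells you whether the installer's empty `-passin pass:` can ever succeed before you start debugging the CA instance itself.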