Bug 1449189

Summary: ipa-kra-install timeouts on replica
Product: Red Hat Enterprise Linux 7
Reporter: Petr Vobornik <pvoborni>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Abhijeet Kasurde <akasurde>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: dkupka, jcholast, ksiddiqu, mbabinsk, mbasti, pvoborni, pvomacka, rcritten, tscherf
Target Milestone: rc
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.5.0-18.el7
Doc Type: If docs needed, set a value
Last Closed: 2017-08-01 09:50:15 UTC
Bug Depends On: 1457106
Attachments: console.log (flags: none)

Description Petr Vobornik 2017-05-09 11:52:19 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6934

ipa-kra-install fails on a replica

To reproduce:
1. install ipa server with CA
2. run ipa-kra-install on the ipa server
3. create a replica with CA: ipa-client-install then ipa-replica-install --setup-ca
4. run ipa-kra-install on the replica

Output of ipa-kra-install on the replica:

    $ sudo ipa-kra-install
    Directory Manager password: 
    
    
    ===================================================================
    This program will setup Dogtag KRA for the FreeIPA Server.
    
    
    Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
    
    Your system may be partly configured.
    If you run into issues, you may have to re-install IPA on this server.
    
    Timed out trying to obtain keys.
    The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

Content of ipaserver-kra-install.log:

    2017-05-05T14:29:29Z INFO Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
    2017-05-05T14:29:29Z DEBUG Transient error getting keys: 'Incorrect number of results (2) searching forpublic key for ipareplica.domain.com'
    2017-05-05T14:34:30Z ERROR
    Your system may be partly configured.
    If you run into issues, you may have to re-install IPA on this server.
    
    2017-05-05T14:34:30Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 207, in run
        kra.install(api, config, self.options)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/kra.py", line 93, in install
        replica_config.dirman_password)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 217, in get_kra_keys
        self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 156, in __get_keys
        self.__wait_keys(ca_host)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 144, in __wait_keys
        raise RuntimeError("Timed out trying to obtain keys.")
    
    2017-05-05T14:34:30Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: Timed out trying to obtain keys.
    2017-05-05T14:34:30Z ERROR Timed out trying to obtain keys.
    2017-05-05T14:34:30Z ERROR The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information


The issue happens because the code is looking for exactly one entry with cn=enc/ipareplica below cn=custodia,cn=ipa,cn=etc,dc=domain,dc=com but 2 are found (one directly below cn=custodia, and one below cn=dogtag,cn=custodia)

Regression linked to Commit 1f9f84a
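
As an added illustration (not FreeIPA's own code, and not the actual upstream fix), the constructed directory layout below shows why a subtree search under cn=custodia matches two cn=enc/<host> entries, one directly below the container and one below cn=dogtag, while a one-level search returns only the intended key. The entry DNs, function names and the `scope` parameter are assumptions made for the example.

```python
# Added illustration (not FreeIPA code): why the installer's lookup of
# cn=enc/<host> under cn=custodia,cn=ipa,cn=etc finds two entries.
# All DNs below are constructed to mirror the bug description.

BASE = "cn=custodia,cn=ipa,cn=etc,dc=domain,dc=com"

# Constructed directory content: the replica's Custodia keys and the
# Dogtag-specific copies kept one level deeper under cn=dogtag.
ENTRIES = [
    "cn=enc/ipareplica.domain.com," + BASE,
    "cn=sig/ipareplica.domain.com," + BASE,
    "cn=enc/ipareplica.domain.com,cn=dogtag," + BASE,
    "cn=sig/ipareplica.domain.com,cn=dogtag," + BASE,
    "cn=enc/ipaserver.domain.com," + BASE,
]


def rdns(dn):
    """Split a DN into normalised RDNs (these DNs contain no escaped commas)."""
    return [r.strip().lower() for r in dn.split(",")]


def is_under(dn, base, onelevel):
    """True if dn lies below base; onelevel restricts to direct children."""
    d, b = rdns(dn), rdns(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return False
    return len(d) == len(b) + 1 if onelevel else True


def search_keys(entries, base, host, scope):
    """Return DNs whose leading RDN is cn=enc/<host>; scope is 'sub' or 'one'."""
    want = "cn=enc/" + host.lower()
    return [dn for dn in entries
            if rdns(dn)[0] == want and is_under(dn, base, scope == "one")]


def get_single_key(entries, base, host, scope):
    """Mimic the installer's 'exactly one result' contract from the log."""
    found = search_keys(entries, base, host, scope)
    if len(found) != 1:
        raise RuntimeError(
            "Incorrect number of results (%d) searching for public key for %s"
            % (len(found), host))
    return found[0]


if __name__ == "__main__":
    host = "ipareplica.domain.com"
    try:
        get_single_key(ENTRIES, BASE, host, "sub")   # the failing subtree lookup
    except RuntimeError as e:
        print("subtree search:", e)
    print("one-level search:", get_single_key(ENTRIES, BASE, host, "one"))
```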

Comment 2 Petr Vobornik 2017-05-09 11:52:33 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6934

Comment 3 Petr Vobornik 2017-05-09 11:54:26 UTC
Introduced by patch for bug 1438833  in ipa-4.5.0-10.el7

Comment 7 Abhijeet Kasurde 2017-05-31 08:31:41 UTC
Unable to install KRA on replica due to BZ#1457106. Will wait till this gets fixed.

Comment 8 Abhijeet Kasurde 2017-06-12 07:16:32 UTC
Marking BZ as FailedQA as I am able to reproduce the issue using :: ipa-4.5.0-16.el7 and SELinux Permissive and Enforcing mode.

Comment 10 David Kupka 2017-06-15 07:02:58 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7020

Comment 13 Abhijeet Kasurde 2017-06-22 06:44:58 UTC
Verified using IPA and SELinux-policy version ::
ipa-server-4.5.0-19.el7.x86_64
selinux-policy-3.13.1-164.el7.noarch


Marking BZ as verified. See attachment for console.log.

Comment 14 Abhijeet Kasurde 2017-06-22 06:45:18 UTC
Created attachment 1290517 [details]
console.log

Comment 15 errata-xmlrpc 2017-08-01 09:50:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304