Bug 1624755
Summary: | Re-installing replica on the same system displays 'WARNING: cannot check if port 443 is already configured' | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Sudhir Menon <sumenon> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.6 | CC: | cheimes, frenaud, ksiddiqu, lmiksik, ndehadra, pvoborni, rcritten, tscherf |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | ipa-4.6.4-9.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-10-30 11:00:22 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Attachments: | | | |

Description
Sudhir Menon
2018-09-03 08:31:19 UTC
Created attachment 1480466
Install logs
Also happened to see ACIError in the httpd error log file on replica.

```
[Mon Sep 03 14:21:25.040584 2018] [core:notice] [pid 16084] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Sep 03 14:21:25.041652 2018] [suexec:notice] [pid 16084] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Sep 03 14:21:25.262211 2018] [auth_digest:notice] [pid 16084] AH01757: generating secret for digest authentication ...
[Mon Sep 03 14:21:25.263242 2018] [lbmethod_heartbeat:notice] [pid 16084] AH02282: No slotmem from mod_heartmonitor
[Mon Sep 03 14:21:25.315501 2018] [mpm_prefork:notice] [pid 16084] AH00163: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Mon Sep 03 14:21:25.315530 2018] [core:notice] [pid 16084] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Sep 03 14:21:41.217823 2018] [:error] [pid 16094] ipa: INFO: *** PROCESS START ***
[Mon Sep 03 14:21:41.225163 2018] [:error] [pid 16095] ipa: INFO: *** PROCESS START ***
[Mon Sep 03 14:21:41.258522 2018] [:error] [pid 16093] ipa: INFO: *** PROCESS START ***
[Mon Sep 03 14:21:41.272261 2018] [:error] [pid 16092] ipa: INFO: *** PROCESS START ***
[Mon Sep 03 14:21:56.149355 2018] [auth_gssapi:error] [pid 16100] [client 10.65.206.145:48548] NO AUTH DATA Client did not send any authentication headers, referer: https://replica.thunderbird.test/ipa/xml
[Mon Sep 03 14:21:57.574717 2018] [:error] [pid 16094] ipa: INFO: [xmlserver] host/replica.thunderbird.test: cert_request(u'[base64 CSR omitted]', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/THUNDERBIRD.TEST', add=True, version=u'2.51'): ACIError
```

The failure is due to this:

```
2018-09-03T07:49:33Z DEBUG stderr=httpd: Syntax error on line 353 of /etc/httpd/conf/httpd.conf: Syntax error on line 214 of /etc/httpd/conf.d/nss.conf: Could not open configuration file /etc/httpd/conf.d/ipa-rewrite.conf: No such file or directory
```

It seems that the uninstaller does not remove the following line from the file /etc/httpd/conf.d/ssl.conf:

```
Include /etc/httpd/conf.d/ipa-rewrite.conf
```

Currently investigating why this happens...

Upstream ticket: https://pagure.io/freeipa/issue/7684

In case it would help somebody:

IPA uninstaller does not operate on content of nss.conf file from a perspective of removing lines. It simply takes a backup file which installers created from /var/lib/ipa/sysrestore and replaces the nss.conf file. So if this file was wrong then it will be also wrong after uninstallation.

A possible cause could be e.g. partially failed uninstallation in some of the previous installs, especially if the machine is reused.

E.g.:

```
# ls -1 /var/lib/ipa/sysrestore/
00bf45388a3b3de1-krb5kdc
03731651955e5e52-nss.conf
2501fbc16617b5c7-kdc.conf
8b9fb3583ff50195-named
917ef8bbd10d92ca-dirsrv
928f6a6e07d599ae-ntp.conf
ac2222a37a9c84dd-krb5.conf
b62b2a8ced1eec2d-hosts
ecd213292a48cc31-ntpd
efd7b28a7ff14c8d-dirsrv
fa9d034c0727715f-resolv.conf
fd3286c1e94d6417-named.conf
sysrestore.index
sysrestore.state

# cat sysrestore.index
[files]
917ef8bbd10d92ca-dirsrv = 33188,0,0,/etc/sysconfig/dirsrv
efd7b28a7ff14c8d-dirsrv = 33188,0,0,/etc/sysconfig/dirsrv
fa9d034c0727715f-resolv.conf = 33188,0,0,/etc/resolv.conf
fd3286c1e94d6417-named.conf = 33184,0,25,/etc/named.conf
00bf45388a3b3de1-krb5kdc = 33188,0,0,/etc/sysconfig/krb5kdc
03731651955e5e52-nss.conf = 33188,0,0,/etc/httpd/conf.d/nss.conf
8b9fb3583ff50195-named = 33188,0,0,/etc/sysconfig/named
2501fbc16617b5c7-kdc.conf = 33152,0,0,/var/kerberos/krb5kdc/kdc.conf
b62b2a8ced1eec2d-hosts = 33188,0,0,/etc/hosts
ac2222a37a9c84dd-krb5.conf = 33188,0,0,/etc/krb5.conf
```

So for investigation, it might be good to know what is the content of the file.

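A check that follows from the comment above, as an added example (not part of the bug thread and not FreeIPA code): since the uninstaller restores backups from /var/lib/ipa/sysrestore verbatim, this script reads `sysrestore.index` and flags any Apache backup whose `Include` target no longer exists. The function names, the `etc/httpd` ServerRoot default and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import configparser
import glob
import os
import re
import tempfile

# Apache "Include" (unlike IncludeOptional) aborts config parsing if the target is missing.
INCLUDE_RE = re.compile(r'^[ \t]*Include[ \t]+(\S+)', re.M)

def parse_index(text):
    """Map backup name -> original path; values are laid out as mode,uid,gid,path."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str              # keep backup names case-sensitive
    cp.read_string(text)
    return {name: val.split(",", 3)[3] for name, val in cp.items("files")}

def stale_includes(sysrestore_dir, root="/", server_root="etc/httpd"):
    """Return (backup, original, target) for Includes that would dangle after restore."""
    with open(os.path.join(sysrestore_dir, "sysrestore.index")) as fh:
        index = parse_index(fh.read())
    findings = []
    for backup, original in sorted(index.items()):
        backup_path = os.path.join(sysrestore_dir, backup)
        if not original.startswith("/etc/httpd/") or not os.path.isfile(backup_path):
            continue                  # only Apache config backups that actually exist
        with open(backup_path, errors="replace") as fh:
            for target in INCLUDE_RE.findall(fh.read()):
                target = target.strip('"\'')
                rel = target.lstrip("/") if target.startswith("/") else os.path.join(server_root, target)
                if not glob.glob(os.path.join(root, rel)):   # glob also covers wildcard Includes
                    findings.append((backup, original, target))
    return findings

def demo():
    """Constructed sample: a backed-up nss.conf that still includes ipa-rewrite.conf."""
    with tempfile.TemporaryDirectory() as root:
        store = os.path.join(root, "var/lib/ipa/sysrestore")
        os.makedirs(store)
        os.makedirs(os.path.join(root, "etc/httpd/conf.d"))
        with open(os.path.join(store, "sysrestore.index"), "w") as fh:
            fh.write("[files]\n"
                     "03731651955e5e52-nss.conf = 33188,0,0,/etc/httpd/conf.d/nss.conf\n"
                     "b62b2a8ced1eec2d-hosts = 33188,0,0,/etc/hosts\n")
        with open(os.path.join(store, "03731651955e5e52-nss.conf"), "w") as fh:
            fh.write("Listen 443\nInclude /etc/httpd/conf.d/ipa-rewrite.conf\n")
        return stale_includes(store, root=root)

if __name__ == "__main__":
    print(demo())
```

On a real host, `stale_includes("/var/lib/ipa/sysrestore")` run before `ipa-server-install --uninstall` shows whether the restore would put back a configuration that httpd cannot parse.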
Fixed upstream

master:
https://pagure.io/freeipa/c/6ad11d86d881880a4e7ada7932c2e0401dc2cda7
https://pagure.io/freeipa/c/b2ce20c6a7c8c046911d13b9ba5b73f9d5046a27

Fixed upstream

ipa-4-6:
https://pagure.io/freeipa/c/61661babc22ddcdef40b7ac47f69780189dd8e2b
https://pagure.io/freeipa/c/1f1b63f71337f724c415c93fdbc84d446807fbd1

ipa-4-7:
https://pagure.io/freeipa/c/e09a3e8ab456f258eef25fe936656b49f15a79e9
https://pagure.io/freeipa/c/cca3531e6ae425121611a862855adfab532989cd

Automation available in test_integration/test_uninstallation.py::TestUninstallBase::test_install_uninstall_replica

Version: ipa-server-4.6.4-10.el7.x86_64

Verified the bug on the basis of following steps/observations:

1. Install IPA server with integrated DNS
2. Setup replica against this IPA Master and ensure replica is setup without any errors
3. Now try removing the replication and uninstall IPA replica
    # (ON MASTER) ipa server-del <replica-hostname>
    # (ON REPLICA) ipa-server-install --uninstall -U
5. Now try installing replica again on the same system.
    #ipa-replica-install --principal admin --admin-password ***

Actual results:
------------------
1. After step5, Replica installation is successful
2. No 'ACIError' noticed under /var/log/httpd/error_log as mentioned in comment#4

Console output Replica:
---------------------------

```
[root@auto-hv-01-guest01 ~]# rpm -q ipa-server
ipa-server-4.6.4-10.el7.x86_64
[root@auto-hv-01-guest01 ~]# tail -1 /var/log/ipareplica-install.log
2018-09-19T16:10:51Z INFO The ipa-replica-install command was successful
[root@auto-hv-01-guest01 ~]# ipa-server-install --uninstall -U
Updating DNS system records
ipaserver.dns_data_management: ERROR unable to resolve host name auto-hv-01-guest01.testrelm.test. to IP address, ipa-ca DNS record will be incomplete
-----------------------------------------------------
Deleted IPA server "auto-hv-01-guest01.testrelm.test"
-----------------------------------------------------
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa-otpd
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful
[root@auto-hv-01-guest01 ~]# ipa-replica-install --principal admin --admin-password Secret123
Done.
Finalize replication settings
Restarting the KDC
WARNING: The CA service is only installed on one server (auto-hv-02-guest03.testrelm.test).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
[root@auto-hv-01-guest01 ~]# echo $?
0
[root@auto-hv-01-guest01 ~]# tail -1 /var/log/ipareplica-install.log
2018-09-20T07:23:52Z INFO The ipa-replica-install command was successful
[root@auto-hv-01-guest01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest01 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest01 ~]# kinit admin
Password for admin:
kinit: Password incorrect while getting initial credentials
[root@auto-hv-01-guest01 ~]# kinit admin
Password for admin:
[root@auto-hv-01-guest01 ~]#
[root@auto-hv-01-guest01 ~]# cat /var/log/httpd/error_log | grep "ACIError"
[root@auto-hv-01-guest01 ~]# cat /var/log/httpd/error_log | grep "acierror"
[root@auto-hv-01-guest01 ~]# cat /var/log/httpd/error_log | grep "aci"
[root@auto-hv-01-guest01 ~]# cat /var/log/httpd/error_log | grep "ACI"
[root@auto-hv-01-guest01 ~]#
```

Thus on the basis of above observations marking the status of bug to 'VERIFIED'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187