Description of problem:
Similar to BZ 1358752, when ipa-ca-install is triggered on a replica server which is connected to an IPA master with no CA, then ipa-ca-install fails with a pkispawn error. CA installation on the replica should warn the user about the non-existence of a CA on the IPA master server rather than proceeding with the installation.

[root@ipareplica731301687 ~]# ipa server-role-find
-----------------------
12 server roles matched
-----------------------
  Server name: ipamaster731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: DNS server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: DNS server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: NTP server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: NTP server
  Role status: enabled

  Server name: ipamaster731301687.testrelm.test
  Role name: AD trust agent
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: AD trust agent
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: KRA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: KRA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: AD trust controller
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: AD trust controller
  Role status: absent
-----------------------------
Number of entries returned 12
-----------------------------

[root@ipareplica731301687 ~]# ipa-ca-install
Directory Manager (existing master) password:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/30]: creating certificate server user
  [2/30]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpsDHYbO' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install ipa-server without CA
2. Install ipa replica without CA
3. Trigger IPA CA installation on IPA Replica

Actual results:
ipa-ca-install fails with pkispawn error.

Expected results:
ipa-ca-install should warn user about non-existence of CA on IPA master server.
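The check the report asks for, as an added illustration that is not code from this bug or from FreeIPA's installer: before any pkispawn work is started, look at the topology's server roles and refuse to continue when no server has the "CA server" role enabled. It parses the text that `ipa server-role-find` prints (the listing quoted above) rather than calling the FreeIPA API, so it runs offline; the sample listings, the function names and the NoCAInTopology exception are all constructed for this example.

```python
"""Pre-flight check for promoting a CA-less replica to a CA (added example).

Reads the output of `ipa server-role-find` and answers one question: is there
any server in the topology from which a new CA instance could replicate? If
not, stop before pkispawn runs and leaves a half-configured system behind.
"""
import re

# Constructed sample: the topology from the bug description, trimmed to four
# entries. Neither server has a CA, so the check must fail.
SAMPLE_NO_CA = """\
-----------------------
4 server roles matched
-----------------------
  Server name: ipamaster731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipareplica731301687.testrelm.test
  Role name: CA server
  Role status: absent

  Server name: ipamaster731301687.testrelm.test
  Role name: DNS server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: DNS server
  Role status: absent
-----------------------------
Number of entries returned 4
-----------------------------
"""

# Constructed sample: the same hosts, but the master already runs a CA.
SAMPLE_WITH_CA = """\
  Server name: ipamaster731301687.testrelm.test
  Role name: CA server
  Role status: enabled

  Server name: ipareplica731301687.testrelm.test
  Role name: CA server
  Role status: absent
"""

_FIELD = re.compile(r"\s*(Server name|Role name|Role status):\s*(.+?)\s*$")


def parse_server_roles(text):
    """Return (server, role, status) tuples from server-role-find output.

    Each entry is printed as three lines; "Role status" closes an entry, so
    that is where the accumulated fields are emitted.
    """
    roles = []
    current = {}
    for line in text.splitlines():
        match = _FIELD.match(line)
        if not match:
            continue  # separators, counts and blank lines
        key, value = match.groups()
        current[key] = value
        if key == "Role status":
            roles.append((current["Server name"], current["Role name"], value))
            current = {}
    return roles


def ca_servers(roles):
    """Sorted names of the servers on which the CA server role is enabled."""
    return sorted(server for server, role, status in roles
                  if role == "CA server" and status == "enabled")


class NoCAInTopology(Exception):
    """Raised when ipa-ca-install on a replica has no CA master to replicate from."""


def check_ca_available(role_listing):
    """Fail fast when the topology has no CA; otherwise return the CA servers.

    The caller (an installer wrapper, hypothetically) runs this before touching
    pkispawn, so the user gets a clear message instead of a partial install.
    """
    cas = ca_servers(parse_server_roles(role_listing))
    if not cas:
        raise NoCAInTopology(
            "No server in this topology has the CA server role enabled; "
            "ipa-ca-install on a replica needs an existing CA to replicate "
            "from. Install the CA on the first master instead.")
    return cas


if __name__ == "__main__":
    for name, sample in (("no CA", SAMPLE_NO_CA), ("with CA", SAMPLE_WITH_CA)):
        try:
            print(name, "->", check_ca_available(sample))
        except NoCAInTopology as exc:
            print(name, "->", exc)
```

Run stand-alone it prints the refusal for the first listing and the master's name for the second; in a real installer the listing would come from the API rather than from a captured string.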
Created attachment 1189572 [details] console.log
Created attachment 1189573 [details] ipareplica1-pki-ca-spawn.20160810073829.log
Created attachment 1189574 [details] ipareplica1-ipareplica-conncheck.log
Created attachment 1189576 [details] ipareplica1-ipaclient-install.log
Created attachment 1189577 [details] ipareplica1-ipareplica-ca-install.log
Created attachment 1189578 [details] ipareplica1-ipareplica-install.log
Created attachment 1189579 [details] ipamaster1-ipaserver-install.log
Created attachment 1189580 [details] ipamaster1-ipaclient-install.log
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6226
Bug 1358752 might cause failure later if this is fixed.
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/89de60c5d8ba64d619101a7498b8c4469b6e50ae
The fix above caused different issues.
Reverted:
master: https://fedorahosted.org/freeipa/changeset/dd02741896844a6e14d60f267d9b1cb27b039241/
The patch for this bug was reverted because of bug 1377413
Actually the patch was reverted because it caused the installer to crash, unless you hit https://fedorahosted.org/freeipa/ticket/4639 . Because of bug 1377413 the *new* patch for this bug causes the installer to crash and thus cannot be merged upstream.
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6f7d982fe2e2d2f042e85710b8d8d59167e5796f
Please wait for the ipa-4-4 patch.
Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/cdb6ffb779b7e1e563494eb3234b2441ba74d692
Removing blocking bug 1377413, code path of new fix doesn't trigger the issue.
*** Bug 1403368 has been marked as a duplicate of this bug. ***
Verified on:
ipa-server-4.5.0-9.el7.x86_64
pki-ca-10.4.1-3.el7.noarch

1. Install IPA server
[root@master ~]# ipa-server-install --ip-address F$(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 -U --dirsrv-cert-file=./server.p12 --http-cert-file=./server.p12 --dirsrv-pin XXX --http-pin XXX --no-pkinit

2. Install CA-less replica
[root@replica ~]# ipa-client-install -U --domain testrelm.test --realm TESTRELM.TEST -p admin -w XXX --server master.testrelm.test
[root@replica ~]# ipa-replica-install -U --dirsrv-cert-file=./replica.p12 --http-cert-file=./replica.p12 --dirsrv-pin XXX --http-pin XXX -P admin -w XXX --no-pkinit

3. Promote IPA replica from CA-less to CA-full
[root@replica ~]# ipa-ca-install
Directory Manager (existing master) password:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: exporting Dogtag certificate store pin
  [3/29]: stopping certificate server instance to update CS.cfg
  [4/29]: backing up CS.cfg
  [5/29]: disabling nonces
  [6/29]: set up CRL publishing
  [7/29]: enable PKIX certificate path discovery and validation
  [8/29]: starting certificate server instance
  [9/29]: configure certmonger for renewals
  [10/29]: requesting RA certificate from CA
  [11/29]: setting up signing cert profile
  [12/29]: setting audit signing renewal to 2 years
  [13/29]: restarting certificate server
  [14/29]: publishing the CA certificate
  [15/29]: adding RA agent as a trusted user
  [16/29]: authorizing RA to modify profiles
  [17/29]: authorizing RA to manage lightweight CAs
  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Updating DNS system records

[root@master ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@replica ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304