Red Hat Bugzilla – Bug 1435611
Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica
Last modified: 2017-08-01 05:46:16 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6757

When installing replica from a current master branch, the following series of tracebacks can be seen in certmonger journal output:

```console
Mar 13 16:11:45 replica1.ipa.test systemd[1]: Started Certificate monitoring and PKI enrollment.
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7890]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7887]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7889]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7888]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7894]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7893]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 550, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 520, in main
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
```

It may be that these messages are actually harmless since in the end the certificate requests are successfully resolved, but it may be more helpful to catch these exceptions and log them as soft errors.

Relevant software versions.

```console
[root@replica1 ~]# rpm -q freeipa-server gssproxy
freeipa-server-4.4.90.dev201703131430+git5758f8a-0.fc25.x86_64
gssproxy-0.7.0-1.fc25.x86_64
```
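A triage helper for journal output like the report above, added here as an example (it is not part of the bug report or of FreeIPA): it groups the helper's tracebacks by PID and splits the GSS-API major status into its RFC 2744 fields, which shows whether a burst of tracebacks is one repeated failure. The sample lines are constructed by abbreviating the report's output, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: journal lines abbreviated from the report above.
SAMPLE = """\
Mar 13 16:11:45 replica1.ipa.test systemd[1]: Started Certificate monitoring and PKI enrollment.
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7890]: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7887]: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 171, in get_principal
    raise errors.CCacheError(message=unicode(e))
CCacheError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available (default cach
Mar 13 16:12:03 replica1.ipa.test dogtag-ipa-ca-renew-agent-submit[7893]: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 205, in create_connection
    principal = krb_utils.get_principal(ccache_name=ccache)
"""

# syslog-style prefix: "Mon DD HH:MM:SS host unit[pid]: message"
HEADER = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Final traceback line carrying the GSS-API major and minor status codes.
ERROR = re.compile(r"^(?P<exc>\w+): Major \((?P<major>\d+)\): .*Minor \((?P<minor>\d+)\): ")

def decode_major(major):
    """Split a GSS-API major status into (calling, routine, supplementary)
    per RFC 2744; routine error 13 is GSS_S_FAILURE."""
    return (major >> 24) & 0xFF, (major >> 16) & 0xFF, major & 0xFFFF

def summarize(journal, helper="dogtag-ipa-ca-renew-agent-submit"):
    """Return one dict per helper traceback. A traceback cut off before its
    exception line (as the last one in the report is) keeps exc/major/minor
    as None instead of being dropped."""
    events, current = [], None
    for line in journal.splitlines():
        head = HEADER.match(line)
        if head:
            current = None
            if head["unit"] == helper and head["msg"].startswith("Traceback"):
                current = {"pid": int(head["pid"]), "exc": None, "major": None, "minor": None}
                events.append(current)
            continue
        err = ERROR.match(line)
        if current is not None and err:
            current.update(exc=err["exc"], major=int(err["major"]), minor=int(err["minor"]))
    return events

def signatures(events):
    """Count tracebacks per (exception, major, minor) signature."""
    return Counter((e["exc"], e["major"], e["minor"]) for e in events)
```
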
Upstream ticket: https://pagure.io/freeipa/issue/6757
Fixed upstream

master:
https://pagure.io/freeipa/c/b189be12ecd1ba9efa35daf41e7e04a9362c6a5e
https://pagure.io/freeipa/c/8a8558637946d7dac1d85642baaf9ba7c1be98f8
https://pagure.io/freeipa/c/ec52332229672f35af8db5aaf1ed2827a8dd5467
https://pagure.io/freeipa/c/181cb94e744c380a823b94d0d5ca088ab3dcca1c
https://pagure.io/freeipa/c/3884a671cb59c360fae67884755fa5779053107a
https://pagure.io/freeipa/c/a6a89e24147d8542fd09cf64e04982599b79e3cc

ipa-4-5:
https://pagure.io/freeipa/c/3a3cd01161b618dd6836fda7df935dd39adc117b
https://pagure.io/freeipa/c/029da956be22c9e05a53c7c30e3afcb2c851ad86
https://pagure.io/freeipa/c/3317e172227fd72ad9049f7893d3018043201b3c
https://pagure.io/freeipa/c/cb141b0eb3950bcae1950e6190ba3573f348b1f2
https://pagure.io/freeipa/c/1a7db624857c46a2c1c091ed4b8d7902a4486596
https://pagure.io/freeipa/c/e9168e80ddb6066114f9438fa6a7a11b0eaa02cf
The proposed fixes (specifically https://pagure.io/freeipa/c/181cb94e744c380a823b94d0d5ca088ab3dcca1c) break server installation with external CA.
Fixed upstream

master:
https://pagure.io/freeipa/c/25a33ce8b1c77b0d957772143affd7085757bccb

ipa-4-5:
https://pagure.io/freeipa/c/2144eaf25ef1148c9353dfb2680f8811fd8c21aa
Created attachment 1284054 [details] Verification "Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304