Bug 1438833 – [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1438833 - [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host

Summary:	[ipa-replica-install] - 406 Client Error: Failed to validate message: Incorre...

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	7.4
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	IPA Maintainers
QA Contact:	Nikhil Dehadrai
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	1477178
	Show dependency tree / graph

Reported:	2017-04-04 09:53 EDT by Petr Vobornik
Modified:	2018-04-09 08:07 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:	ipa-4.5.0-10.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Clones:	1477178 (view as bug list)
Environment:
Last Closed:	2017-08-01 05:47:49 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2304	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2017-08-01 08:41:35 EDT

Groups: None (edit)

Description Petr Vobornik 2017-04-04 09:53:01 EDT

Cloned from upstream: https://pagure.io/freeipa/issue/6838

ipa-replica-install fails in test scenario with 3 replicas returning:

```text
2017-03-30T12:18:09Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host/replica1.ipa.test@IPA.TEST for url: https://master.ipa.test/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.st5sUjSqgZ0YUXqSrRDB0jBMnT4tZDiau13OW1Tazfmz8vQKL5ngB41qr69CN1gHy3eiWqmJPK_f8MJsBcydxw61mifpoAVS9BvPm0-OTXppc7ihrwsnAso3lYL5KU4zsNUvZw3rDLhc22gLZyYqKzLDhH-EglRjjHxtfJ5dimPjEU9HXMv310gZt-D57_K0VWZt7lv-Vkb_3fppkNeLrm7wK82RcgsE680BFGdAq6DNiG1zrXcZVV0oR1alPpa7EJHey0HaqvGIX1dzYrCD2_-z2kO-20IFC1fePpItM6fynVUFJMk_u8aRNSB3ea2WMyetJNXrbB_rRKiCEjqGEg.b7W6VA-gFQ4pPJd06kKY1w.-41PkK511sCnRZ7w_StI9iVhfc5YB4grxndI-YkbwIivJ2ZZtHDhDlMtn-FjtDITMmECUBbrtopjvWcz688fNs93JVQ4W2sxmR96ETOQolnTqN693Xot3pZt0UZMPsbdSrIR1nQRiF03TfuJeGBjs1HlnZ36VhSpP1t8u_pagTLEGoRYrRPu9jMH6-T7C74_a1aEEL5gherssIWNNEchVPGlf16U-iCrBRdu2HRijzXMdIEmB-uGiTBjMtO8WhGOXq8hKdzGfpYi9d8E67qOAC6TOnoYVpe7eyPyhtQgAiPXK_m-T8Z8Y8v3LBEYp5ezFY2eZ4KXqyneNwsw1PsDHC7Eb5x-5IJOJBarb_L8d706kjPwdFSu9L0X47w9TTAK7QxPDCJclEl-Uft2GvZrgHTZtkaF3SOOmMh-Pjv5fq4M8-_gnBTP7ClyOUJufLXvPrdD20lq0DxARmmwith11d3QJ5Lt1Bj7HuCq9-29FuQxtWpPIIRA9IVIU3pfjtdzNJwCoP0H7SyewM4-q_WcwLR92r7qSF-94gd-f9NKnNGYiecOEy1gkdoM4DIOUo2uYAtbRyrrJMrKES_s2FYRnXUBsgKRnTBjZ-4sffjd4C1X72__AxtI2_ZHjzkW54fn5UPv5MumuakLNYaCG1yGqQ.HIaJTgkRi2Ii6ZKOFidJP8ZM3IQFgjZMZZ_Xnoz8gZ4
2017-03-30T12:18:09Z ERROR 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host/replica1.ipa.test@IPA.TEST for url: https://master.ipa.test/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.st5sUjSqgZ0YUXqSrRDB0jBMnT4tZDiau13OW1Tazfmz8vQKL5ngB41qr69CN1gHy3eiWqmJPK_f8MJsBcydxw61mifpoAVS9BvPm0-OTXppc7ihrwsnAso3lYL5KU4zsNUvZw3rDLhc22gLZyYqKzLDhH-EglRjjHxtfJ5dimPjEU9HXMv310gZt-D57_K0VWZt7lv-Vkb_3fppkNeLrm7wK82RcgsE680BFGdAq6DNiG1zrXcZVV0oR1alPpa7EJHey0HaqvGIX1dzYrCD2_-z2kO-20IFC1fePpItM6fynVUFJMk_u8aRNSB3ea2WMyetJNXrbB_rRKiCEjqGEg.b7W6VA-gFQ4pPJd06kKY1w.-41PkK511sCnRZ7w_StI9iVhfc5YB4grxndI-YkbwIivJ2ZZtHDhDlMtn-FjtDITMmECUBbrtopjvWcz688fNs93JVQ4W2sxmR96ETOQolnTqN693Xot3pZt0UZMPsbdSrIR1nQRiF03TfuJeGBjs1HlnZ36VhSpP1t8u_pagTLEGoRYrRPu9jMH6-T7C74_a1aEEL5gherssIWNNEchVPGlf16U-iCrBRdu2HRijzXMdIEmB-uGiTBjMtO8WhGOXq8hKdzGfpYi9d8E67qOAC6TOnoYVpe7eyPyhtQgAiPXK_m-T8Z8Y8v3LBEYp5ezFY2eZ4KXqyneNwsw1PsDHC7Eb5x-5IJOJBarb_L8d706kjPwdFSu9L0X47w9TTAK7QxPDCJclEl-Uft2GvZrgHTZtkaF3SOOmMh-Pjv5fq4M8-_gnBTP7ClyOUJufLXvPrdD20lq0DxARmmwith11d3QJ5Lt1Bj7HuCq9-29FuQxtWpPIIRA9IVIU3pfjtdzNJwCoP0H7SyewM4-q_WcwLR92r7qSF-94gd-f9NKnNGYiecOEy1gkdoM4DIOUo2uYAtbRyrrJMrKES_s2FYRnXUBsgKRnTBjZ-4sffjd4C1X72__AxtI2_ZHjzkW54fn5UPv5MumuakLNYaCG1yGqQ.HIaJTgkRi2Ii6ZKOFidJP8ZM3IQFgjZMZZ_Xnoz8gZ4
```

However in LDAP everything looks fine - 2 entries * 4 machines + dogtag container. Consulted with "cheimes" and looks like a race condition. 

```text
[root@replica1 ~]# rpm -qa | egrep "custodia|freeipa"
freeipa-server-common-4.5.90.dev201703290851+git67e5244-0.fc25.noarch
freeipa-server-trust-ad-4.5.90.dev201703290851+git67e5244-0.fc25.x86_64
freeipa-client-common-4.5.90.dev201703290851+git67e5244-0.fc25.noarch
freeipa-common-4.5.90.dev201703290851+git67e5244-0.fc25.noarch
custodia-0.3.1-1.fc25.noarch
freeipa-server-dns-4.5.90.dev201703290851+git67e5244-0.fc25.noarch
freeipa-python-compat-4.5.90.dev201703290851+git67e5244-0.fc25.noarch
freeipa-debuginfo-4.5.90.dev201703290851+git67e5244-0.fc25.x86_64
freeipa-client-4.5.90.dev201703290851+git67e5244-0.fc25.x86_64
python3-custodia-0.3.1-1.fc25.noarch
freeipa-server-4.5.90.dev201703290851+git67e5244-0.fc25.x86_64
python2-custodia-0.3.1-1.fc25.noarch
```

Comment 2 Petr Vobornik 2017-04-04 09:53:17 EDT

Upstream ticket:
https://pagure.io/freeipa/issue/6838

Comment 3 Tomas Krizek 2017-05-03 10:39:01 EDT

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/5f8d1119fe38807e86930af50d3680e28efe68eb
master:
https://pagure.io/freeipa/c/1f9f84a66d6cf9391b91ee4a13ac0f1119212578

Comment 17 Nikhil Dehadrai 2017-06-12 06:36:46 EDT

IPA: ipa-server-4.5.0-16.el7.x86_64

Tested that IPA-replica-install under race condition is successful.

I noticed that I am able to install 7 Replicas (Star TOPOLOGY) in this case and installation if IPA-Replica is successful in each case. 

Thus on the basis of above observations and comment#15 and comment#16, marking the status of bug to "VERIFIED".

Comment 18 errata-xmlrpc 2017-08-01 05:47:49 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.