1442815 – Replica install fails during migration from older IPA master

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1442815 - Replica install fails during migration from older IPA master

Summary: Replica install fails during migration from older IPA master

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Kaleem
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-04-17 16:27 UTC by Kaleem
Modified:	2017-08-01 09:48 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ipa-4.5.0-10.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 09:48:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
rhel69 master pki debug (751.68 KB, text/plain) 2017-04-17 16:27 UTC, Kaleem	no flags	Details
rhel74 replica pki debug (215.68 KB, text/plain) 2017-04-17 16:28 UTC, Kaleem	no flags	Details
beaker console output for replica install (11.48 KB, text/plain) 2017-05-15 09:46 UTC, Kaleem	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2304	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2017-08-01 12:41:35 UTC

Description Kaleem 2017-04-17 16:27:00 UTC

Created attachment 1272108 [details]
rhel69 master pki debug

Description of problem:
During Replica install on RHEL-7.4 from RHEL-6.9 master, pki instance creation fails with following error message.

------------------------------
  [10/28]: importing RA certificate from PKCS #12 file
  [error] CalledProcessError: Command '/usr/bin/openssl pkcs12 -in /tmp/tmpmNC1Eiipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin pass:' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Command '/usr/bin/openssl pkcs12 -in /tmp/tmpmNC1Eiipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin pass:' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@hp-dl380pgen8-02-vm-7 ~]#

------------------------------

Version-Release number of selected component (if applicable):
6.9 master
-----------
[root@kvm-guest-03 ~]# rpm -q pki-ca ipa-server
pki-ca-9.0.3-53.el6.noarch
ipa-server-3.0.0-51.el6.x86_64
[root@kvm-guest-03 ~]# 

7.4 replica
------------
[root@hp-dl380pgen8-02-vm-7 ~]# rpm -q ipa-server pki-ca selinux-policy
ipa-server-4.5.0-6.el7.x86_64
pki-ca-10.4.1-1.el7.noarch
selinux-policy-3.13.1-142.el7.noarch
[root@hp-dl380pgen8-02-vm-7 ~]#
[root@hp-dl380pgen8-02-vm-7 ~]# getenforce 
Permissive
[root@hp-dl380pgen8-02-vm-7 ~]# cat /var/log/audit/audit.log |audit2allow 
#============= gssproxy_t ==============
allow gssproxy_t self:capability dac_override;
#============= tomcat_t ==============
allow tomcat_t user_tmp_t:file open;
[root@hp-dl380pgen8-02-vm-7 ~]# 


How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-6.9 master
2. Preate replica gpg for RHEL-7.4 replica
3. Install replica on RHEL-7.4 using gpg file from step 2

Actual results:
Replica install fails

Expected results:
Replica install should be successful

Additional info:
Please find the attached pki debug log from Master and Replica

Comment 2 Kaleem 2017-04-17 16:28:17 UTC

Created attachment 1272109 [details]
rhel74 replica pki debug

Comment 3 Endi Sukma Dewata 2017-04-17 17:24:58 UTC

The failure is actually happening in IPA in CAInstance.import_ra_cert(). I'm moving this ticket to IPA.

Comment 5 Standa Laznicka 2017-04-19 10:26:58 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/6878

Comment 6 Jan Cholasta 2017-04-19 12:37:32 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/6f0a622d83ee22ce712a380d1701cb1f383689e4
ipa-4-5:
https://pagure.io/freeipa/c/3f70baf2a4811e3eee341aee6da99dfa80c092e6

Comment 8 Kaleem 2017-04-24 07:14:18 UTC

:: [ 08:42:40 ] ::   ipa-server-4.5.0-7.el7.x86_64
..
.....
:: [  BEGIN   ] :: Running ' /usr/sbin/ipa-replica-install -U --setup-ca --setup-dns --forwarder=10.16.36.29 -w xxxxxxxxx -p xxxxxxxxx /opt/rhqa_ipa/replica-info-hp-dl380pgen8-02-vm-1.testrelm.test.gpg'
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: enabling ldapi
  [3/41]: configure autobind for root
  [4/41]: stopping directory server
  [5/41]: updating configuration in dse.ldif
  [6/41]: starting directory server
  [7/41]: adding default schema
  [8/41]: enabling memberof plugin
  [9/41]: enabling winsync plugin
  [10/41]: configuring replication version plugin
  [11/41]: enabling IPA enrollment plugin
  [12/41]: configuring uniqueness plugin
  [13/41]: configuring uuid plugin
  [14/41]: configuring modrdn plugin
  [15/41]: configuring DNS plugin
  [16/41]: enabling entryUSN plugin
  [17/41]: configuring lockout plugin
  [18/41]: configuring topology plugin
  [19/41]: creating indices
  [20/41]: enabling referential integrity plugin
  [21/41]: configuring certmap.conf
  [22/41]: configure new location for managed entries
  [23/41]: configure dirsrv ccache
  [24/41]: enabling SASL mapping fallback
  [25/41]: restarting directory server
  [26/41]: creating DS keytab
  [27/41]: setting up initial replication
Starting replication, please wait until this has completed.

Update in progress, 1 seconds elapsed
Update in progress, 2 seconds elapsed
Update in progress, 3 seconds elapsed
Update succeeded

  [28/41]: adding sasl mappings to the directory
  [29/41]: updating schema
  [30/41]: setting Auto Member configuration
  [31/41]: enabling S4U2Proxy delegation
  [32/41]: initializing group membership
  [33/41]: adding master entry
  [34/41]: initializing domain level
  [35/41]: configuring Posix uid/gid generation
  [36/41]: adding replication acis
  [37/41]: enabling compatibility plugin
  [38/41]: activating sidgen plugin
  [39/41]: activating extdom plugin
  [40/41]: tuning directory server
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: adding URL rewriting rules
  [8/22]: configuring httpd
  [9/22]: setting up httpd keytab
  [10/22]: retrieving anonymous keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance

MARK-LWD-LOOP -- 2017-04-20 08:44:57 --
  [2/28]: exporting Dogtag certificate store pin
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: configure certmonger for renewals
  [10/28]: importing RA certificate from PKCS #12 file
  [11/28]: setting up signing cert profile
  [12/28]: setting audit signing renewal to 2 years
  [13/28]: restarting certificate server
  [14/28]: authorizing RA to modify profiles
  [15/28]: authorizing RA to manage lightweight CAs
  [16/28]: Ensure lightweight CAs container exists
  [17/28]: Ensuring backward compatibility
  [18/28]: configure certificate renewals
  [19/28]: configure Server-Cert certificate renewal
  [20/28]: Configure HTTP to proxy connections
  [21/28]: restarting certificate server
  [22/28]: migrating certificate profiles to LDAP
  [error] NetworkError: cannot connect to 'https://kvm-02-guest10.testrelm.test:8443/ca/rest/account/login': [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    cannot connect to 'https://kvm-02-guest10.testrelm.test:8443/ca/rest/account/login': [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

...

Comment 11 Martin Bašti 2017-05-02 15:38:24 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/0d406fcb784924bfe685729f3156efb8c902b947
https://pagure.io/freeipa/c/92313c9e9d37733feb79d1b1c825178f48d6c69c
ipa-4-5:
https://pagure.io/freeipa/c/32981a0f9d0ff699e3d16da8f5a37c112871ba3a
https://pagure.io/freeipa/c/9de343987e6d76d2edeba372c73c1060657aef59

Comment 13 Kaleem 2017-05-15 09:45:42 UTC

Verified.

IPA version: ipa-server-4.5.0-11.el7.x86_64

Please find the attached file for install console output.

Comment 14 Kaleem 2017-05-15 09:46:48 UTC

Created attachment 1278906 [details]
beaker console output for replica install

Comment 15 errata-xmlrpc 2017-08-01 09:48:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.