Bug 1449189 - ipa-kra-install timeouts on replica
Summary: ipa-kra-install timeouts on replica
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Abhijeet Kasurde
URL:
Whiteboard:
Depends On: 1457106
Blocks:
 
Reported: 2017-05-09 11:52 UTC by Petr Vobornik
Modified: 2017-08-01 09:50 UTC (History)

Fixed In Version: ipa-4.5.0-18.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:50:15 UTC
Target Upstream Version:


Attachments
console.log (22.25 KB, text/plain), 2017-06-22 06:45 UTC, Abhijeet Kasurde


Links
Red Hat Product Errata RHBA-2017:2304 (normal, SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-05-09 11:52:19 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6934

ipa-kra-install fails on a replica

To reproduce:
install ipa server with CA
run ipa-kra-install on the ipa server
create a replica with CA: ipa-client-install then ipa-replica-install --setup-ca
run ipa-kra-install on the replica

Output of ipa-kra-install on the replica:

    $ sudo ipa-kra-install
    Directory Manager password: 
    
    
    ===================================================================
    This program will setup Dogtag KRA for the FreeIPA Server.
    
    
    Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
    
    Your system may be partly configured.
    If you run into issues, you may have to re-install IPA on this server.
    
    Timed out trying to obtain keys.
    The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

Content of ipaserver-kra-install.log:

    2017-05-05T14:29:29Z INFO Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
    2017-05-05T14:29:29Z DEBUG Transient error getting keys: 'Incorrect number of results (2) searching forpublic key for ipareplica.domain.com'
    2017-05-05T14:34:30Z ERROR
    Your system may be partly configured.
    If you run into issues, you may have to re-install IPA on this server.
    
    2017-05-05T14:34:30Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 207, in run
        kra.install(api, config, self.options)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/kra.py", line 93, in install
        replica_config.dirman_password)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 217, in get_kra_keys
        self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 156, in __get_keys
        self.__wait_keys(ca_host)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 144, in __wait_keys
        raise RuntimeError("Timed out trying to obtain keys.")
    
    2017-05-05T14:34:30Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: Timed out trying to obtain keys.
    2017-05-05T14:34:30Z ERROR Timed out trying to obtain keys.
    2017-05-05T14:34:30Z ERROR The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information


The issue happens because the code is looking for exactly one entry with cn=enc/ipareplica below cn=custodia,cn=ipa,cn=etc,dc=domain,dc=com but 2 are found (one directly below cn=custodia, and one below cn=dogtag,cn=custodia)

Regression linked to Commit 1f9f84a
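
The following is an added example, not FreeIPA code and not a description of how the project fixed this ticket. It models, in a constructed in-memory directory, the situation the description explains: a search under cn=custodia for cn=enc/<replica> matches both the entry directly below cn=custodia and the one below cn=dogtag,cn=custodia, so an "exactly one result" check fails with count 2. The one-level scope used to disambiguate is an assumption chosen for illustration; the DNs mirror the ones named above, and the entry attributes are illustrative only.

```python
# Added example (not FreeIPA code): models the LDAP search behind
# "Incorrect number of results (2) searching for public key for <host>".
# The directory below is a constructed in-memory stand-in for 389-ds; the
# one-level search is an assumed way to disambiguate, not the project's fix.

SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = "base", "one", "sub"

CUSTODIA_BASE = "cn=custodia,cn=ipa,cn=etc,dc=domain,dc=com"

# Constructed sample directory mirroring the DNs named in the description:
# the replica's enc key directly under cn=custodia, a second one under
# cn=dogtag,cn=custodia, and neighbours that the filter must not match.
SAMPLE_DIRECTORY = {
    "cn=enc/ipareplica.domain.com," + CUSTODIA_BASE: {"cn": ["enc/ipareplica.domain.com"]},
    "cn=sig/ipareplica.domain.com," + CUSTODIA_BASE: {"cn": ["sig/ipareplica.domain.com"]},
    "cn=enc/ipaserver.domain.com," + CUSTODIA_BASE: {"cn": ["enc/ipaserver.domain.com"]},
    "cn=dogtag," + CUSTODIA_BASE: {"cn": ["dogtag"]},
    "cn=enc/ipareplica.domain.com,cn=dogtag," + CUSTODIA_BASE: {"cn": ["enc/ipareplica.domain.com"]},
}


def parent_dn(dn):
    """Parent of a DN; assumes no escaped commas (true for these RDNs)."""
    _, _, rest = dn.partition(",")
    return rest


def in_scope(dn, base, scope):
    """LDAP scope semantics: base = the entry itself, one = direct
    children only, sub = the base and everything below it."""
    dn, base = dn.lower(), base.lower()
    if scope == SCOPE_BASE:
        return dn == base
    if scope == SCOPE_ONELEVEL:
        return parent_dn(dn) == base
    return dn == base or dn.endswith("," + base)  # SCOPE_SUBTREE


def search(directory, base, scope, attr, value):
    """Equality search: DNs in scope whose attr contains value (case-insensitive)."""
    return [
        dn for dn, attrs in directory.items()
        if in_scope(dn, base, scope)
        and value.lower() in (v.lower() for v in attrs.get(attr, []))
    ]


def public_key_dn(directory, host, scope):
    """Require exactly one match, as the check quoted in the log does.
    (Message reworded here with the missing space after 'for'.)"""
    hits = search(directory, CUSTODIA_BASE, scope, "cn", "enc/" + host)
    if len(hits) != 1:
        raise RuntimeError(
            "Incorrect number of results (%d) searching for public key for %s"
            % (len(hits), host))
    return hits[0]


if __name__ == "__main__":
    host = "ipareplica.domain.com"
    try:
        # Subtree scope sees both the cn=custodia and the cn=dogtag entry.
        public_key_dn(SAMPLE_DIRECTORY, host, SCOPE_SUBTREE)
    except RuntimeError as e:
        print("subtree search:", e)
    # One-level scope only sees the entry directly below cn=custodia.
    print("one-level search:", public_key_dn(SAMPLE_DIRECTORY, host, SCOPE_ONELEVEL))
```

On a live server the same distinction can be seen with ldapsearch by comparing `-s sub` and `-s one` against the base `cn=custodia,cn=ipa,cn=etc,<suffix>` with the filter `(cn=enc/<replica-fqdn>)`: the subtree search returns both entries named in the description, the one-level search returns only the one directly below cn=custodia.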

Comment 2 Petr Vobornik 2017-05-09 11:52:33 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6934

Comment 3 Petr Vobornik 2017-05-09 11:54:26 UTC
Introduced by patch for bug 1438833 in ipa-4.5.0-10.el7

Comment 7 Abhijeet Kasurde 2017-05-31 08:31:41 UTC
Unable to install KRA on replica due to BZ#1457106. Will wait till this gets fixed.

Comment 8 Abhijeet Kasurde 2017-06-12 07:16:32 UTC
Marking BZ as FailedQA as I am able to reproduce the issue using :: ipa-4.5.0-16.el7 and SELinux Permissive and Enforcing mode.

Comment 10 David Kupka 2017-06-15 07:02:58 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7020

Comment 13 Abhijeet Kasurde 2017-06-22 06:44:58 UTC
Verified using IPA and SELinux-policy version ::
ipa-server-4.5.0-19.el7.x86_64
selinux-policy-3.13.1-164.el7.noarch


Marking BZ as verified. See attachment for console.log.

Comment 14 Abhijeet Kasurde 2017-06-22 06:45:18 UTC
Created attachment 1290517
console.log

Comment 15 errata-xmlrpc 2017-08-01 09:50:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

