1449189 – ipa-kra-install timeouts on replica

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1449189 - ipa-kra-install timeouts on replica

Summary: ipa-kra-install timeouts on replica

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Abhijeet Kasurde
Docs Contact:
URL:
Whiteboard:
Depends On:	1457106
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-09 11:52 UTC by Petr Vobornik
Modified:	2017-08-01 09:50 UTC (History)
CC List:	9 users (show)
Fixed In Version:	ipa-4.5.0-18.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 09:50:15 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
console.log (22.25 KB, text/plain) 2017-06-22 06:45 UTC, Abhijeet Kasurde	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2304	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-05-09 11:52:19 UTC

Cloned from upstream: https://pagure.io/freeipa/issue/6934

ipa-kra-install fails on a replica

To reproduce:
install ipa server with CA
run ipa-kra-install on the ipa server
create a replica with CA: ipa-client-install then ipa-replica-install --setup-ca
run ipa-kra-install on the replica

Output of ipa-kra-install on the replica:

    $ sudo ipa-kra-install
    Directory Manager password: 
    
    
    ===================================================================
    This program will setup Dogtag KRA for the FreeIPA Server.
    
    
    Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
    
    Your system may be partly configured.
    If you run into issues, you may have to re-install IPA on this server.
    
    Timed out trying to obtain keys.
    The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

Content of ipaserver-kra-install.log:

    2017-05-05T14:29:29Z INFO Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
    2017-05-05T14:29:29Z DEBUG Transient error getting keys: 'Incorrect number of results (2) searching forpublic key for ipareplica.domain.com'
    2017-05-05T14:34:30Z ERROR
    Your system may be partly configured.
    If you run into issues, you may have to re-install IPA on this server.
    
    2017-05-05T14:34:30Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 207, in run
        kra.install(api, config, self.options)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/kra.py", line 93, in install
        replica_config.dirman_password)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 217, in get_kra_keys
        self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 156, in __get_keys
        self.__wait_keys(ca_host)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 144, in __wait_keys
        raise RuntimeError("Timed out trying to obtain keys.")
    
    2017-05-05T14:34:30Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: Timed out trying to obtain keys.
    2017-05-05T14:34:30Z ERROR Timed out trying to obtain keys.
    2017-05-05T14:34:30Z ERROR The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information


The issue happens because the code is looking for exactly one entry with cn=enc/ipareplica below cn=custodia,cn=ipa,cn=etc,dc=domain,dc=com but 2 are found (one directly below cn=custodia, and one below cn=dogtag,cn=custodia)

Regression linked to Commit 1f9f84a

Comment 2 Petr Vobornik 2017-05-09 11:52:33 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/6934

Comment 3 Petr Vobornik 2017-05-09 11:54:26 UTC

Introduced by patch for bug 1438833  in ipa-4.5.0-10.el7

Comment 5 Martin Bašti 2017-05-09 12:31:04 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/8983ce53e3fdee98926f81f3012146e33bb92d30
ipa-4-5:
https://pagure.io/freeipa/c/b90dce88e227174aa33270beee9b3d6ff51cce59

Comment 7 Abhijeet Kasurde 2017-05-31 08:31:41 UTC

Unable to install KRA on replica due to BZ#1457106. Will wait till this gets fixed.

Comment 8 Abhijeet Kasurde 2017-06-12 07:16:32 UTC

Marking BZ as FailedQA as I am able to reproduce the issue using :: ipa-4.5.0-16.el7 and SELinux Permissive and Enforcing mode.

Comment 10 David Kupka 2017-06-15 07:02:58 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7020

Comment 11 Martin Babinsky 2017-06-15 08:12:04 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/342f72140f9bd8b8db19f469ae4c56cac7492901
ipa-4-5:
https://pagure.io/freeipa/c/15076a1c2b0fb31dce3903e5f50cab9edf68ad07

Comment 13 Abhijeet Kasurde 2017-06-22 06:44:58 UTC

Verified using IPA and SELinux-policy version ::
ipa-server-4.5.0-19.el7.x86_64
selinux-policy-3.13.1-164.el7.noarch


Marking BZ as verified. See attachment for console.log.

Comment 14 Abhijeet Kasurde 2017-06-22 06:45:18 UTC

Created attachment 1290517 [details]
console.log

Comment 15 errata-xmlrpc 2017-08-01 09:50:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.