Bug 1449189 - ipa-kra-install timeouts on replica
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Abhijeet Kasurde
Keywords: Regression
Depends On: 1457106
Reported: 2017-05-09 07:52 EDT by Petr Vobornik
Modified: 2017-08-01 05:50 EDT

Fixed In Version: ipa-4.5.0-18.el7
Last Closed: 2017-08-01 05:50:15 EDT

Attachments:
console.log (22.25 KB, text/plain), 2017-06-22 02:45 EDT, Abhijeet Kasurde


External Trackers:
Red Hat Product Errata RHBA-2017:2304 (priority: normal, status: SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 08:41:35 EDT

Description Petr Vobornik 2017-05-09 07:52:19 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6934

ipa-kra-install fails on a replica

To reproduce:
1. install ipa server with CA
2. run ipa-kra-install on the ipa server
3. create a replica with CA: ipa-client-install then ipa-replica-install --setup-ca
4. run ipa-kra-install on the replica

Output of ipa-kra-install on the replica:

    $ sudo ipa-kra-install
    Directory Manager password: 
    
    
    ===================================================================
    This program will setup Dogtag KRA for the FreeIPA Server.
    
    
    Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
    
    Your system may be partly configured.
    If you run into issues, you may have to re-install IPA on this server.
    
    Timed out trying to obtain keys.
    The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

Content of ipaserver-kra-install.log:

    2017-05-05T14:29:29Z INFO Waiting up to 300 seconds to see our keys appear on host: ipaserver.domain.com
    2017-05-05T14:29:29Z DEBUG Transient error getting keys: 'Incorrect number of results (2) searching forpublic key for ipareplica.domain.com'
    2017-05-05T14:34:30Z ERROR
    Your system may be partly configured.
    If you run into issues, you may have to re-install IPA on this server.
    
    2017-05-05T14:34:30Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 207, in run
        kra.install(api, config, self.options)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/kra.py", line 93, in install
        replica_config.dirman_password)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 217, in get_kra_keys
        self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 156, in __get_keys
        self.__wait_keys(ca_host)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 144, in __wait_keys
        raise RuntimeError("Timed out trying to obtain keys.")
    
    2017-05-05T14:34:30Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: Timed out trying to obtain keys.
    2017-05-05T14:34:30Z ERROR Timed out trying to obtain keys.
    2017-05-05T14:34:30Z ERROR The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information


The issue happens because the code is looking for exactly one entry with cn=enc/ipareplica below cn=custodia,cn=ipa,cn=etc,dc=domain,dc=com but 2 are found (one directly below cn=custodia, and one below cn=dogtag,cn=custodia)

Regression linked to Commit 1f9f84a
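
The failure mode described above, as an added example that is not FreeIPA code and not part of the original report: an in-memory model of the cn=custodia subtree shows why a lookup that expects exactly one cn=enc/<host> entry anywhere below the container fails once a second copy exists under cn=dogtag, and how a one-level scope tells the two apart. The host names, helper names and the scope-based disambiguation are assumptions; the page does not show the actual fix.

```python
# Constructed sample DNs modelled on the layout described in the report.
CUSTODIA = "cn=custodia,cn=ipa,cn=etc,dc=domain,dc=com"
ENTRIES = [
    CUSTODIA,
    "cn=enc/ipaserver.domain.com," + CUSTODIA,
    "cn=enc/ipareplica.domain.com," + CUSTODIA,
    "cn=dogtag," + CUSTODIA,
    "cn=enc/ipareplica.domain.com,cn=dogtag," + CUSTODIA,
]


def split_dn(dn):
    """Split a DN into lowercase RDNs (the sample DNs contain no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def search(entries, base, scope, rdn):
    """Return DNs at or under `base` whose leftmost RDN equals `rdn`.

    scope is "onelevel" (direct children only) or "subtree" (base and any depth).
    """
    base_rdns = split_dn(base)
    hits = []
    for dn in entries:
        rdns = split_dn(dn)
        depth = len(rdns) - len(base_rdns)
        if depth < 0 or rdns[depth:] != base_rdns:
            continue  # entry is not located under the search base
        if scope == "onelevel" and depth != 1:
            continue  # skip the base itself and nested containers
        if rdns[0] == rdn.lower():
            hits.append(dn)
    return hits


def find_single_key(entries, base, scope, host):
    """Hypothetical helper mimicking the 'exactly one result' check in the log."""
    hits = search(entries, base, scope, "cn=enc/" + host)
    if len(hits) != 1:
        raise LookupError(
            "Incorrect number of results (%d) searching for public key for %s"
            % (len(hits), host))
    return hits[0]
```

With the subtree scope the replica's key matches twice and the check raises on every retry until the 300-second wait expires; with a one-level scope on either container the lookup is unambiguous.
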
Comment 2 Petr Vobornik 2017-05-09 07:52:33 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/6934
Comment 3 Petr Vobornik 2017-05-09 07:54:26 EDT
Introduced by patch for bug 1438833 in ipa-4.5.0-10.el7
Comment 7 Abhijeet Kasurde 2017-05-31 04:31:41 EDT
Unable to install KRA on replica due to BZ#1457106. Will wait till this gets fixed.
Comment 8 Abhijeet Kasurde 2017-06-12 03:16:32 EDT
Marking BZ as FailedQA as I am able to reproduce the issue using :: ipa-4.5.0-16.el7 and SELinux Permissive and Enforcing mode.
Comment 10 David Kupka 2017-06-15 03:02:58 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/7020
Comment 13 Abhijeet Kasurde 2017-06-22 02:44:58 EDT
Verified using IPA and SELinux-policy version ::
ipa-server-4.5.0-19.el7.x86_64
selinux-policy-3.13.1-164.el7.noarch


Marking BZ as verified. See attachment for console.log.
Comment 14 Abhijeet Kasurde 2017-06-22 02:45 EDT
Created attachment 1290517
console.log
Comment 15 errata-xmlrpc 2017-08-01 05:50:15 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
