Bug 1624755 - Re-installing replica on the same system displays 'WARNING: cannot check if port 443 is already configured'
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
Reported: 2018-09-03 08:31 UTC by Sudhir Menon
Modified: 2018-10-30 11:01 UTC

Fixed In Version: ipa-4.6.4-9.el7
Last Closed: 2018-10-30 11:00:22 UTC


Attachments:
Install logs (559.02 KB, application/x-gzip), 2018-09-03 08:40 UTC, Sudhir Menon


Links:
Red Hat Product Errata RHBA-2018:3187 (last updated 2018-10-30 11:01:37 UTC)

Description Sudhir Menon 2018-09-03 08:31:19 UTC
Description of problem: Re-installing replica on the same system displays 'WARNING: cannot check if port 443 is already configured'

Version-Release number of selected component (if applicable):

ipa-server-4.6.4-7.el7.x86_64
sssd-1.16.2-12.el7.x86_64
httpd-2.4.6-88.el7.x86_64
pki-server-10.5.9-6.el7.noarch
389-ds-base-1.3.8.4-13.el7.x86_64
selinux-policy-3.13.1-222.el7.noarch


How reproducible: Always


Steps to Reproduce:
1. Install IPA server with integrated DNS
2. Setup replica using the below command and ensure replica is setup without any errors

#ipa-replica-install --principal admin --admin-password ***

3. Now try removing the replication and uninstall IPA replica

#ipa server-del <replica-hostname>  
#ipa-server-install --uninstall -U

5. Now try installing replica again on the same system.

#ipa-replica-install --principal admin --admin-password ***

Actual results: 

5. Although the replica is re-installed, it displays the below message on the console.

[root@replica ~]# ipa-replica-install --principal admin --admin-password ***
WARNING: cannot check if port 443 is already configured
httpd returned error when checking: Command '/usr/sbin/httpd -t -D DUMP_VHOSTS' returned non-zero exit status 1
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Expected results: Remove the warning message displayed for clean install.


Additional info: Logs attached for reference.

Comment 2 Sudhir Menon 2018-09-03 08:40:54 UTC
Created attachment 1480466
Install logs

Comment 4 Sudhir Menon 2018-09-03 09:10:03 UTC
Also happened to see ACIError in the httpd error log file on replica.

[Mon Sep 03 14:21:25.040584 2018] [core:notice] [pid 16084] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Sep 03 14:21:25.041652 2018] [suexec:notice] [pid 16084] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Sep 03 14:21:25.262211 2018] [auth_digest:notice] [pid 16084] AH01757: generating secret for digest authentication ...
[Mon Sep 03 14:21:25.263242 2018] [lbmethod_heartbeat:notice] [pid 16084] AH02282: No slotmem from mod_heartmonitor
[Mon Sep 03 14:21:25.315501 2018] [mpm_prefork:notice] [pid 16084] AH00163: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Mon Sep 03 14:21:25.315530 2018] [core:notice] [pid 16084] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Sep 03 14:21:41.217823 2018] [:error] [pid 16094] ipa: INFO: *** PROCESS START ***
[Mon Sep 03 14:21:41.225163 2018] [:error] [pid 16095] ipa: INFO: *** PROCESS START ***
[Mon Sep 03 14:21:41.258522 2018] [:error] [pid 16093] ipa: INFO: *** PROCESS START ***
[Mon Sep 03 14:21:41.272261 2018] [:error] [pid 16092] ipa: INFO: *** PROCESS START ***
[Mon Sep 03 14:21:56.149355 2018] [auth_gssapi:error] [pid 16100] [client 10.65.206.145:48548] NO AUTH DATA Client did not send any authentication headers, referer: https://replica.thunderbird.test/ipa/xml
[Mon Sep 03 14:21:57.574717 2018] [:error] [pid 16094] ipa: INFO: [xmlserver] host/replica.thunderbird.test: cert_request(u'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', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/THUNDERBIRD.TEST', add=True, version=u'2.51'): ACIError

Comment 5 Rob Crittenden 2018-09-04 12:16:17 UTC
The failure is due to this:

2018-09-03T07:49:33Z DEBUG stderr=httpd: Syntax error on line 353 of /etc/httpd/conf/httpd.conf: Syntax error on line 214 of /etc/httpd/conf.d/nss.conf: Could not open configuration file /etc/httpd/conf.d/ipa-rewrite.conf: No such file or directory

Comment 6 Florence Blanc-Renaud 2018-09-04 16:57:52 UTC
It seems that the uninstaller does not remove the following line from the file /etc/httpd/conf.d/ssl.conf:
Include /etc/httpd/conf.d/ipa-rewrite.conf

Currently investigating why this happens...

Comment 7 Florence Blanc-Renaud 2018-09-05 13:43:08 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7684

Comment 8 Petr Vobornik 2018-09-05 16:22:58 UTC
In case it would help somebody: IPA uninstaller does not operate on content of nss.conf file from a perspective of removing lines.

It simply takes a backup file which installers created from /var/lib/ipa/sysrestore and replaces the nss.conf file. So if this file was wrong then it will be also wrong after uninstallation. A possible cause could be e.g. partially failed uninstallation in some of the previous installs, especially if the machine is reused.

E.g.:

# ls -1 /var/lib/ipa/sysrestore/
00bf45388a3b3de1-krb5kdc
03731651955e5e52-nss.conf
2501fbc16617b5c7-kdc.conf
8b9fb3583ff50195-named
917ef8bbd10d92ca-dirsrv
928f6a6e07d599ae-ntp.conf
ac2222a37a9c84dd-krb5.conf
b62b2a8ced1eec2d-hosts
ecd213292a48cc31-ntpd
efd7b28a7ff14c8d-dirsrv
fa9d034c0727715f-resolv.conf
fd3286c1e94d6417-named.conf
sysrestore.index
sysrestore.state

# cat sysrestore.index 
[files]
917ef8bbd10d92ca-dirsrv = 33188,0,0,/etc/sysconfig/dirsrv
efd7b28a7ff14c8d-dirsrv = 33188,0,0,/etc/sysconfig/dirsrv
fa9d034c0727715f-resolv.conf = 33188,0,0,/etc/resolv.conf
fd3286c1e94d6417-named.conf = 33184,0,25,/etc/named.conf
00bf45388a3b3de1-krb5kdc = 33188,0,0,/etc/sysconfig/krb5kdc
03731651955e5e52-nss.conf = 33188,0,0,/etc/httpd/conf.d/nss.conf
8b9fb3583ff50195-named = 33188,0,0,/etc/sysconfig/named
2501fbc16617b5c7-kdc.conf = 33152,0,0,/var/kerberos/krb5kdc/kdc.conf
b62b2a8ced1eec2d-hosts = 33188,0,0,/etc/hosts
ac2222a37a9c84dd-krb5.conf = 33188,0,0,/etc/krb5.conf

So for investigation, it might be good to know what is the content of the file.
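
Added example, not part of the comment above and not FreeIPA code: a small Python check that parses a sysrestore.index in the `name = mode,uid,gid,path` layout shown in the listing, reports paths that have more than one saved copy, and scans a saved nss.conf for literal `Include` targets that are missing, the condition behind the `httpd -t -D DUMP_VHOSTS` failure in comment 5. The sample index and backup content are constructed, and the function names are hypothetical.

```python
import configparser
import re
import stat
from collections import defaultdict

# Constructed sample, same "name = mode,uid,gid,path" layout as the listing above.
SAMPLE_INDEX = """\
[files]
917ef8bbd10d92ca-dirsrv = 33188,0,0,/etc/sysconfig/dirsrv
efd7b28a7ff14c8d-dirsrv = 33188,0,0,/etc/sysconfig/dirsrv
03731651955e5e52-nss.conf = 33188,0,0,/etc/httpd/conf.d/nss.conf
2501fbc16617b5c7-kdc.conf = 33152,0,0,/var/kerberos/krb5kdc/kdc.conf
"""
# Constructed content for a saved nss.conf that still carries an IPA Include.
SAMPLE_NSS_BACKUP = """\
Listen 8443
# Include /etc/httpd/conf.d/commented-out.conf
IncludeOptional /etc/httpd/conf.d/optional.conf
Include /etc/httpd/conf.d/ipa-rewrite.conf
"""

def parse_index(text):
    """Return {backup_name: (mode_string, uid, gid, original_path)}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep backup names exactly as written
    cp.read_string(text)
    entries = {}
    for name, value in cp.items("files"):
        mode, uid, gid, path = value.split(",", 3)  # the path may contain commas
        entries[name] = (stat.filemode(int(mode)), int(uid), int(gid), path)
    return entries

def paths_with_multiple_backups(entries):
    """Original paths that have more than one saved copy in the store."""
    by_path = defaultdict(list)
    for name, entry in entries.items():
        by_path[entry[3]].append(name)
    return {p: sorted(names) for p, names in by_path.items() if len(names) > 1}

def missing_includes(conf_text, exists):
    """Literal absolute Include targets for which exists(path) is false.
    Commented lines, IncludeOptional and wildcard patterns are skipped."""
    pattern = re.compile(r"^[ \t]*Include[ \t]+(\S+)", re.IGNORECASE | re.MULTILINE)
    targets = [t.strip('"') for t in pattern.findall(conf_text)]
    return [t for t in targets
            if t.startswith("/") and not set(t) & set("*?[") and not exists(t)]

if __name__ == "__main__":
    import os
    entries = parse_index(SAMPLE_INDEX)
    print(paths_with_multiple_backups(entries))
    print(missing_includes(SAMPLE_NSS_BACKUP, os.path.exists))
```

On a real host, feed it the text of /var/lib/ipa/sysrestore/sysrestore.index and of the backup file whose index entry points at /etc/httpd/conf.d/nss.conf, with `os.path.exists` as the `exists` callback.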

Comment 11 Florence Blanc-Renaud 2018-09-07 12:30:29 UTC
Automation available in test_integration/test_uninstallation.py::TestUninstallBase::test_install_uninstall_replica

Comment 13 Nikhil Dehadrai 2018-09-20 08:21:06 UTC
Version: ipa-server-4.6.4-10.el7.x86_64

Verified the bug on the basis of the following steps/observations:
1. Install IPA server with integrated DNS
2. Setup replica against this IPA Master and ensure replica is setup without any errors
3. Now try removing the replication and uninstall IPA replica

# (ON MASTER)  ipa server-del <replica-hostname>  
# (ON REPLICA) ipa-server-install --uninstall -U

5. Now try installing replica again on the same system.

#ipa-replica-install --principal admin --admin-password ***

Actual results: 
------------------
1. After step5, Replica installation is successful
2. No 'ACIError' noticed under /var/log/httpd/error_log as mentioned in comment#4



Console output Replica:
---------------------------
[root@auto-hv-01-guest01 ~]# rpm -q ipa-server
ipa-server-4.6.4-10.el7.x86_64
[root@auto-hv-01-guest01 ~]# tail -1 /var/log/ipareplica-install.log
2018-09-19T16:10:51Z INFO The ipa-replica-install command was successful
[root@auto-hv-01-guest01 ~]# ipa-server-install --uninstall -U
Updating DNS system records
ipaserver.dns_data_management: ERROR    unable to resolve host name auto-hv-01-guest01.testrelm.test. to IP address, ipa-ca DNS record will be incomplete
-----------------------------------------------------
Deleted IPA server "auto-hv-01-guest01.testrelm.test"
-----------------------------------------------------
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa-otpd
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful

[root@auto-hv-01-guest01 ~]# ipa-replica-install --principal admin --admin-password Secret123

Done.
Finalize replication settings
Restarting the KDC
 
WARNING: The CA service is only installed on one server (auto-hv-02-guest03.testrelm.test).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
 
[root@auto-hv-01-guest01 ~]# echo $?
0
[root@auto-hv-01-guest01 ~]# tail -1 /var/log/ipareplica-install.log
2018-09-20T07:23:52Z INFO The ipa-replica-install command was successful
[root@auto-hv-01-guest01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest01 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest01 ~]# kinit admin
Password for admin:
kinit: Password incorrect while getting initial credentials
[root@auto-hv-01-guest01 ~]# kinit admin
Password for admin:
[root@auto-hv-01-guest01 ~]#
[root@auto-hv-01-guest01 ~]# cat /var/log/httpd/error_log | grep "ACIError"
[root@auto-hv-01-guest01 ~]# cat /var/log/httpd/error_log | grep "acierror"
[root@auto-hv-01-guest01 ~]# cat /var/log/httpd/error_log | grep "aci"
[root@auto-hv-01-guest01 ~]# cat /var/log/httpd/error_log | grep "ACI"
[root@auto-hv-01-guest01 ~]#

Thus on the basis of above observations marking the status of bug to 'VERIFIED'.

Comment 16 errata-xmlrpc 2018-10-30 11:00:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

