Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2025848

Summary: RHEL 8.6 IPA Replica Failed to configure PKINIT setup against a RHEL 7.9 IPA server
Product: Red Hat Enterprise Linux 7 Reporter: anuja <amore>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.9CC: frenaud, jreznik, rcritten, tapazogl, tscherf
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: 7.9Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.8-5.el7_9.10 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-16 17:54:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description anuja 2021-11-23 08:12:46 UTC 
Description of problem:
RHEL 8.6 IPA Replica Failed to configure PKINIT setup against a RHEL 7.9 IPA server 

Version-Release number of selected component (if applicable):
RHEL 7.9 Server packages:
certmonger-0.78.4-17.el7_9.x86_64
ipa-server-4.6.8-5.el7_9.9.x86_64

RHEL 8.6 replica packages:
certmonger-0.79.13-5.el8.x86_64
ipa-server-4.9.6-9.module+el8.6.0+13273+4b1dd6b2.x86_64
389-ds-base-1.4.3.28-1.module+el8.6.0+13040+7da9aab8.x86_64

How reproducible:
Always

Steps to Reproduce:
1.Setup IPA server on a RHEL 7.9 system
2.Setup IPA replica on a RHEL 8.6 system

Actual results:

  [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at https://replica.ipa.test/ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404.  (404)).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'


Expected results:
There should be no error in PKINIT configuration.

Additional info:
Reproduced also on RHEL8.5 replica.
Comment 4 Rob Crittenden 2021-11-23 13:56:26 UTC 
The replica Apache log mirros the certmonger output:

ipa: ERROR: ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404.  (404)

So I think we need the logs from the IPA server to see what is going on. 404 suggests the remote CA is not running though tomcat is. Do we have those logs?
Comment 5 Rob Crittenden 2021-11-23 13:57:42 UTC 
To clarify, the Apache logs on the 7.9 server.
Comment 6 Florence Blanc-Renaud 2021-11-23 14:16:03 UTC 
Taking for investigation
Comment 7 Rob Crittenden 2021-11-23 14:56:57 UTC 
The 7.9 server log contains:

[Tue Nov 23 09:36:40.353935 2021] [:error] [pid 17045] ipa: ERROR: non-public: AttributeError: 'ldap2' object has no attribute 'Object'
[Tue Nov 23 09:36:40.353966 2021] [:error] [pid 17045] Traceback (most recent call last):
[Tue Nov 23 09:36:40.353968 2021] [:error] [pid 17045]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
[Tue Nov 23 09:36:40.353970 2021] [:error] [pid 17045]     result = command(*args, **options)
[Tue Nov 23 09:36:40.353972 2021] [:error] [pid 17045]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Tue Nov 23 09:36:40.353974 2021] [:error] [pid 17045]     return self.__do_call(*args, **options)
[Tue Nov 23 09:36:40.353976 2021] [:error] [pid 17045]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Tue Nov 23 09:36:40.353978 2021] [:error] [pid 17045]     ret = self.run(*args, **options)
[Tue Nov 23 09:36:40.353979 2021] [:error] [pid 17045]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Tue Nov 23 09:36:40.353981 2021] [:error] [pid 17045]     return self.execute(*args, **options)
[Tue Nov 23 09:36:40.353983 2021] [:error] [pid 17045]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 863, in execute
[Tue Nov 23 09:36:40.353984 2021] [:error] [pid 17045]     ca_kdc_check(ldap, alt_principal.hostname)
[Tue Nov 23 09:36:40.353986 2021] [:error] [pid 17045]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 301, in ca_kdc_check
[Tue Nov 23 09:36:40.353988 2021] [:error] [pid 17045]     master_dn = api_instance.Object.server.get_dn(unicode(hostname))
[Tue Nov 23 09:36:40.353989 2021] [:error] [pid 17045] AttributeError: 'ldap2' object has no attribute 'Object'
[Tue Nov 23 09:36:40.354230 2021] [:error] [pid 17045] ipa: INFO: [jsonserver_kerb] host/replica1.ipa.test: cert_request(u'MIIDojCCAooCAQAwLzERMA8GA1UECgwISVBBLlRFU1QxGjAYBgNVBAMTEXJlcGxpY2ExLmlwYS50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx7WvOcTgbV4NEH8IOCMdQIbQXC7NN4pyn/6BHnP7tGRTCwEKdEFTc1fObW2OXnWFuJAiT397qWTO55Md4fR4890R+rOj9Eg4VP5uas5ox7amNfU//zY9PZbGXUcEdsSdDotr3g+rUzJcQWNbQW+X5Upld9KNFBKM1XofPUnb6c8h9S1Ryyp0KH9/ldGdf0zBu+Iax43ItY4M1I5SmI4JTdw8u3dQFoeMYe4xfywpvCJKjnxRLkkLSRX9RaPiP3k4JXJ5OdGV/VTg8T4uY3cwE+jwFLb+bnkVuZmt3JjpspLDVanHkAYFZHlzAtnrLEs7zsIQ4p8lpOuwdXi4FotDpwIDAQABoIIBLDArBgkqhkiG9w0BCRQxHh4cADIAMAAyADEAMQAxADIAMwAxADQAMwA2ADMANjCB/AYJKoZIhvcNAQkOMYHuMIHrMIGCBgNVHREBAQAEeDB2ghFyZXBsaWNhMS5pcGEudGVzdKAoBgorBgEEAYI3FAIDoBoMGGtyYnRndC9JUEEuVEVTVEBJUEEuVEVTVKA3BgYrBgEFAgKgLTAroAobCElQQS5URVNUoR0wG6ADAgEBoRQwEhsGa3JidGd0GwhJUEEuVEVTVDAMBgNVHRMBAf8EAjAAMCAGA1UdDgEBAAQWBBSEIvuPTiSIMNaZt1S35yLeO5cIuzA0BgkrBgEEAYI3FAIBAQAEJB4iAEsARABDAHMAXwBQAEsASQBOAEkAVABfAEMAZQByAHQAczANBgkqhkiG9w0BAQsFAAOCAQEAC8HhHfb2RSd6fxf2Me9gzViUUhXj46sfuD2V+RUhVKOrhNs22G38zp22dEZtLSNSx9o7oent+zxbCafeivqz8/mDedkL3rDqV4VBx6gD8wv7tsDgEnfK4BD0qrK3WALCRLiaBVxfCudgjUbCvqUWoYWux3uJQw1HM8OpCCWJLZB+jDLUdD5eMCs/Cy7HNHVcvqv2UebIBLEDXW0NmA1rNC6sOqkMMdctIYqD3/thajAhemuL3RptuuWwOhudHfd3EpwYKHG6J7x0HDnEbYScVAWhuZnw+bqZL2Ao8IN9YpjKEVOclO3HoW5FbLY6uGDYAHdYAr7qDVSAUw8dUNVjUA==', profile_id=u'KDCs_PKINIT_Certs', principal=u'krbtgt/IPA.TEST', add=True): InternalError

This explains why the issuance failed though I'm not sure how this translates into a 404 Not Found in the HTTP response on the 8.5 side.

ipa-server-4.6.8-5.el7_9.9.x86_64
pki-ca-10.5.18-18.el7_9.noarch
389-ds-base-1.3.10.2-14.el7_9.x86_64
certmonger-0.78.4-17.el7_9.x86_64
Comment 8 Rob Crittenden 2021-11-23 14:58:11 UTC 
This bug is fixed in ipa-4-6: ad8556beff19e15fdefbbc3b7655e6b63d8e1d04

But this isn't in ipa-server-4.6.8-5.el7_9.9.x86_64
Comment 9 Florence Blanc-Renaud 2021-11-23 15:07:47 UTC 
Marking as POST since an upstream fix is available.
The upstream issue:
https://pagure.io/freeipa/issue/8686

Note that the fix needs to be done on the RHEL 7 server, hence changing the Product to RHEL 7
Comment 16 anuja 2021-12-13 08:06:41 UTC 
Verified using:
server : ipa-server-4.6.8-5.el7_9.10.x86_64
replica: ipa-server-4.9.8-1.module+el8.6.0+13485+f71eb528.x86_64

[root@replica ~]# ipa-replica-install -U --setup-ca --server master.dipa7986.test  --domain dipa7986.test --admin-password Secret123 --principal admin
Configuring client side components
This program will set up IPA client.
Version 4.9.8
..
..
..
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server

Using this no failure for PKINIT certificate request. Based on this marking bug as verified.
Attaching logs.
Comment 23 errata-xmlrpc 2021-12-16 17:54:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: ipa security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:5195