In testing of the OpenSSL 4.0 update - https://bodhi.fedoraproject.org/updates/FEDORA-2026-54c7ad647e - we have found that FreeIPA replica install fails. This is a real and reproducible bug. The underlying cause seems to be some kind of hang/block/loop/whatever in httpd: the FreeIPA setup process gets stuck running pkispawn as part of certificate configuration, but pkispawn appears to be waiting for a response from httpd which it never gets.

Manual reproduction steps from rcrit:

  Start with 2 rawhide VMs with a good amount of disk. The updates are large.
  On one: bodhi updates download --updateid=FEDORA-2026-54c7ad647e
  use createrepo_c to generate a local copr repo of the contents
  dnf -y update && dnf -y install freeipa-server-dns
  If there is a kernel update in there I update. You do you.
  I use hostnamectl to set the two hostnames to ipa.example.test and replica.example.test
  ipa-server-install -a password -p password -r EXAMPLE.TEST -U -N --setup-dns --allow-zone-overlap --no-forwarders --auto-reverse
  I next moved to the replica. I copied over the copr repo and set it up in a similar way. Then run the dnf cmds
  ipa-replica-install --server ipa.example.test --domain example.test -w password -U --skip-mem-check --setup-ca
  In step 7-ish of the CA install things will hang up, the CPU will go to 100%

[ed note: there is nothing 'COPR' here, you're just creating a local dnf repo]

rcrit also got some httpd logs including an error "AH02008: SSL library error 1 in handshake (server ipa.example.test:443)" which may need investigation by jorton.

We are waiving this failure and making the tests temporarily non-gating on Rawhide to get the larger OpenSSL 4 update merged, but this is a high-priority issue and should be investigated and resolved ASAP; we need to fix this and start gating on the tests again quickly.
Also proposing as an F45 Beta blocker as a violation of https://fedoraproject.org/wiki/Basic_Release_Criteria#FreeIPA_server_requirements .
Not sure if an instance of the same problem, but another broken thing about FreeIPA in rawhide is simple

  # dnf install -y --setopt=install_weak_deps=False freeipa-server
  # ipa-server-install -U -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123
  # ipa-kra-install -p Secret123 -U

This will yield a 99+% CPU looping of a java process:

  Tasks: 183 total,   2 running, 181 sleep,   0 d-sleep,   0 stopped,   0 zombie
  %Cpu(s): 44.1 us,  6.0 sy,  0.0 ni, 49.7 id,  0.0 wa,  0.2 hi,  0.0 si,  0.0 st
  MiB Mem :   2822.3 total,    615.9 free,   1550.7 used,    993.5 buff/cache
  MiB Swap:   2822.0 total,   2822.0 free,      0.0 used.   1271.5 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
  10151 root      20   0 2820520 125232  33328 S  99.7   4.3   4:54.15 java
   7424 pkiuser   20   0 2935480 253684  39352 S   0.3   8.8   0:22.95 java
      1 root      20   0   44144  25032  12812 S   0.0   0.9   0:12.15 systemd
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.01 kthreadd

until I killed it.

Observed in the FreeIPA containerization CI: https://github.com/freeipa/freeipa-container/issues/745.
From the Slack discussion, this looked like a Post-Handshake Auth issue. I was unable to reproduce any PHA issue with simple testing against a Rawhide container, using a standard mod_ssl configuration requiring per-location client certificates.