After your suggestion I didn't get the CA_REJECT error, but I got the following error:
([error] INVALID_CREDENTIALS: {'desc': 'Invalid credentials'})

[root@ldap-b-3 ~]# ipa-replica-install -N -w XXXXX -U
ipaserver.install.installutils: ERROR    Unable to resolve the IP address 10.31.1.24 to a host name, check /etc/hosts and DNS name resolution
Run connection check to master
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: enabling ldapi
  [3/41]: configure autobind for root
  [4/41]: stopping directory server
  [5/41]: updating configuration in dse.ldif
  [6/41]: starting directory server
  [7/41]: adding default schema
  [8/41]: enabling memberof plugin
  [9/41]: enabling winsync plugin
  [10/41]: configuring replication version plugin
  [11/41]: enabling IPA enrollment plugin
  [12/41]: configuring uniqueness plugin
  [13/41]: configuring uuid plugin
  [14/41]: configuring modrdn plugin
  [15/41]: configuring DNS plugin
  [16/41]: enabling entryUSN plugin
  [17/41]: configuring lockout plugin
  [18/41]: configuring topology plugin
  [19/41]: creating indices
  [20/41]: enabling referential integrity plugin
  [21/41]: configuring certmap.conf
  [22/41]: configure new location for managed entries
  [23/41]: configure dirsrv ccache
  [24/41]: enabling SASL mapping fallback
  [25/41]: restarting directory server
  [26/41]: creating DS keytab
  [27/41]: ignore time skew for initial replication
  [28/41]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 9 seconds elapsed
Update succeeded
  [29/41]: prevent time skew after initial replication
  [30/41]: adding sasl mappings to the directory
  [31/41]: updating schema
  [32/41]: setting Auto Member configuration
  [33/41]: enabling S4U2Proxy delegation
  [34/41]: initializing group membership
  [35/41]: adding master entry
  [36/41]: initializing domain level
  [37/41]: configuring Posix uid/gid generation
  [38/41]: adding replication acis
  [39/41]: activating sidgen plugin
  [40/41]: activating extdom plugin
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [error] INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR    {'desc': 'Invalid credentials'}
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

On Wed, Sep 18, 2019 at 11:33 AM Satish Patel <satish....@gmail.com> wrote:
>
> Interesting,
>
> You are saying edit that line and restart httpd and try to create a new
> replica? I wonder how it was working 8 months ago then? Anyway, I am
> going to do that and let you know.
>
> Also I would like to mention one more thing: I brought my (primary
> LDAP + CA Master) back after 8 months. Do you think it needs to be reinitialized
> before doing anything, or are we OK here?
>
> On Wed, Sep 18, 2019 at 11:25 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> > Satish Patel wrote:
> > > Thanks Rob,
> > >
> > > This is the output of ldap-ca-master
> > >
> > > # matches for CA REST API
> > > <LocationMatch
> > > "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/admin/kraconnector/remove">
> > >     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> > >     NSSVerifyClient optional
> > >     ProxyPassMatch ajp://localhost:8009
> > >     ProxyPassReverse ajp://localhost:8009
> > > </LocationMatch>
> >
> > It is missing some URLs. Change this to:
> >
> > <LocationMatch
> > "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove|^/ca/rest/certs/search">
> >
> > And restart httpd.
> >
> > rob
> >
> > > /var/log/httpd/access_log
> > >
> > > 10.32.1.60 - host/ldap-b-3.example....@example.com [16/Sep/2019:12:01:17 -0400] "POST /ipa/xml HTTP/1.1" 200 316
> > > 10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET https://ldap-ca-master.example.com:443/ca/rest/account/login HTTP/1.1" 200 218
> > > 10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET https://ldap-ca-master.example.com:443/ca/rest/authorities/42a9fffc-199d-4935-9d0f-5d826b4f2ad9/cert HTTP/1.1" 200 905
> > > 10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET https://ldap-ca-master.example.com:443/ca/rest/account/logout HTTP/1.1" 204 -
> > > 10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "POST https://ldap-ca-master.example.com:443/ca/rest/certrequests?issuer-id=42a9fffc-199d-4935-9d0f-5d826b4f2ad9 HTTP/1.1" 404 218
> > > 10.32.1.60 - - [16/Sep/2019:12:01:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1474
> > > 10.32.1.60 - host/ldap-b-3.example....@example.com [16/Sep/2019:12:01:32 -0400] "POST /ipa/xml HTTP/1.1" 200 316
> > > 10.31.1.24 - - [16/Sep/2019:12:01:47 -0400] "GET https://ldap-ca-master.example.com:443/ca/rest/account/login HTTP/1.1" 200 218
> > > 10.31.1.24 - - [16/Sep/2019:12:01:47 -0400] "GET https://ldap-ca-master.example.com:443/ca/rest/authorities/42a9fffc-199d-4935-9d0f-5d826b4f2ad9/cert HTTP/1.1" 200 905
> > >
> > >
> > > [root@ldap-ca-master conf.d]# ipa-replica-manage list -v `hostname`
> > > Directory Manager password:
> > > ldap-b-1.example.com: replica
> > >   last init status: None
> > >   last init ended: 1970-01-01 00:00:00+00:00
> > >   last update status: Error (0) Replica acquired successfully: Incremental update succeeded
> > >   last update ended: 2019-09-17 22:13:04+00:00
> > >
> > >
> > > [root@ldap-b-1 conf.d]# ipa-replica-manage list -v `hostname`
> > > Directory Manager password:
> > > ldap-ca-master.example.com: replica
> > >   last init status: None
> > >   last init ended: 1970-01-01 00:00:00+00:00
> > >   last update status: Error (18) Replication error acquiring replica: Incremental update transient error. Backing off, will retry update later. (transient error)
> > >   last update ended: 1970-01-01 00:00:00+00:00
> > > ldap-b-2.example.com: replica
> > >   last init status: None
> > >   last init ended: 1970-01-01 00:00:00+00:00
> > >   last update status: Error (15) Replication error acquiring replica: Changelog database error was encountered (changelog error)
> > >   last update ended: 1970-01-01 00:00:00+00:00
> > > ldap-b-3.example.com: replica
> > >   last init status: 0 Total update succeeded
> > >   last init ended: 2019-09-16 15:56:54+00:00
> > >   last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied)
> > >   last update ended: 2019-09-16 15:56:55+00:00
> > >
> > >
> > > [root@ldap-b-2 ~]# ipa-replica-manage list -v `hostname`
> > > Directory Manager password:
> > > ldap-b-1.example.com: replica
> > >   last init status: None
> > >   last init ended: 1970-01-01 00:00:00+00:00
> > >   last update status: Error (0) Replica acquired successfully: Incremental update succeeded
> > >   last update ended: 2019-09-17 22:32:26+00:00
> > >
> > > ldap-b-3.example.com is the one I am trying to add to the cluster; it is throwing the error for
> > > CA_REJECT.
> > >
> > > Let me know if you need more data or logs.
> > >
> > > On Tue, Sep 17, 2019 at 1:55 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> > >>
> > >> Satish Patel via FreeIPA-users wrote:
> > >>> Folks,
> > >>>
> > >>> Stay with me while I explain my issue, because it's a little complex. We
> > >>> had 2 working LDAP servers running in datacenter-A for many months and life
> > >>> was good.
> > >>>
> > >>> Last year the company decided to shut down datacenter-A and migrate
> > >>> everything from there to a new datacenter-B.
> > >>>
> > >>> This is what I did for the migration: I created two new LDAP servers
> > >>> in datacenter-B and ran create replica from datacenter-A (but, my bad
> > >>> luck, we forgot the --setup-ca option which creates a CA replica). In
> > >>> short, we have no CA running in the new datacenter-B.
> > >>>
> > >>> The fun part starts now. A few months back we finally shut down
> > >>> datacenter-A and archived all data (LDAP was running in VMware, so we
> > >>> archived the vmdk). After 8 months we found our LDAP servers running under
> > >>> load, so we decided to create more replicas, and we found we have no CA
> > >>> master, so we can't create a replica. Damn it.
> > >>>
> > >>> We dug into the datacenter-A archive and started ldap-ca-master on a
> > >>> new IP address. We gave it the same DNS name so it wouldn't create any issue.
> > >>> When I started ldap-ca-master it started throwing errors that some certs
> > >>> had expired, blah..blah.. so finally I renewed them and this LDAP looks good
> > >>> now; the CA is also running.
> > >>>
> > >>> Hostnames:
> > >>>
> > >>> ldap-ca-master (this is the old datacenter LDAP with CA, awakened a few days
> > >>> ago)
> > >>> ldap-b-1 (new datacenter LDAP without CA)
> > >>> ldap-b-2 (new datacenter LDAP without CA)
> > >>>
> > >>> Now I am trying to create a new ldap-b-3 in the new datacenter using
> > >>> ldap-b-1 as my master to create the new replica, and somehow I am getting
> > >>> the following error:
> > >>>
> > >>>
> > >>> RuntimeError: Certificate issuance failed (CA_REJECTED: Server at
> > >>> https://ldap-b-1.example.com/ipa/xml failed request, will retry: 4035
> > >>> (RPC failed at server. Request failed with status 404: Non-2xx
> > >>> response from CA REST API: 404. ).)
> > >>> Installation failed. Rolling back changes.
> > >>> Unenrolling client from IPA server
> > >>> Unenrolling host failed: RPC failed at server. invalid 'hostname': An
> > >>> IPA master host cannot be deleted or disabled
> > >>>
> > >>> Questions:
> > >>>
> > >>> 1. All my other LDAP servers are running 4.5.x but the new replica is on 4.6; not sure
> > >>> whether that is the issue here or not?
> > >>>
> > >>> 2. I can see the ldap-ca-master node isn't fully in sync with ldap-b-1 and
> > >>> ldap-b-2 because I brought that machine back to life after 8 months (do you
> > >>> think I should do a force sync of ldap-ca-master with ldap-b-1?)
> > >>>
> > >>> 3. Should I use ldap-ca-master to create the replica, or can I pick any
> > >>> node to create the replica?
> > >>>
> > >>> What options do I have here to troubleshoot this issue?
> > >>
> > >> Look in /etc/httpd/conf.d/ipa-pki-proxy.conf for a section like:
> > >>
> > >> <LocationMatch "^/ca/rest/account/login|...
> > >>
> > >> Show us the full contents.
> > >>
> > >> See what URL is being requested in /var/log/httpd/access_log
> > >>
> > >> ipa-replica-manage list -v `hostname` on all the masters will show you
> > >> the current status.
> > >>
> > >> rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
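The diagnosis in the thread (a POST to /ca/rest/certrequests answered 404 by httpd on the CA master because the LocationMatch in ipa-pki-proxy.conf has no `^/ca/rest/certrequests` alternative, so the request never reaches the AJP proxy to Dogtag) can be reproduced mechanically by checking each /ca/ request in access_log against the regex from the config. The script below is an added example, not code from the thread or from FreeIPA: it embeds the LocationMatch lines and access_log lines exactly as they were posted (rejoined from the mail wrapping) rather than reading the live files, and it assumes the standard Apache behaviour that LocationMatch applies an unanchored regex search to the URL path without the query string. Function and constant names are this example's own.

```python
"""Find CA REST requests that a given <LocationMatch> in ipa-pki-proxy.conf
would not proxy to Dogtag, using an Apache combined access_log as input."""
import re
from urllib.parse import urlsplit

# LocationMatch as posted from ldap-ca-master (missing certrequests/certs/search)
# and the corrected version suggested in the thread.  Constructed from the thread.
LOCATIONMATCH_POSTED = (
    '<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout'
    '|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo'
    '|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles'
    '|^/ca/rest/authorities|^/ca/rest/admin/kraconnector/remove">'
)
LOCATIONMATCH_FIXED = (
    '<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout'
    '|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo'
    '|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles'
    '|^/ca/rest/authorities|^/ca/rest/certrequests'
    '|^/ca/rest/admin/kraconnector/remove|^/ca/rest/certs/search">'
)

# access_log lines as posted (mail-client line wrapping undone).  Constructed sample.
ACCESS_LOG = """\
10.32.1.60 - host/ldap-b-3.example....@example.com [16/Sep/2019:12:01:17 -0400] "POST /ipa/xml HTTP/1.1" 200 316
10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET https://ldap-ca-master.example.com:443/ca/rest/account/login HTTP/1.1" 200 218
10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET https://ldap-ca-master.example.com:443/ca/rest/authorities/42a9fffc-199d-4935-9d0f-5d826b4f2ad9/cert HTTP/1.1" 200 905
10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET https://ldap-ca-master.example.com:443/ca/rest/account/logout HTTP/1.1" 204 -
10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "POST https://ldap-ca-master.example.com:443/ca/rest/certrequests?issuer-id=42a9fffc-199d-4935-9d0f-5d826b4f2ad9 HTTP/1.1" 404 218
10.32.1.60 - - [16/Sep/2019:12:01:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1474
"""

# Combined log format: client ident user [time] "method target protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def location_match_pattern(config_text):
    """Return the regex string inside the first <LocationMatch "..."> opening tag."""
    m = re.search(r'<LocationMatch\s+"([^"]+)"', config_text)
    if m is None:
        raise ValueError('no <LocationMatch "..."> found in config text')
    return m.group(1)


def parse_access_log(text):
    """Yield (client, method, path, status) for each parseable log line.

    The request target may be an absolute URL (as in the posted log, where the
    replica talks to the CA through the proxy), so the path is taken with urlsplit.
    """
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, _user, _ts, method, target, status, _size = m.groups()
        yield client, method, urlsplit(target).path, int(status)


def unproxied_ca_requests(config_text, log_text):
    """Requests under /ca/ whose path the LocationMatch regex does not match.

    Assumption: Apache evaluates LocationMatch as an unanchored regex search
    against the URL path only (query string excluded), so re.search on the
    path tells us whether the ProxyPassMatch inside the block applied.
    """
    rx = re.compile(location_match_pattern(config_text))
    return [
        (method, path, status)
        for _client, method, path, status in parse_access_log(log_text)
        if path.startswith("/ca/") and rx.search(path) is None
    ]


if __name__ == "__main__":
    for label, cfg in (("posted", LOCATIONMATCH_POSTED), ("fixed", LOCATIONMATCH_FIXED)):
        print(label, unproxied_ca_requests(cfg, ACCESS_LOG))
```

With the posted config the only unmatched /ca/ request is the POST to /ca/rest/certrequests, which is exactly the line that got the 404 in the log; with the corrected LocationMatch nothing is left unmatched. On a real host the same check can be run by reading /etc/httpd/conf.d/ipa-pki-proxy.conf and /var/log/httpd/access_log into the two text arguments; any hit that is a request FreeIPA is known to make means the proxy block needs the missing alternative, and tightening the block afterwards is the safe direction, since LocationMatch is also what limits which Dogtag endpoints are reachable through httpd at all.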