After your suggestion I didn't get the CA_REJECT error, but I got the following
error: ( [error] INVALID_CREDENTIALS: {'desc': 'Invalid
credentials'})

[root@ldap-b-3 ~]# ipa-replica-install -N -w XXXXX -U
ipaserver.install.installutils: ERROR    Unable to resolve the IP
address 10.31.1.24 to a host name, check /etc/hosts and DNS name
resolution
Run connection check to master
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: enabling ldapi
  [3/41]: configure autobind for root
  [4/41]: stopping directory server
  [5/41]: updating configuration in dse.ldif
  [6/41]: starting directory server
  [7/41]: adding default schema
  [8/41]: enabling memberof plugin
  [9/41]: enabling winsync plugin
  [10/41]: configuring replication version plugin
  [11/41]: enabling IPA enrollment plugin
  [12/41]: configuring uniqueness plugin
  [13/41]: configuring uuid plugin
  [14/41]: configuring modrdn plugin
  [15/41]: configuring DNS plugin
  [16/41]: enabling entryUSN plugin
  [17/41]: configuring lockout plugin
  [18/41]: configuring topology plugin
  [19/41]: creating indices
  [20/41]: enabling referential integrity plugin
  [21/41]: configuring certmap.conf
  [22/41]: configure new location for managed entries
  [23/41]: configure dirsrv ccache
  [24/41]: enabling SASL mapping fallback
  [25/41]: restarting directory server
  [26/41]: creating DS keytab
  [27/41]: ignore time skew for initial replication
  [28/41]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 9 seconds elapsed
Update succeeded
  [29/41]: prevent time skew after initial replication
  [30/41]: adding sasl mappings to the directory
  [31/41]: updating schema
  [32/41]: setting Auto Member configuration
  [33/41]: enabling S4U2Proxy delegation
  [34/41]: initializing group membership
  [35/41]: adding master entry
  [36/41]: initializing domain level
  [37/41]: configuring Posix uid/gid generation
  [38/41]: adding replication acis
  [39/41]: activating sidgen plugin
  [40/41]: activating extdom plugin
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [error] INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
Your system may be partly configured.

Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR    {'desc': 'Invalid credentials'}
ipapython.admintool: ERROR    The ipa-replica-install command failed.
See /var/log/ipareplica-install.log for more information

On Wed, Sep 18, 2019 at 11:33 AM Satish Patel <satish....@gmail.com> wrote:
>
> Interesting,
>
> You are saying edit that line, restart httpd, and try to create a new
> replica? I wonder how it was working 8 months ago then? Anyway, I am
> going to do that and let you know.
>
> Also, I would like to mention one more thing: I brought my (primary
> LDAP + CA Master) back after 8 months. Do you think it needs to be reinitialized
> before doing anything, or are we OK here?
>
> On Wed, Sep 18, 2019 at 11:25 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> > Satish Patel wrote:
> > > Thanks Rob,
> > >
> > > This is the output of ldap-ca-master
> > >
> > > # matches for CA REST API
> > > <LocationMatch 
> > > "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/admin/kraconnector/remove">
> > >     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> > >     NSSVerifyClient optional
> > >     ProxyPassMatch ajp://localhost:8009
> > >     ProxyPassReverse ajp://localhost:8009
> > > </LocationMatch>
> >
> > It is missing some URLs. Change this to:
> >
> > <LocationMatch
> > "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove|^/ca/rest/certs/search">
> >
> > And restart httpd.
> >
> > rob
> > >
> > > /var/log/httpd/access_log
> > >
> > > 10.32.1.60 - host/ldap-b-3.example....@example.com
> > > [16/Sep/2019:12:01:17 -0400] "POST /ipa/xml HTTP/1.1" 200 316
> > > 10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET
> > > https://ldap-ca-master.example.com:443/ca/rest/account/login HTTP/1.1"
> > > 200 218
> > > 10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET
> > > https://ldap-ca-master.example.com:443/ca/rest/authorities/42a9fffc-199d-4935-9d0f-5d826b4f2ad9/cert
> > > HTTP/1.1" 200 905
> > > 10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET
> > > https://ldap-ca-master.example.com:443/ca/rest/account/logout
> > > HTTP/1.1" 204 -
> > > 10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "POST
> > > https://ldap-ca-master.example.com:443/ca/rest/certrequests?issuer-id=42a9fffc-199d-4935-9d0f-5d826b4f2ad9
> > > HTTP/1.1" 404 218
> > > 10.32.1.60 - - [16/Sep/2019:12:01:32 -0400] "POST /ipa/xml HTTP/1.1" 401 
> > > 1474
> > > 10.32.1.60 - host/ldap-b-3.example....@example.com
> > > [16/Sep/2019:12:01:32 -0400] "POST /ipa/xml HTTP/1.1" 200 316
> > > 10.31.1.24 - - [16/Sep/2019:12:01:47 -0400] "GET
> > > https://ldap-ca-master.example.com:443/ca/rest/account/login HTTP/1.1"
> > > 200 218
> > > 10.31.1.24 - - [16/Sep/2019:12:01:47 -0400] "GET
> > > https://ldap-ca-master.example.com:443/ca/rest/authorities/42a9fffc-199d-4935-9d0f-5d826b4f2ad9/cert
> > > HTTP/1.1" 200 905
> > >
> > >
> > > [root@ldap-ca-master conf.d]# ipa-replica-manage list -v `hostname`
> > > Directory Manager password:
> > > ldap-b-1.example.com: replica
> > >   last init status: None
> > >   last init ended: 1970-01-01 00:00:00+00:00
> > >   last update status: Error (0) Replica acquired successfully:
> > > Incremental update succeeded
> > >   last update ended: 2019-09-17 22:13:04+00:00
> > >
> > >
> > > [root@ldap-b-1 conf.d]# ipa-replica-manage list -v `hostname`
> > > Directory Manager password:
> > > ldap-ca-master.example.com: replica
> > >   last init status: None
> > >   last init ended: 1970-01-01 00:00:00+00:00
> > >   last update status: Error (18) Replication error acquiring replica:
> > > Incremental update transient error.  Backing off, will retry update
> > > later. (transient error)
> > >   last update ended: 1970-01-01 00:00:00+00:00
> > > ldap-b-2.example.com: replica
> > >   last init status: None
> > >   last init ended: 1970-01-01 00:00:00+00:00
> > >   last update status: Error (15) Replication error acquiring replica:
> > > Changelog database error was encountered (changelog error)
> > >   last update ended: 1970-01-01 00:00:00+00:00
> > > ldap-b-3.example.com: replica
> > >   last init status: 0 Total update succeeded
> > >   last init ended: 2019-09-16 15:56:54+00:00
> > >   last update status: Error (3) Replication error acquiring replica:
> > > Unable to acquire replica: permission denied. The bind dn does not
> > > have permission to supply replication updates to the replica. Will
> > > retry later. (permission denied)
> > >   last update ended: 2019-09-16 15:56:55+00:00
> > >
> > >
> > > [root@ldap-b-2 ~]# ipa-replica-manage list -v `hostname`
> > > Directory Manager password:
> > > ldap-b-1.example.com: replica
> > >   last init status: None
> > >   last init ended: 1970-01-01 00:00:00+00:00
> > >   last update status: Error (0) Replica acquired successfully:
> > > Incremental update succeeded
> > >   last update ended: 2019-09-17 22:32:26+00:00
> > >
> > > ldap-b-3.example.com is the one I am trying to add to the cluster; it is throwing the
> > > CA_REJECT error.
> > >
> > > Let me know if you need more data or logs.
> > >
> > > On Tue, Sep 17, 2019 at 1:55 PM Rob Crittenden <rcrit...@redhat.com> 
> > > wrote:
> > >>
> > >> Satish Patel via FreeIPA-users wrote:
> > >>> Folks,
> > >>>
> > >>> Stay with me while I explain my issue, because it's a little complex. We
> > >>> had 2 working LDAP servers running in datacenter-A for many months and life
> > >>> was good.
> > >>>
> > >>> Last year the company decided to shut down datacenter-A and migrate
> > >>> everything from there to the new datacenter-B.
> > >>>
> > >>> This is what I did for the migration: I created two new LDAP servers
> > >>> in datacenter-B and created replicas from datacenter-A (but, my bad
> > >>> luck, we forgot the --setup-ca option, which creates a CA replica). In
> > >>> short, we have no CA running in the new datacenter-B.
> > >>>
> > >>> The fun part starts now. A few months back we finally shut down
> > >>> datacenter-A and archived all data (LDAP was running in VMware, so we
> > >>> archived the vmdk). After 8 months we found our LDAP servers running under
> > >>> load, so we decided to create more replicas, and we found we have no CA
> > >>> master, so we can't create replicas. Damn it.
> > >>>
> > >>> We dug into the datacenter-A archive and started ldap-ca-master on a
> > >>> new IP address. We gave it the same DNS name so it wouldn't create any issue.
> > >>> When I started ldap-ca-master it started throwing errors that some certs
> > >>> had expired, blah..blah.. so finally I renewed them and this LDAP looks good
> > >>> now; the CA is also running.
> > >>>
> > >>> Hostname:
> > >>>
> > >>> ldap-ca-master (This is old datacenter LDAP with CA, awakened few days 
> > >>> ago)
> > >>> ldap-b-1 (new datacenter LDAP without CA)
> > >>> ldap-b-2  (new datacenter LDAP without CA)
> > >>>
> > >>> Now I am trying to create a new ldap-b-3 in the new datacenter, using
> > >>> ldap-b-1 as my master to create the new replica, and somehow I am getting the
> > >>> following error
> > >>>
> > >>>
> > >>> RuntimeError: Certificate issuance failed (CA_REJECTED: Server at
> > >>> https://ldap-b-1.example.com/ipa/xml failed request, will retry: 4035
> > >>> (RPC failed at server.  Request failed with status 404: Non-2xx
> > >>> response from CA REST API: 404. ).)
> > >>> Installation failed. Rolling back changes.
> > >>> Unenrolling client from IPA server
> > >>> Unenrolling host failed: RPC failed at server.  invalid 'hostname': An
> > >>> IPA master host cannot be deleted or disabled
> > >>>
> > >>> Question:
> > >>>
> > >>> 1. All my other LDAP servers are running 4.5.x but the new replica is on 4.6. Not sure
> > >>> whether that is the issue here or not?
> > >>>
> > >>> 2. I can see the ldap-ca-master node isn't fully in sync with ldap-b-1 and
> > >>> ldap-b-2 because I brought that machine back to life after 8 months (do you
> > >>> think I should force a sync of ldap-ca-master with ldap-b-1?)
> > >>>
> > >>> 3. Should I use ldap-ca-master to create the replica, or can I pick any
> > >>> node to create the replica?
> > >>>
> > >>> What options do I have here to troubleshoot this issue?
> > >>
> > >> Look in /etc/httpd/conf.d/ipa-pki-proxy.conf for a section like:
> > >>
> > >> <LocationMatch "^/ca/rest/account/login|...
> > >>
> > >> Show us the full contents.
> > >>
> > >> See what URL is being requested in /var/log/httpd/access_log
> > >>
> > >> ipa-replica-manage list -v `hostname` on all the masters will show you
> > >> the current status.
> > >>
> > >> rob
> >
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
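As an added worked check (not from the thread or the FreeIPA project): the script below correlates the CA REST API LocationMatch pattern from ipa-pki-proxy.conf with the /ca/rest requests seen in access_log and lists the paths httpd would not proxy to the CA, reproducing the 404 on /ca/rest/certrequests that Rob's fix addresses. The config and log samples are constructed from the lines quoted in the thread; the helper names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the CA REST API <LocationMatch> block as posted, before the fix.
CONF_BEFORE = '''<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/admin/kraconnector/remove">
</LocationMatch>'''

# Constructed sample: access_log lines like those posted, each joined onto one line.
ACCESS_LOG = '''\
10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET https://ldap-ca-master.example.com:443/ca/rest/account/login HTTP/1.1" 200 218
10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "GET https://ldap-ca-master.example.com:443/ca/rest/authorities/42a9fffc-199d-4935-9d0f-5d826b4f2ad9/cert HTTP/1.1" 200 905
10.31.1.24 - - [16/Sep/2019:12:01:32 -0400] "POST https://ldap-ca-master.example.com:443/ca/rest/certrequests?issuer-id=42a9fffc-199d-4935-9d0f-5d826b4f2ad9 HTTP/1.1" 404 218
10.32.1.60 - - [16/Sep/2019:12:01:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1474
'''

# Common log format: client, ident, user, [time], "method target proto", status, size.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)$')

def location_match_pattern(conf_text):
    """Return the regex quoted in the first <LocationMatch "..."> of an httpd config fragment."""
    m = re.search(r'<LocationMatch\s+"([^"]+)"\s*>', conf_text)
    return m.group(1) if m else None

def parse_request(line):
    """(url_path, status) for one log line; the target may be an absolute URL, and
    LocationMatch only sees the path, so scheme, host and query string are dropped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return urlsplit(m.group(6)).path, int(m.group(8))

def unproxied_ca_requests(pattern, log_text):
    """/ca/rest requests whose path the LocationMatch regex does not cover
    (Apache matches LocationMatch regexes unanchored, hence re.search)."""
    rx = re.compile(pattern)
    misses = []
    for line in log_text.splitlines():
        parsed = parse_request(line)
        if parsed is None:
            continue
        path, status = parsed
        if path.startswith("/ca/rest/") and not rx.search(path):
            misses.append((path, status))
    return misses

# The same pattern with the two alternatives Rob's reply adds.
PATTERN_AFTER = location_match_pattern(CONF_BEFORE) + "|^/ca/rest/certrequests|^/ca/rest/certs/search"

if __name__ == "__main__":
    for path, status in unproxied_ca_requests(location_match_pattern(CONF_BEFORE), ACCESS_LOG):
        print(f"not proxied to the CA: {path} (httpd returned {status})")
```

Run it against a real /var/log/httpd/access_log and /etc/httpd/conf.d/ipa-pki-proxy.conf by reading those files into ACCESS_LOG and CONF_BEFORE; an empty result after the edit means every CA REST path the client asked for is now forwarded.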