Hi,

I believe you are hitting a known issue: 2132047 <https://bugzilla.redhat.com/show_bug.cgi?id=2132047> Check hidden status for PKINIT certificate creation

The workaround is to set the replica as not hidden (ipa server-state $HOSTNAME --state=enabled), re-run ipa-pkinit-manage enable on the replica, then re-hide the replica with ipa server-state $HOSTNAME --state=hidden.

HTH,
flo

On Fri, Nov 18, 2022 at 4:34 AM Grant Janssen via FreeIPA-users <[email protected]> wrote:

> Building a radius server, and decided this was an ideal application for a hidden replica.
> I got some errors in the replica install, and the consistency check does not show a ghost replica (but does show my radius host in Replication Status.)
> I run external DNS, this radius host only has A and PTR records.
>
> grant@radius01:~[20221117-13:45][#89]$ sudo ipa-replica-install --setup-ca --hidden-replica
> Password for [email protected]: *************
>
> WARNING: 376 existing users or groups do not have a SID identifier assigned.
> Installer can run a task to have ipa-sidgen Directory Server plugin generate
> the SID identifier for all these users. Please note, in case of a high
> number of users and groups, the operation might lead to high replication
> traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
> for details.
>
> Do you want to run the ipa-sidgen task? [no]: no
> Run connection check to master
> Connection check OK
> -snip-
>   [28/30]: importing IPA certificate profiles
> Lookup failed: Preferred host radius01.production.efilm.com does not provide CA.
> Lookup failed: Preferred host radius01.production.efilm.com does not provide CA.
> Failed to import profile 'acmeIPAServerCert': Request failed with status 500: Non-2xx response from CA REST API: 500. . Running ipa-server-upgrade when installation is completed may resolve this issue.
>   [29/30]: configuring certmonger renewal for lightweight CAs
>   [30/30]: deploying ACME service
> Done configuring certificate server (pki-tomcatd).
> Configuring Kerberos KDC (krb5kdc)
>   [1/1]: installing X509 Certificate for PKINIT
> PKINIT certificate request failed: Certificate issuance failed (CA_REJECTED: Server at https://ef-idm01.production.efilm.com/ipa/json failed request, will retry: 903 (an internal error has occurred).)
> Failed to configure PKINIT
> Full PKINIT configuration did not succeed
> The setup will only install bits essential to the server functionality
> You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> Done configuring Kerberos KDC (krb5kdc).
> Applying LDAP updates
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
> -snip-
>   [7/7]: adding fallback group
> Fallback group already set, nothing to do
> Done.
> The ipa-replica-install command was successful
> grant@radius01:~[20221117-13:51][#90]$
>
>
> check consistency
>
> grant@radius01:~[20221117-13:53][#92]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W *************
> FreeIPA servers:     ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
> =========================================================================
> Active Users         349         349         349         349         OK
> Stage Users          7           7           7           7           OK
> Preserved Users      5           5           5           5           OK
> User Groups          42          42          42          42          OK
> Hosts                423         423         423         423         OK
> Host Groups          23          23          23          23          OK
> HBAC Rules           9           9           9           9           OK
> SUDO Rules           35          35          35          35          OK
> DNS Zones            ERROR       ERROR       ERROR       ERROR       OK
> LDAP Conflicts       NO          NO          NO          NO          OK
> Ghost Replicas       NO          NO          NO          NO          OK
> Anonymous BIND       YES         YES         YES         YES         OK
> Replication Status   ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
>                      ef-idm03 0  ef-idm01 0  ef-idm01 0
>                      ef-idm04 0
>                      radius01 0
> =========================================================================
> grant@radius01:~[20221117-13:53][#93]$
>
>
> I executed ipa-server-upgrade as suggested
>
> grant@radius01:~[20221117-16:09][#88]$ sudo ipa-server-upgrade
> [sudo] password for grant:
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/11]: stopping directory server
>   [2/11]: saving configuration
>   [3/11]: disabling listeners
>   [4/11]: enabling DS global lock
>   [5/11]: disabling Schema Compat
>   [6/11]: starting directory server
>   [7/11]: updating schema
>   [8/11]: upgrading server
> Add failure attribute "cn" not allowed
>   [9/11]: stopping directory server
>   [10/11]: restoring configuration
>   [11/11]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> -snip-
> Migrating profile 'caAuditSigningCert'
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> [Updating ACME configuration]
> [Migrating to authselect profile]
> [Create systemd-user hbac service and rule]
> hbac service systemd-user already exists
> [Add [email protected] alias to admin account]
> Added '[email protected]' alias to admin account
> [Setup SPAKE]
> [Setup PKINIT]
> [Enable server krb5.conf snippet]
> [Setup kpasswd_server]
> [Adding ipa-ca alias to HTTP certificate]
> Resubmitting HTTP cert tracking request
> The IPA services were upgraded
> The ipa-server-upgrade command was successful
> grant@radius01:~[20221117-16:11][#89]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W *************
> FreeIPA servers:     ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
> =========================================================================
> Active Users         349         349         349         349         OK
> Stage Users          7           7           7           7           OK
> Preserved Users      5           5           5           5           OK
> User Groups          42          42          42          42          OK
> Hosts                423         423         423         423         OK
> Host Groups          23          23          23          23          OK
> HBAC Rules           9           9           9           9           OK
> SUDO Rules           35          35          35          35          OK
> DNS Zones            ERROR       ERROR       ERROR       ERROR       OK
> LDAP Conflicts       NO          NO          NO          NO          OK
> Ghost Replicas       NO          NO          NO          NO          OK
> Anonymous BIND       YES         YES         YES         YES         OK
> Replication Status   ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
>                      ef-idm03 0  ef-idm01 0  ef-idm01 0
>                      ef-idm04 0
>                      radius01 0
> =========================================================================
> grant@radius01:~[20221117-16:11][#90]$
>
>
> My version of ipa_check_consistency
>
> grant@radius01:~[20221117-16:16][#93]$ grep APP_VER /usr/local/bin/ipa_check_consistency
> readonly APP_VER="17.2.21a"
>     printf "%s version %s\n" "$APP_NAME" "$APP_VER"
> grant@radius01:~[20221117-16:16][#94]$
>
>
> I reviewed the installation again, then executed ipa-pkinit-manage
>
> grant@radius01:~[20221117-16:29][#91]$ sudo ipa-pkinit-manage status
> PKINIT is disabled
> The ipa-pkinit-manage command was successful
> grant@radius01:~[20221117-16:29][#92]$ sudo ipa-pkinit-manage enable
> Configuring Kerberos KDC (krb5kdc)
>   [1/1]: installing X509 Certificate for PKINIT
> PKINIT certificate request failed: Certificate issuance failed (CA_REJECTED: Server at https://ef-idm01.production.efilm.com/ipa/json denied our request, giving up: 2100 (Insufficient access: Host 'radius01.production.efilm.com' is not an active KDC).)
> Failed to configure PKINIT
> Full PKINIT configuration did not succeed
> The setup will only install bits essential to the server functionality
> You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> Done configuring Kerberos KDC (krb5kdc).
> The ipa-pkinit-manage command was successful
> grant@radius01:~[20221117-16:30][#93]$
>
>
> Are SRV records REQUIRED for PKINIT to succeed?
>
> thanx
>
> - grant
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
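The workaround flo describes, wrapped in a script (an added example, not code from the thread or from FreeIPA): it un-hides the replica, runs ipa-pkinit-manage enable, and re-hides the replica on exit whichever way the enable step goes, so it is never left advertised. Because ipa-pkinit-manage printed "command was successful" even though PKINIT setup failed in the run quoted above, the outcome is read from the tool's output rather than its exit status; the script assumes root and an existing admin ticket (kinit admin), and the sample outputs in it are constructed and shortened.

```shell
#!/bin/sh
# Workaround for FreeIPA bug 2132047 on a hidden replica (added example):
# un-hide, run ipa-pkinit-manage enable, re-hide on exit even on failure.
# Assumes root and a valid admin Kerberos ticket (kinit admin).
set -eu

# ipa-pkinit-manage reports "command was successful" even when PKINIT setup
# failed (see the thread), so the outcome must be read from its output.
pkinit_enable_failed() {
    printf '%s\n' "$1" | grep -q 'Failed to configure PKINIT'
}

# The 2100 "is not an active KDC" rejection is what a hidden replica gets.
hidden_kdc_rejection() {
    printf '%s\n' "$1" | grep -q 'is not an active KDC'
}

# True when `ipa-pkinit-manage status` reports PKINIT enabled.
pkinit_status_enabled() {
    printf '%s\n' "$1" | grep -q 'PKINIT is enabled'
}

run_workaround() {
    fqdn="$1"
    ipa server-state "$fqdn" --state=enabled
    # Re-hide no matter how the enable step ends (error, Ctrl-C, success).
    trap 'ipa server-state "$fqdn" --state=hidden' EXIT
    out=$(ipa-pkinit-manage enable 2>&1) || true
    printf '%s\n' "$out"
    if hidden_kdc_rejection "$out"; then
        echo "CA still treats $fqdn as hidden; verify server-state" >&2
        return 1
    fi
    if pkinit_enable_failed "$out"; then
        echo "PKINIT enable failed for another reason, see output" >&2
        return 1
    fi
    pkinit_status_enabled "$(ipa-pkinit-manage status 2>&1)"
}

# Constructed sample outputs (shortened from the thread) for checking the
# parsers offline; real tool output is longer.
SAMPLE_REJECTED='PKINIT certificate request failed: Certificate issuance failed (CA_REJECTED: denied our request, giving up: 2100 (Insufficient access: Host radius01.example.test is not an active KDC).)
Failed to configure PKINIT
The ipa-pkinit-manage command was successful'
SAMPLE_STATUS_OK='PKINIT is enabled
The ipa-pkinit-manage command was successful'

case "${1:-}" in --run) run_workaround "${2:-$(hostname -f)}" ;; esac
```

Run it on the hidden replica as `sh workaround.sh --run $(hostname -f)`; without `--run` it only defines the functions, which is what lets the parsers be checked away from an IPA server.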
