Hi,

I believe you are hitting a known issue:
2132047 <https://bugzilla.redhat.com/show_bug.cgi?id=2132047> Check hidden
status for PKINIT certificate creation

The workaround is to set the replica as not hidden (ipa server-state
$HOSTNAME --state=enabled), re-run ipa-pkinit-manage enable on the replica,
then re-hide the replica with ipa server-state $HOSTNAME --state=hidden.
HTH,
flo
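Wrapping that workaround in a script, as an added example that is not from this thread: the point is that the replica is put back into hidden state even when ipa-pkinit-manage fails partway (as it did above), rather than being left enabled. It assumes the caller already holds an admin Kerberos ticket; IPA_CMD and PKINIT_CMD are hypothetical overrides (defaulting to ipa and ipa-pkinit-manage) so the flow can be exercised with stubs.

```shell
#!/bin/sh
# Added example, not part of the original thread. Implements the workaround
# "un-hide, ipa-pkinit-manage enable, re-hide" with a guaranteed re-hide.
# Assumption: IPA_CMD / PKINIT_CMD may be overridden for testing.
IPA_CMD="${IPA_CMD:-ipa}"
PKINIT_CMD="${PKINIT_CMD:-ipa-pkinit-manage}"

# Put the replica back into hidden state (the page's third command).
rehide_replica() {
    "$IPA_CMD" server-state "$1" --state=hidden
}

# Un-hide the replica, enable PKINIT, re-hide. Returns the exit status of
# "ipa-pkinit-manage enable" so the caller knows whether PKINIT really came up.
pkinit_enable_on_hidden_replica() {
    host="${1:-$(hostname -f)}"
    "$IPA_CMD" server-state "$host" --state=enabled || return $?
    # From here on the replica is advertised as enabled, so always re-hide,
    # even if the shell is interrupted while ipa-pkinit-manage is running.
    trap 'rehide_replica "$host"' EXIT INT TERM
    rc=0
    "$PKINIT_CMD" enable || rc=$?
    trap - EXIT INT TERM
    rehide_replica "$host" || return $?
    return "$rc"
}
```

Run it as `pkinit_enable_on_hidden_replica "$(hostname -f)"` on the hidden replica itself, and check the exit status before trusting that PKINIT is enabled.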

On Fri, Nov 18, 2022 at 4:34 AM Grant Janssen via FreeIPA-users <
[email protected]> wrote:

> Building a radius server, and decided this was an ideal application for a
> hidden replica.
> I got some errors in the replica install, and the consistency check does
> not show a ghost replica (but does show my radius host in Replication
> Status.)
> I run external DNS, this radius host has only A and PTR records.
>
> grant@radius01:~[20221117-13:45][#89]$ sudo ipa-replica-install
> --setup-ca --hidden-replica
> Password for [email protected]: *************
>
> WARNING: 376 existing users or groups do not have a SID identifier
> assigned.
> Installer can run a task to have ipa-sidgen Directory Server plugin
> generate
> the SID identifier for all these users. Please note, in case of a high
> number of users and groups, the operation might lead to high replication
> traffic and performance degradation. Refer to ipa-adtrust-install(1) man
> page
> for details.
>
> Do you want to run the ipa-sidgen task? [no]: no
> Run connection check to master
> Connection check OK
> -snip-
>   [28/30]: importing IPA certificate profiles
> Lookup failed: Preferred host radius01.production.efilm.com does not
> provide CA.
> Lookup failed: Preferred host radius01.production.efilm.com does not
> provide CA.
> Failed to import profile 'acmeIPAServerCert': Request failed with status
> 500: Non-2xx response from CA REST API: 500. . Running ipa-server-upgrade
> when installation is completed may resolve this issue.
>   [29/30]: configuring certmonger renewal for lightweight CAs
>   [30/30]: deploying ACME service
> Done configuring certificate server (pki-tomcatd).
> Configuring Kerberos KDC (krb5kdc)
>   [1/1]: installing X509 Certificate for PKINIT
> PKINIT certificate request failed: Certificate issuance failed
> (CA_REJECTED: Server at https://ef-idm01.production.efilm.com/ipa/json
> failed request, will retry: 903 (an internal error has occurred).)
> Failed to configure PKINIT
> Full PKINIT configuration did not succeed
> The setup will only install bits essential to the server functionality
> You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> Done configuring Kerberos KDC (krb5kdc).
> Applying LDAP updates
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
> -snip-
>   [7/7]: adding fallback group
> Fallback group already set, nothing to do
> Done.
> The ipa-replica-install command was successful
> grant@radius01:~[20221117-13:51][#90]$
>
>
> check consistency
>
> grant@radius01:~[20221117-13:53][#92]$ ipa_check_consistency -d
> PRODUCTION.EFILM.COM -W *************
> FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
> =========================================================================
> Active Users        349         349         349         349         OK
> Stage Users         7           7           7           7           OK
> Preserved Users     5           5           5           5           OK
> User Groups         42          42          42          42          OK
> Hosts               423         423         423         423         OK
> Host Groups         23          23          23          23          OK
> HBAC Rules          9           9           9           9           OK
> SUDO Rules          35          35          35          35          OK
> DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
> LDAP Conflicts      NO          NO          NO          NO          OK
> Ghost Replicas      NO          NO          NO          NO          OK
> Anonymous BIND      YES         YES         YES         YES         OK
> Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
>                     ef-idm03 0  ef-idm01 0  ef-idm01 0
>                     ef-idm04 0
>                     radius01 0
> =========================================================================
> grant@radius01:~[20221117-13:53][#93]$
>
>
> I executed ipa-server-upgrade as suggested
>
> grant@radius01:~[20221117-16:09][#88]$ sudo ipa-server-upgrade
> [sudo] password for grant:
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/11]: stopping directory server
>   [2/11]: saving configuration
>   [3/11]: disabling listeners
>   [4/11]: enabling DS global lock
>   [5/11]: disabling Schema Compat
>   [6/11]: starting directory server
>   [7/11]: updating schema
>   [8/11]: upgrading server
> Add failure attribute "cn" not allowed
>   [9/11]: stopping directory server
>   [10/11]: restoring configuration
>   [11/11]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> -snip-
> Migrating profile 'caAuditSigningCert'
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> [Updating ACME configuration]
> [Migrating to authselect profile]
> [Create systemd-user hbac service and rule]
> hbac service systemd-user already exists
> [Add [email protected] alias to admin account]
> Added '[email protected]' alias to admin account
> [Setup SPAKE]
> [Setup PKINIT]
> [Enable server krb5.conf snippet]
> [Setup kpasswd_server]
> [Adding ipa-ca alias to HTTP certificate]
> Resubmitting HTTP cert tracking request
> The IPA services were upgraded
> The ipa-server-upgrade command was successful
> grant@radius01:~[20221117-16:11][#89]$ ipa_check_consistency -d
> PRODUCTION.EFILM.COM -W *************
> FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    STATE
> =========================================================================
> Active Users        349         349         349         349         OK
> Stage Users         7           7           7           7           OK
> Preserved Users     5           5           5           5           OK
> User Groups         42          42          42          42          OK
> Hosts               423         423         423         423         OK
> Host Groups         23          23          23          23          OK
> HBAC Rules          9           9           9           9           OK
> SUDO Rules          35          35          35          35          OK
> DNS Zones           ERROR       ERROR       ERROR       ERROR       OK
> LDAP Conflicts      NO          NO          NO          NO          OK
> Ghost Replicas      NO          NO          NO          NO          OK
> Anonymous BIND      YES         YES         YES         YES         OK
> Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0
>                     ef-idm03 0  ef-idm01 0  ef-idm01 0
>                     ef-idm04 0
>                     radius01 0
> =========================================================================
> grant@radius01:~[20221117-16:11][#90]$
>
>
> My version of ipa_check_consistency
>
> grant@radius01:~[20221117-16:16][#93]$ grep APP_VER
> /usr/local/bin/ipa_check_consistency
> readonly APP_VER="17.2.21a"
>   printf "%s version %s\n" "$APP_NAME" "$APP_VER"
> grant@radius01:~[20221117-16:16][#94]$
>
>
> I reviewed the installation again, then executed ipa-pkinit-manage
>
> grant@radius01:~[20221117-16:29][#91]$ sudo ipa-pkinit-manage status
> PKINIT is disabled
> The ipa-pkinit-manage command was successful
> grant@radius01:~[20221117-16:29][#92]$ sudo ipa-pkinit-manage enable
> Configuring Kerberos KDC (krb5kdc)
>   [1/1]: installing X509 Certificate for PKINIT
> PKINIT certificate request failed: Certificate issuance failed
> (CA_REJECTED: Server at https://ef-idm01.production.efilm.com/ipa/json
> denied our request, giving up: 2100 (Insufficient access: Host '
> radius01.production.efilm.com' is not an active KDC).)
> Failed to configure PKINIT
> Full PKINIT configuration did not succeed
> The setup will only install bits essential to the server functionality
> You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> Done configuring Kerberos KDC (krb5kdc).
> The ipa-pkinit-manage command was successful
> grant@radius01:~[20221117-16:30][#93]$
>
>
> Are SRV records REQUIRED for PKINIT to succeed?
>
> thanx
>
> - grant
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>