I'm facing a problem while trying to set up a replica of our main FreeIPA server. We're planning to migrate from an old server to a new one. ipa-replica-install and ipa-dns-install run without issue, but the problem arises when I try to use the ipa-ca-install command. The command fails at the connection check phase with this output:

$ ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.

Logs of /var/log/ipa-replica-conncheck.log

2023-06-27T14:25:28Z DEBUG Ports opened, notify original thread
2023-06-27T14:25:28Z DEBUG Original thread resumed
2023-06-27T14:25:28Z INFO Get credentials to log in to remote master
2023-06-27T14:25:28Z DEBUG KRB5CCNAME set to /tmp/krbcc2_1ny8e1/ccache
2023-06-27T14:25:28Z INFO Check RPC connection to remote master
2023-06-27T14:25:28Z DEBUG Starting external process
2023-06-27T14:25:28Z DEBUG args=['/usr/bin/certutil', '-d', '/tmp/tmp66e_2bfv', '-N', '-f', '/tmp/tmp66e_2bfv/pwdfile.txt', '-@', '/tmp/tmp66e_2bfv/pwdfile.txt']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/cert9.db']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/cert9.db
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/key4.db']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/key4.db
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/pkcs11.txt']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/pkcs11.txt
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/sbin/restorecon', '-F', '/tmp/tmp66e_2bfv/pwdfile.txt']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=Warning no default label for /tmp/tmp66e_2bfv/pwdfile.txt
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG Starting external process
2023-06-27T14:25:29Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp66e_2bfv', '-A', '-n', 'CN=Certificate Authority,O=EXAMPLE.COM', '-t', 'C,,', '-a', '-f', '/tmp/tmp66e_2bfv/pwdfile.txt']
2023-06-27T14:25:29Z DEBUG Process finished, return code=0
2023-06-27T14:25:29Z DEBUG stdout=
2023-06-27T14:25:29Z DEBUG stderr=
2023-06-27T14:25:29Z DEBUG importing all plugin modules in ipaclient.remote_plugins.schema$8182589c...
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.remote_plugins.schema$8182589c.plugins
2023-06-27T14:25:29Z DEBUG importing all plugin modules in ipaclient.plugins...
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.automember
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.automount
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.ca
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.cert
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.certmap
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.certprofile
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.dns
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.hbacrule
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.hbactest
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.host
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.idrange
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.internal
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.location
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.migration
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.misc
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.otptoken
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.otptoken_yubikey
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.passwd
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.permission
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.rpcclient
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.server
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.service
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.sudorule
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.topology
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.trust
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.user
2023-06-27T14:25:29Z DEBUG importing plugin module ipaclient.plugins.vault
2023-06-27T14:25:30Z DEBUG failed to find session_cookie in persistent storage for principal 'host/replica1.example....@example.com'
2023-06-27T14:25:30Z DEBUG trying https://ipa01.example.com/ipa/json
2023-06-27T14:25:30Z DEBUG New HTTP connection (ipa01.example.com)
2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
2023-06-27T14:25:31Z INFO Connection to https://ipa01.example.com/ipa/json failed with Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
2023-06-27T14:25:31Z DEBUG trying https://replica1.example.com/ipa/json
2023-06-27T14:25:31Z DEBUG New HTTP connection (replica1.example.com)
2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
2023-06-27T14:25:31Z DEBUG Created connection context.rpcclient_140381866522064
2023-06-27T14:25:31Z DEBUG raw: ping(version='2.251')
2023-06-27T14:25:31Z DEBUG ping(version='2.251')
2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'ping/1' to json server 'https://replica1.example.com/ipa/json'
2023-06-27T14:25:31Z DEBUG HTTP connection keep-alive (replica1.example.com)
2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
2023-06-27T14:25:31Z INFO Execute check on remote master
2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'server_conncheck' to json server 'https://replica1.example.com/ipa/json'
2023-06-27T14:25:31Z DEBUG HTTP connection keep-alive (replica1.example.com)
2023-06-27T14:25:31Z DEBUG [details redacted for brevity]
2023-06-27T14:25:31Z DEBUG Destroyed connection context.rpcclient_140381866522064
2023-06-27T14:25:31Z ERROR ERROR: Remote master check failed with following error message(s): invalid 'cn': must be "replica1.example.com"

I don't know how to debug this. I have searched the web for similar issues, and the only one I have managed to find is this one: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/OWPUGD7OLDGXMRCKWZUH6U3TJB5HZROX/ . The problem is similar but not the same as the one I have, so it did not help me much. I would greatly appreciate any suggestions or advice on how to resolve this problem.

Sincerely,
Arne
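
An added example, not part of the original post and not FreeIPA code: a small Python filter for the conncheck log format shown in the post that lists which JSON-RPC endpoints were tried, which of them failed and why, where each command was forwarded, and the ERROR entries. The function names and the embedded sample (built from lines in the post) are assumptions of this example.

```python
import re

# Constructed sample in the conncheck log format shown in the post above;
# hostnames are the post's example.com placeholders. The last entry is split
# over two lines on purpose to exercise continuation handling.
SAMPLE_LOG = """\
2023-06-27T14:25:28Z INFO Check RPC connection to remote master
2023-06-27T14:25:30Z DEBUG trying https://ipa01.example.com/ipa/json
2023-06-27T14:25:31Z INFO Connection to https://ipa01.example.com/ipa/json failed with Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
2023-06-27T14:25:31Z DEBUG trying https://replica1.example.com/ipa/json
2023-06-27T14:25:31Z DEBUG [try 1]: Forwarding 'server_conncheck' to json server 'https://replica1.example.com/ipa/json'
2023-06-27T14:25:31Z ERROR ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "replica1.example.com"
"""

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
                   r"(DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")
TRYING = re.compile(r"^trying (https://\S+)")
FAILED = re.compile(r"^Connection to (https://\S+) failed with (.*)")
FORWARD = re.compile(r"Forwarding '([^']+)' to json server '([^']+)'")

def parse_entries(text):
    """Return (timestamp, level, message) tuples; a line without a
    timestamp is treated as a continuation of the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3)])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]

def summarize(text):
    """Collect endpoints tried, failures, forwarded commands and errors."""
    tried, failed, forwarded, errors = [], {}, [], []
    for _ts, level, msg in parse_entries(text):
        if (m := TRYING.match(msg)):
            tried.append(m.group(1))
        elif (m := FAILED.match(msg)):
            failed[m.group(1)] = m.group(2)
        elif (m := FORWARD.search(msg)):
            forwarded.append((m.group(1), m.group(2)))
        elif level in ("ERROR", "CRITICAL"):
            errors.append(msg)
    return {"tried": tried, "failed": failed,
            "forwarded": forwarded, "errors": errors}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

On the lines taken from the post, the summary shows that `server_conncheck` was forwarded to `https://replica1.example.com/ipa/json` after the attempt against `https://ipa01.example.com/ipa/json` failed with "Credential cache is empty".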