Spoke too soon. Though the routine reported success, in the log we have:

Updating DNS system records
ipapython.dnsutil: ERROR DNS query for directory1.ri.mamabosso.com. 1 failed: The DNS operation timed out after 30.0014941692 seconds
ipaserver.dns_data_management: ERROR unable to resolve host name directory1.ri.XXX.com. to IP address, ipa-ca DNS record will be incomplete
Configuring client side components
...
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
  [try 1]: Forwarding 'host_mod' to json server 'https://directory1.ri.XXX.com/ipa/session/json'
Could not update DNS SSHFP records.
and then, what is in fact an error though the text says otherwise:

The ipa-client-install command was successful.

So, in bindinstance.py, after "import time", added "import psutil", and just before

    system_records = IPASystemRecords(self.api)

added

    while psutil.cpu_percent() > 5:
        time.sleep(2)

and .. that didn't work. Same error.

Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
ipapython.dnsutil: ERROR DNS query for directory1.ri.xxxx.com. 1 failed: The DNS operation timed out after 30.000576973 seconds
ipaserver.dns_data_management: ERROR unable to resolve host name directory1.ri.xxx.com. to IP address, ipa-ca DNS record will be incomplete
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: directory1.ri.xxx.com
Realm: RI.XXXX.COM
DNS Domain: ri.xxxx.com
IPA Server: directory1.ri.xxxx.com
BaseDN: dc=ri,dc=xxxxxxx,dc=com
Skipping attempt to configure and synchronize time with chrony server as it has been already done on master.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://directory1.ri.xxx.com/ipa/json
  [try 1]: Forwarding 'ping' to json server 'https://directory1.ri.xxxx.com/ipa/json'
  [try 1]: Forwarding 'ca_is_enabled' to json server 'https://directory1.ri.xxxx.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
  [try 1]: Forwarding 'host_mod' to json server 'https://directory1.ri.xxxx.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1627371

Title:
  Timing problems with FreeIPA installation

Status in dogtag-pki package in Ubuntu:
  Confirmed
Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  While installing FreeIPA I came across two situations that turned out to be timing problems. In both cases, the installation procedure was attempting to access the certificate server immediately after a restart, and the server was not listening.

  The first one is at step 10 of "Configuring certificate server (pki_tomcatd)":

    [10/28]: importing CA chain to RA certificate database
    [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
  ipa.ipapython.install.cli.install_tool(Server): ERROR Unable to retrieve CA chain: [Errno 111] Connection refused

  The second is at step 25:

    [25/28]: migrating certificate profiles to LDAP
    [error] NetworkError: cannot connect to 'https://server.name:8443/ca/rest/account/login': Could not connect to server.name using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.

  My solution was to add a delay at the top of the functions for those steps.

def __import_ca_chain(self): + ##====================== + # Add wait time to allow certificate server to start up + # + time.sleep(10) chain = self.__get_ca_chain() ... def migrate_profiles_to_ldap(): """Migrate profiles from filesystem to LDAP. This must be run *after* switching to the LDAPProfileSubsystem and restarting the CA. The profile might already exist, e.g. 
if a replica was already upgraded, so this case is ignored. """ + ##====================== + # Add wait time to allow certificate server to start up + # + time.sleep(20) ensure_ldap_profiles_container()

  It might be necessary to adjust the sleep time.

  These bugs are intermittent and they may not appear at all. In my case, one KVM machine had no problems whatsoever while another had problems at the "migrate profiles ..." step. Both problems showed up on one Raspberry Pi. There were also time differences between runs. So, one needs to be _very_ patient.

  This is all on Ubuntu Xenial. freeipa-server 4.3.1-0ubuntu1. The Raspberry Pi is a Pi 2B.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1627371/+subscriptions
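Review bot: the fixed time.sleep(10) at the top of __import_ca_chain() papers over the race instead of closing it. The report itself says the value "might" need adjusting and that the Raspberry Pi needed longer, so on a slow host the CA can still be down after 10 s, while on a fast host every install now pays the full 10 s for nothing. Replace the sleep with a bounded retry around self.__get_ca_chain(): catch the "[Errno 111] Connection refused" error, sleep a short interval, and re-raise the same RuntimeError only once a deadline has passed, so the step proceeds the moment the listener is up and fails with a clear message when it never comes up.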
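Review bot: the time.sleep(20) placed after the docstring of migrate_profiles_to_ldap() has no stated reason for being twice the value used in the first hunk, and the failure it targets is logged as "Could not connect to server.name using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR)" rather than a refused connection, so it is not established that waiting longer is what this step needs. Put the check where the dependency is: before calling ensure_ldap_profiles_container(), poll the CA endpoint the step actually uses, https://server.name:8443/ca/rest/account/login (or at minimum a TCP connect to port 8443), until it answers or a deadline expires, and state that bound in the comment so the "adjust the sleep time" guesswork goes away.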
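Both workarounds discussed above (a fixed time.sleep() before the step, and a loop that waits for psutil.cpu_percent() to drop) guess at readiness instead of checking it; note also that psutil.cpu_percent() called with no interval returns 0.0 on its first call, so that loop exits immediately. The example below is added here and is not FreeIPA or dogtag code: it shows the shape of a readiness wait that polls the listener the next step depends on, gives up after a deadline, and otherwise continues as soon as the port accepts a connection. The host and port, and the delayed loopback listener that stands in for a restarting CA, are constructed for the demo.

```python
"""Bounded readiness wait, as an alternative to a fixed time.sleep().

Added example, not FreeIPA or dogtag code. It polls a TCP listener until a
connection is accepted or a deadline passes, which is what an install step
that runs right after a CA restart needs. The host, port and the simulated
slow-starting service below are assumptions made for the demo.
"""
import socket
import threading
import time


def wait_for_listener(host, port, deadline_s=60.0, interval_s=0.5):
    """Return the seconds waited once (host, port) accepts a TCP connection,
    or None if it has not done so within deadline_s.

    Every attempt uses a short connect timeout so a host that silently drops
    SYNs (instead of refusing) cannot stall the loop past the deadline.
    """
    started = time.monotonic()
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval_s):
                return time.monotonic() - started
        except OSError:
            # ECONNREFUSED (nothing listening yet), connect timeout, or a
            # name-resolution failure all mean "not ready": keep polling.
            pass
        if time.monotonic() - started >= deadline_s:
            return None
        time.sleep(interval_s)


def start_listener_after(delay_s):
    """Simulate a service that takes delay_s to come up (constructed for the
    demo): bind a loopback port now, so the caller knows which port to poll,
    but only call listen() after the delay. Connects before that are refused.
    Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def run():
        time.sleep(delay_s)
        srv.listen(1)
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def unused_loopback_port():
    """Pick a loopback port nothing is listening on (constructed for the demo):
    bind an ephemeral port, read its number, and release it again."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # A service that comes up after one second: the wait returns as soon as
    # the listener is there, not after an arbitrary fixed delay.
    port, _ = start_listener_after(1.0)
    print("listener ready after %.2f s" % wait_for_listener("127.0.0.1", port, deadline_s=10))
    # A port that never opens: the wait gives up at the deadline instead of
    # letting the caller run into "Connection refused".
    print("never-opened port ->", wait_for_listener("127.0.0.1", unused_loopback_port(), deadline_s=2))
```

In an installer the call sits directly before the dependent step, e.g. wait on the CA's 8443 listener and raise a clear error if it returns None; a TCP connect only proves the socket is open, so where the step talks to a specific HTTPS endpoint the same loop should be run against that request instead.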