[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates flo-renaud commented: """ I updated the patch for renewal lock with a new fix. The timeout needs to be increased, but the lock may also happen because the renewal scripts are run by certmonger during the cert request and should not (for instance for http cert the renewal script restarts httpd while the service is not completely configured). """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259803269 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates jcholast commented: """ Turns out the request does not time out in certmonger, but the 60 seconds wait in `request_and_wait_for_cert()` it too short. """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259692618 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates dkupka commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/7462adec13c5b25b6868d2863dc38062c97d0ff7 https://fedorahosted.org/freeipa/changeset/808b1436b4158cb6f926ac2b5bd0979df6ea7e9f """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259687145 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates flo-renaud commented: """ Thanks Fraser! The patch for renewal lock file deletion is available at https://github.com/freeipa/freeipa/pull/229 """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259678689 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates frasertweedale commented: """ Well I couldn't wait 'til tomorrow so I checked just then. I could not reproduce the issue :) """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259675725 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates frasertweedale commented: """ @jcholast sure, especially if it is related to renewal locks or some other tangential matter. ( @flo-renaud I have not yet confirmed the cause; will get to it tomorrow ) """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259673472 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates jcholast commented: """ Can we fix this in a separate PR to unblock the merge of this one? """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259671468 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates flo-renaud commented: """ Hi Fraser, can you check if the renewal lock was released after the last uninstallation? The file /var/run/ipa/renewal.lock should display something like ``` cat /var/run/ipa/renewal.lock [lock] locked = 0 ``` If it is showing instead that the lock is taken, then the install will fail on timeout. I wonder whether I should clean this file at the beginning of the installation, to avoid this specific issue. """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259630260 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates
frasertweedale commented:
"""
Although there are conflicts with `master`, there are problems when the patches
are rebased. Server installation (CA-ful) fails when requesting the RA
certificate.
```
2016-11-10T04:58:02Z DEBUG [16/30]: requesting RA certificate from CA
2016-11-10T04:58:02Z DEBUG Starting external process
2016-11-10T04:58:02Z DEBUG args=/usr/bin/openssl pkcs7 -inform DER -print_certs
-out /var/lib/ipa/tmpyozdnw
2016-11-10T04:58:02Z DEBUG Process finished, return code=0
2016-11-10T04:58:02Z DEBUG stdout=
2016-11-10T04:58:02Z DEBUG stderr=
2016-11-10T04:58:03Z DEBUG certmonger request is in state
dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2016-11-10T04:58:08Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:13Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:18Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:23Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:28Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:33Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:38Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:43Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:48Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:53Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:58Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:59:03Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
397, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
387, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
830, in __request_ra_certificate
post_command='renew_ra_cert')
File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 312, in
request_and_wait_for_cert
state = wait_for_request(reqId, timeout=60)
File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 601, in
wait_for_request
raise RuntimeError("request timed out")
RuntimeError: request timed out
```
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/219#issuecomment-259603552
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219
Title: #219: Refactor installer code requesting certificates
frasertweedale commented:
"""
Although there are no conflicts with `master`, there are problems when the
patches are rebased. Server installation (CA-ful) fails when requesting the RA
certificate.
```
2016-11-10T04:58:02Z DEBUG [16/30]: requesting RA certificate from CA
2016-11-10T04:58:02Z DEBUG Starting external process
2016-11-10T04:58:02Z DEBUG args=/usr/bin/openssl pkcs7 -inform DER -print_certs
-out /var/lib/ipa/tmpyozdnw
2016-11-10T04:58:02Z DEBUG Process finished, return code=0
2016-11-10T04:58:02Z DEBUG stdout=
2016-11-10T04:58:02Z DEBUG stderr=
2016-11-10T04:58:03Z DEBUG certmonger request is in state
dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2016-11-10T04:58:08Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:13Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:18Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:23Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:28Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:33Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:38Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:43Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:48Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:53Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:58:58Z DEBUG certmonger request is in state
dbus.String(u'SUBMITTING', variant_level=1)
2016-11-10T04:59:03Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
397, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
387, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
830, in __request_ra_certificate
post_command='renew_ra_cert')
File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 312, in
request_and_wait_for_cert
state = wait_for_request(reqId, timeout=60)
File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 601, in
wait_for_request
raise RuntimeError("request timed out")
RuntimeError: request timed out
```
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/219#issuecomment-259603552
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
