[Freeipa-users] Re: locale de_DE.UTF-8 and internel error
Alexander Bokovoy via FreeIPA-users writes: > I think you can remove _() in local handler() function in > _ensure_last_of_role(): > > else: > raise errors.ServerRemovalError(reason=_(msg)) > > Looks like all the callers give already gettext-enabled message (wrapped > with _() already). > > Can you submit a pull request with that? Please have a look at https://github.com/freeipa/freeipa/pull/6097 Jochen -- This space is intentionally left blank. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-users] Re: locale de_DE.UTF-8 and internel error
Hello Alexander, Alexander Bokovoy via FreeIPA-users writes: > On su, 21 marras 2021, Jochen Kellner via FreeIPA-users wrote: >> >>Hi, >> >>I tried removing a replica and got an internal error: >> >>jochen@freeipa1:~$ ipa server-del freeipa4.example.org >>Removing freeipa4.example.org from replication topology, please wait... >>ipa: ERROR: Ein interner Fehler ist aufgetreten >> ... >>] File "/usr/lib64/python3.10/gettext.py", line 498, in gettext >>] tmsg = self._catalog.get(message, missing) >>] TypeError: unhashable type: 'Gettext' >>] ipa: INFO: [jsonserver_session] ad...@example.org: >> server_del/1(['freeipa4.example.org'], version='2.245'): >> InternalError > I think you can remove _() in local handler() function in > _ensure_last_of_role(): > > else: > raise errors.ServerRemovalError(reason=_(msg)) > > Looks like all the callers give already gettext-enabled message (wrapped > with _() already). > > Can you submit a pull request with that? That seems to work. I'll prepare a pull request. Jochen -- This space is intentionally left blank. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-users] Re: locale de_DE.UTF-8 and internel error
On su, 21 marras 2021, Jochen Kellner via FreeIPA-users wrote: Hi, I tried removing a replica and got an internal error: jochen@freeipa1:~$ ipa server-del freeipa4.example.org Removing freeipa4.example.org from replication topology, please wait... ipa: ERROR: Ein interner Fehler ist aufgetreten I'm running with LANG=de_DE.UTF-8. Using en_US.UTF-8 would be ok. In the httpd error_log: ] ipa: ERROR: non-public: TypeError: unhashable type: 'Gettext' ] Traceback (most recent call last): ] File "/usr/lib/python3.10/site-packags/ipaserver/rpcserver.py", line 407, in wsgi_execute ] result = command(*args, **options) ] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__ ] return self.__do_call(*args, **options) ] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call ] ret = self.run(*args, **options) ] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 821, in run ] return self.execute(*args, **options) ] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute ] delete_entry(pkey) ] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1637, in delete_entry ] dn = callback(self, ldap, dn, *nkeys, **options) ] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 755, in pre_callback ] self._ensure_last_of_role( ] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 520, in _ensure_last_of_role ] handler( ] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 482, in handler ] raise errors.ServerRemovalError(reason=_(msg)) ] File "/usr/lib/python3.10/site-packages/ipalib/errors.py", line 269, in __init__ ] messages.process_message_arguments(self, format, message, **kw) ] File "/usr/lib/python3.10/site-packages/ipalib/messages.py", line 55, in process_message_arguments ] kw[key] = unicode(value) ] File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 296, in __str__ ] return unicode(self.as_unicode()) ] File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 293, in as_unicode ] return t.gettext(self.msg) ] File "/usr/lib64/python3.10/gettext.py", line 498, in gettext ] tmsg = self._catalog.get(message, missing) ] TypeError: unhashable type: 'Gettext' ] ipa: INFO: [jsonserver_session] ad...@example.org: server_del/1(['freeipa4.example.org'], version='2.245'): InternalError Other commands like "ipa server-role-find --server=freeipa4.example.org" work ok and display translated messaged. Any ideas? I think you can remove _() in local handler() function in _ensure_last_of_role(): else: raise errors.ServerRemovalError(reason=_(msg)) Looks like all the callers give already gettext-enabled message (wrapped with _() already). Can you submit a pull request with that? -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-users] locale de_DE.UTF-8 and internel error
Hi, I tried removing a replica and got an internal error: jochen@freeipa1:~$ ipa server-del freeipa4.example.org Removing freeipa4.example.org from replication topology, please wait... ipa: ERROR: Ein interner Fehler ist aufgetreten I'm running with LANG=de_DE.UTF-8. Using en_US.UTF-8 would be ok. In the httpd error_log: ] ipa: ERROR: non-public: TypeError: unhashable type: 'Gettext' ] Traceback (most recent call last): ] File "/usr/lib/python3.10/site-packags/ipaserver/rpcserver.py", line 407, in wsgi_execute ] result = command(*args, **options) ] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__ ] return self.__do_call(*args, **options) ] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call ] ret = self.run(*args, **options) ] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 821, in run ] return self.execute(*args, **options) ] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute ] delete_entry(pkey) ] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1637, in delete_entry ] dn = callback(self, ldap, dn, *nkeys, **options) ] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 755, in pre_callback ] self._ensure_last_of_role( ] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 520, in _ensure_last_of_role ] handler( ] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 482, in handler ] raise errors.ServerRemovalError(reason=_(msg)) ] File "/usr/lib/python3.10/site-packages/ipalib/errors.py", line 269, in __init__ ] messages.process_message_arguments(self, format, message, **kw) ] File "/usr/lib/python3.10/site-packages/ipalib/messages.py", line 55, in process_message_arguments ] kw[key] = unicode(value) ] File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 296, in __str__ ] return unicode(self.as_unicode()) ] File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 293, in as_unicode ] return t.gettext(self.msg) ] File "/usr/lib64/python3.10/gettext.py", line 498, in gettext ] tmsg = self._catalog.get(message, missing) ] TypeError: unhashable type: 'Gettext' ] ipa: INFO: [jsonserver_session] ad...@example.org: server_del/1(['freeipa4.example.org'], version='2.245'): InternalError Other commands like "ipa server-role-find --server=freeipa4.example.org" work ok and display translated messaged. Any ideas? Jochen -- This space is intentionally left blank. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-users] Deleting this server is not allowed as it would leave your installation without a KRA.
Hi, I'm about to decomission one of my IPA replicas running on up to date fedora 35 (freeipa-server-common-4.9.7-4.fc35.noarch). On my CA renewal master (freeipa1.example.org) I try to remove freeipa4.example.org: [root@freeipa1 ~]# ipa server-del freeipa4.example.org Removing freeipa4.example.org from replication topology, please wait... ipa: ERROR: Server removal aborted: Deleting this server is not allowed as it would leave your installation without a KRA.. I think the message is wrong: [root@freeipa1 ~]# ipa server-role-find --role="KRA server" --status=enabled -- 4 server roles matched -- Server name: freeipa1.example.org Role name: KRA server Role status: enabled Server name: freeipa2.example.org Role name: KRA server Role status: enabled Server name: freeipa3.example.org Role name: KRA server Role status: enabled Server name: freeipa4.example.org Role name: KRA server Role status: enabled Number of entries returned 4 I had a took at plugins/server.py: 509 if self.api.Command.ca_is_enabled()['result']: 510 try: 511 roles = self.api.Command.server_role_find( 512 server_server=hostname, => Do we really need to search for the hostname here? We will always find out that there is only one server left... When I remove that parameter deletion would continue - but I didn't really run the rest of the deletion yet. ipa server-role-find --server=freeipa4.example.org --role="KRA server" really returns one entry. 513 role_servrole='KRA server', 514 status='enabled', 515 include_master=True, 516 )['result'] 517 except errors.NotFound: 518 roles = () 519 if len(roles) == 1 and roles[0]['server_server'] == hostname: 520 handler( 521 _("Deleting this server is not allowed as it would " 522 "leave your installation without a KRA."), 523 ignore_last_of_role) The commit that added the code was https://github.com/freeipa/freeipa/commit/10bd66dd1a14fc0bd39c489d0d0af76b0f720c96 and should fix https://pagure.io/freeipa/issue/8397 Do I miss something else? Jochen -- This space is intentionally left blank. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-users] Re: ipa-healthcheck mentions/complains about a non-existent master - ?
Hi, you are probably hitting issue https://github.com/dogtagpki/pki/issues/3608 / https://pagure.io/freeipa/issue/8582 The healthcheck tool is using the 'subsystemCert cert-pki-ca' cert from /var/lib/pki/pki-tomcat/alias/ to authenticate to pki and find the kra key, but it seems that this is not enough to allow access to the key. On Thu, Nov 18, 2021 at 10:11 PM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > On 17/11/2021 15:23, Rob Crittenden wrote: > > lejeczek via FreeIPA-users wrote: > >> > >> On 16/11/2021 23:06, Rob Crittenden wrote: > >>> lejeczek via FreeIPA-users wrote: > Hi guys. > > A domain seemingly healthy except for this one 'weir' thing: > > -> $ ipa-healthcheck > keyctl_search: Required key not available > Enter password for Internal Key Storage Token: > Internal server error HTTPSConnectionPool(host='sucker.priv.mine', > port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 > (Caused by > NewConnectionError(' at 0x7f888355c278>: Failed to establish a new connection: [Errno 111] > Connection refused',)) > ... > > This master has not been part of the domain for long time and does not > appear anywhere else in the tools - how to safely 'clean it up'? > >>> IPA wasn't cleaning up the security domain in the CA. The CA added a > >>> healthcheck to test all of them, hence the error. > >>> > >>> Instructions for manual removal are at the end of > >>> https://bugzilla.redhat.com/show_bug.cgi?id=1740702 > >>> > >>> rob > >>> > >> Thanks for that, it helped. > >> May I ask also - same 'ipa-healthcheck' is not happy of: > >> > >> -> $ ipa-healthcheck > >> keyctl_search: Required key not available > >> Enter password for Internal Key Storage Token: > >> Internal error testing KRA clone. KRA clone problem detected Host: > >> love.priv.mine Port: 443 > >> [ > >>{ > >> "source": "pki.server.healthcheck.clones.connectivity_and_data", > >> "check": "ClonesConnectivyAndDataCheck", > >> "result": "ERROR", > >> "uuid": "6e940ba0-0adb-44cd-b033-d8a6ae04f171", > >> "when": "2027101614Z", > >> "duration": "9.653949", > >> "kw": { > >>"status": "ERROR: pki-tomcat : Internal error testing KRA clone. > >> Host: love.priv.mine Port: 443" > >> } > >>}, > >>{ > >> "source": "ipahealthcheck.ipa.certs", > >> "check": "IPACertmongerExpirationCheck", > >> "result": "ERROR", > >> "uuid": "3bf0864d-6c9c-4a1e-a92a-78820ca73284", > >> "when": "2027101616Z", > >> "duration": "0.061626", > >> "kw": { > >>"key": "2025172801", > >>"msg": "certmonger request id {key} does not have a > >> not-valid-after date, assuming it has not been issued yet." > >> } > >>}, > >> > >> a) that master was remove in orderly manner, then reinstalled, yet IPA > >> still thinks it's a KRA? (no KRA there) > >> b) I'm not sure about that at all > > The KRA is the same issue as before, just a different service. You can > > use the pki command to clean it up. > I wonder if there is more to it than what I thought... > 'role' shows that that master should be 'kra', on the master > in question: > > -> $ ipa-healthcheck > Internal error testing KRA clone. 'NoneType' object has no > attribute 'config' > [ >{ > "source": > "pki.server.healthcheck.clones.connectivity_and_data", > "check": "ClonesConnectivyAndDataCheck", > "result": "ERROR", > "uuid": "7cd9f4c7-8436-4daa-a37f-5c4176f26124", > "when": "2028205801Z", > "duration": "1.040107", > "kw": { >"status": "ERROR: pki-tomcat : Internal error > testing KRA clone. Host: love.ccnr.ceb.private.cam.ac.uk > Port: 443" > } >} > ] > > pki-tomcat log shows: > "POST /ca/rest/certs/search?size=3 HTTP/1.1" 200 2008 > > Something wrong with ldap here? > > many thanks, L. > > > You'd need to run: getcert list -i 2025172801 to know what is going > > on with this certificate. I'm guessing it is a failed request. > > > > rob > > > ___ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: