[Freeipa-users] Re: locale de_DE.UTF-8 and internel error

2021-11-21 Thread Jochen Kellner via FreeIPA-users
Alexander Bokovoy via FreeIPA-users writes:

> I think you can remove _() in local handler() function in
> _ensure_last_of_role():
>
> else:
>     raise errors.ServerRemovalError(reason=_(msg))
>
> Looks like all the callers give already gettext-enabled message (wrapped
> with _() already).
>
> Can you submit a pull request with that?

Please have a look at https://github.com/freeipa/freeipa/pull/6097

Jochen

-- 
This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: locale de_DE.UTF-8 and internel error

2021-11-21 Thread Jochen Kellner via FreeIPA-users

Hello Alexander,

Alexander Bokovoy via FreeIPA-users writes:

> On Sun, 21 Nov 2021, Jochen Kellner via FreeIPA-users wrote:
>>
>>Hi,
>>
>>I tried removing a replica and got an internal error:
>>
>>jochen@freeipa1:~$ ipa server-del freeipa4.example.org
>>Removing freeipa4.example.org from replication topology, please wait...
>>ipa: ERROR: Ein interner Fehler ist aufgetreten
>>
...
>>]   File "/usr/lib64/python3.10/gettext.py", line 498, in gettext
>>]     tmsg = self._catalog.get(message, missing)
>>] TypeError: unhashable type: 'Gettext'
>>] ipa: INFO: [jsonserver_session] ad...@example.org: server_del/1(['freeipa4.example.org'], version='2.245'): InternalError

> I think you can remove _() in local handler() function in
> _ensure_last_of_role():
>
> else:
>     raise errors.ServerRemovalError(reason=_(msg))
>
> Looks like all the callers give already gettext-enabled message (wrapped
> with _() already).
>
> Can you submit a pull request with that?

That seems to work. I'll prepare a pull request.

Jochen

-- 
This space is intentionally left blank.


[Freeipa-users] Re: locale de_DE.UTF-8 and internel error

2021-11-21 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 21 Nov 2021, Jochen Kellner via FreeIPA-users wrote:

> Hi,
>
> I tried removing a replica and got an internal error:
>
> jochen@freeipa1:~$ ipa server-del freeipa4.example.org
> Removing freeipa4.example.org from replication topology, please wait...
> ipa: ERROR: Ein interner Fehler ist aufgetreten
>
> I'm running with LANG=de_DE.UTF-8. Using en_US.UTF-8 would be ok.
> In the httpd error_log:
>
> ] ipa: ERROR: non-public: TypeError: unhashable type: 'Gettext'
> ] Traceback (most recent call last):
> ]   File "/usr/lib/python3.10/site-packags/ipaserver/rpcserver.py", line 407, in wsgi_execute
> ]     result = command(*args, **options)
> ]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__
> ]     return self.__do_call(*args, **options)
> ]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call
> ]     ret = self.run(*args, **options)
> ]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 821, in run
> ]     return self.execute(*args, **options)
> ]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute
> ]     delete_entry(pkey)
> ]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1637, in delete_entry
> ]     dn = callback(self, ldap, dn, *nkeys, **options)
> ]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 755, in pre_callback
> ]     self._ensure_last_of_role(
> ]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 520, in _ensure_last_of_role
> ]     handler(
> ]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 482, in handler
> ]     raise errors.ServerRemovalError(reason=_(msg))
> ]   File "/usr/lib/python3.10/site-packages/ipalib/errors.py", line 269, in __init__
> ]     messages.process_message_arguments(self, format, message, **kw)
> ]   File "/usr/lib/python3.10/site-packages/ipalib/messages.py", line 55, in process_message_arguments
> ]     kw[key] = unicode(value)
> ]   File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 296, in __str__
> ]     return unicode(self.as_unicode())
> ]   File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 293, in as_unicode
> ]     return t.gettext(self.msg)
> ]   File "/usr/lib64/python3.10/gettext.py", line 498, in gettext
> ]     tmsg = self._catalog.get(message, missing)
> ] TypeError: unhashable type: 'Gettext'
> ] ipa: INFO: [jsonserver_session] ad...@example.org: server_del/1(['freeipa4.example.org'], version='2.245'): InternalError
>
> Other commands like "ipa server-role-find --server=freeipa4.example.org"
> work ok and display translated messages.
>
> Any ideas?


I think you can remove _() in local handler() function in
_ensure_last_of_role():

else:
    raise errors.ServerRemovalError(reason=_(msg))

Looks like all the callers give already gettext-enabled message (wrapped
with _() already).

Can you submit a pull request with that?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
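
The failure mode discussed in this message, reproduced as an added example (not code from FreeIPA or from the posters): a lazy translatable object that is wrapped a second time only fails once a real message catalog is looked up. `LazyGettext` and `CatalogTranslations` are hypothetical stand-ins, the German text is constructed, and the pass-through behaviour for en_US is an assumption about why the English locale was unaffected.

```python
import gettext

MSGID = ("Deleting this server is not allowed as it would "
         "leave your installation without a KRA.")


class CatalogTranslations(gettext.NullTranslations):
    """Constructed catalog-backed translator; the dict lookup mirrors the
    self._catalog.get(message, missing) frame in the traceback."""

    def __init__(self, catalog):
        super().__init__()
        self._catalog = catalog

    def gettext(self, message):
        return self._catalog.get(message, message)  # hashes `message`


class LazyGettext:
    """Hypothetical lazy translatable string, translated only when rendered."""
    __hash__ = None  # unhashable, like the 'Gettext' object in the traceback

    def __init__(self, msg, translations):
        self.msg, self.translations = msg, translations

    def __str__(self):
        return str(self.translations.gettext(self.msg))


def outcome(translations, rewrap):
    """Render the reason as the failing handler did (rewrap=True, i.e. _(msg))
    or with the extra wrapper removed as proposed above (rewrap=False)."""
    msg = LazyGettext(MSGID, translations)      # caller already wrapped it
    reason = LazyGettext(msg, translations) if rewrap else msg
    try:
        return str(reason)
    except TypeError as exc:
        return f"TypeError: {exc}"


EN = gettext.NullTranslations()   # assumed: no catalog, message passes through
DE = CatalogTranslations({MSGID: "[constructed de_DE text] " + MSGID})

if __name__ == "__main__":
    for name, t in (("en_US", EN), ("de_DE", DE)):
        for rewrap in (True, False):
            print(name, "rewrap" if rewrap else "as-is", "->", outcome(t, rewrap))
```

With the pass-through translator the double wrap is invisible, which is why a guard's error path like this one can go untested until a translated locale is in use.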


[Freeipa-users] locale de_DE.UTF-8 and internel error

2021-11-21 Thread Jochen Kellner via FreeIPA-users

Hi,

I tried removing a replica and got an internal error:

jochen@freeipa1:~$ ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Ein interner Fehler ist aufgetreten

I'm running with LANG=de_DE.UTF-8. Using en_US.UTF-8 would be ok.
In the httpd error_log:

] ipa: ERROR: non-public: TypeError: unhashable type: 'Gettext'
] Traceback (most recent call last):
]   File "/usr/lib/python3.10/site-packags/ipaserver/rpcserver.py", line 407, in wsgi_execute
]     result = command(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__
]     return self.__do_call(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call
]     ret = self.run(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 821, in run
]     return self.execute(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute
]     delete_entry(pkey)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1637, in delete_entry
]     dn = callback(self, ldap, dn, *nkeys, **options)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 755, in pre_callback
]     self._ensure_last_of_role(
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 520, in _ensure_last_of_role
]     handler(
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 482, in handler
]     raise errors.ServerRemovalError(reason=_(msg))
]   File "/usr/lib/python3.10/site-packages/ipalib/errors.py", line 269, in __init__
]     messages.process_message_arguments(self, format, message, **kw)
]   File "/usr/lib/python3.10/site-packages/ipalib/messages.py", line 55, in process_message_arguments
]     kw[key] = unicode(value)
]   File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 296, in __str__
]     return unicode(self.as_unicode())
]   File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 293, in as_unicode
]     return t.gettext(self.msg)
]   File "/usr/lib64/python3.10/gettext.py", line 498, in gettext
]     tmsg = self._catalog.get(message, missing)
] TypeError: unhashable type: 'Gettext'
] ipa: INFO: [jsonserver_session] ad...@example.org: server_del/1(['freeipa4.example.org'], version='2.245'): InternalError

Other commands like "ipa server-role-find --server=freeipa4.example.org"
work ok and display translated messages.

Any ideas?

Jochen

-- 
This space is intentionally left blank.


[Freeipa-users] Deleting this server is not allowed as it would leave your installation without a KRA.

2021-11-21 Thread Jochen Kellner via FreeIPA-users

Hi,

I'm about to decommission one of my IPA replicas running on up to date
fedora 35 (freeipa-server-common-4.9.7-4.fc35.noarch). On my CA renewal
master (freeipa1.example.org) I try to remove freeipa4.example.org:

[root@freeipa1 ~]# ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Server removal aborted: Deleting this server is not allowed as it would leave your installation without a KRA..

I think the message is wrong:

[root@freeipa1 ~]# ipa server-role-find --role="KRA server" --status=enabled
--
4 server roles matched
--
  Server name: freeipa1.example.org
  Role name: KRA server
  Role status: enabled

  Server name: freeipa2.example.org
  Role name: KRA server
  Role status: enabled

  Server name: freeipa3.example.org
  Role name: KRA server
  Role status: enabled

  Server name: freeipa4.example.org
  Role name: KRA server
  Role status: enabled

Number of entries returned 4


I had a look at plugins/server.py:

 509 if self.api.Command.ca_is_enabled()['result']:
 510     try:
 511         roles = self.api.Command.server_role_find(
 512             server_server=hostname,

=> Do we really need to search for the hostname here?  We will
always find out that there is only one server left...  When I remove
that parameter deletion would continue - but I didn't really run the
rest of the deletion yet.

ipa server-role-find --server=freeipa4.example.org --role="KRA server"
really returns one entry.

 513             role_servrole='KRA server',
 514             status='enabled',
 515             include_master=True,
 516         )['result']
 517     except errors.NotFound:
 518         roles = ()
 519     if len(roles) == 1 and roles[0]['server_server'] == hostname:
 520         handler(
 521             _("Deleting this server is not allowed as it would "
 522               "leave your installation without a KRA."),
 523             ignore_last_of_role)

The commit that added the code was
https://github.com/freeipa/freeipa/commit/10bd66dd1a14fc0bd39c489d0d0af76b0f720c96
and should fix https://pagure.io/freeipa/issue/8397

Am I missing something else?

Jochen

-- 
This space is intentionally left blank.
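
A model of the last-KRA check quoted in this message, added here as an example and not FreeIPA's code: it runs the same `len(roles) == 1` test over a search limited to the server being removed and over a search across all servers. `server_role_find` below is a hypothetical in-memory stand-in for the command of that name, and the role tables are constructed.

```python
KRA = "KRA server"


def server_role_find(table, server_server=None, role_servrole=None, status=None):
    """Hypothetical in-memory stand-in for the server_role_find command:
    returns the rows of `table` that match every filter that is set."""
    wanted = {"server_server": server_server,
              "role_servrole": role_servrole,
              "status": status}
    return [row for row in table
            if all(v is None or row[k] == v for k, v in wanted.items())]


def blocks_scoped(table, hostname):
    """Check as quoted in the post: the search is limited to `hostname`."""
    roles = server_role_find(table, server_server=hostname,
                             role_servrole=KRA, status="enabled")
    return len(roles) == 1 and roles[0]["server_server"] == hostname


def blocks_global(table, hostname):
    """Variant the post asks about: same test, search not limited by host."""
    roles = server_role_find(table, role_servrole=KRA, status="enabled")
    return len(roles) == 1 and roles[0]["server_server"] == hostname


def make_table(kra_hosts):
    """Constructed role table with an enabled KRA on each listed host."""
    return [{"server_server": h, "role_servrole": KRA, "status": "enabled"}
            for h in kra_hosts]


# Constructed deployments matching the host names used in the post.
FOUR_KRAS = make_table(f"freeipa{i}.example.org" for i in range(1, 5))
ONE_KRA = make_table(["freeipa4.example.org"])

if __name__ == "__main__":
    host = "freeipa4.example.org"
    for name, table in (("four KRAs", FOUR_KRAS), ("one KRA", ONE_KRA)):
        print(name, "scoped:", blocks_scoped(table, host),
              "global:", blocks_global(table, host))
```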


[Freeipa-users] Re: ipa-healthcheck mentions/complains about a non-existent master - ?

2021-11-21 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
you are probably hitting issue https://github.com/dogtagpki/pki/issues/3608
/ https://pagure.io/freeipa/issue/8582

The healthcheck tool is using the 'subsystemCert cert-pki-ca' cert from
/var/lib/pki/pki-tomcat/alias/ to authenticate to pki and find the kra key,
but it seems that this is not enough to allow access to the key.

On Thu, Nov 18, 2021 at 10:11 PM lejeczek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

>
>
> On 17/11/2021 15:23, Rob Crittenden wrote:
> > lejeczek via FreeIPA-users wrote:
> >>
> >> On 16/11/2021 23:06, Rob Crittenden wrote:
> >>> lejeczek via FreeIPA-users wrote:
> >>>> Hi guys.
> >>>>
> >>>> A domain seemingly healthy except for this one 'weird' thing:
> >>>>
> >>>> -> $ ipa-healthcheck
> >>>> keyctl_search: Required key not available
> >>>> Enter password for Internal Key Storage Token:
> >>>> Internal server error HTTPSConnectionPool(host='sucker.priv.mine',
> >>>> port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3
> >>>> (Caused by
> >>>> NewConnectionError('  at 0x7f888355c278>: Failed to establish a new connection: [Errno 111]
> >>>> Connection refused',))
> >>>> ...
> >>>>
> >>>> This master has not been part of the domain for long time and does not
> >>>> appear anywhere else in the tools  - how to safely 'clean it up'?
> >>> IPA wasn't cleaning up the security domain in the CA. The CA added a
> >>> healthcheck to test all of them, hence the error.
> >>>
> >>> Instructions for manual removal are at the end of
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1740702
> >>>
> >>> rob
> >>>
> >> Thanks for that, it helped.
> >> May I ask also - same 'ipa-healthcheck' is not happy of:
> >>
> >> -> $ ipa-healthcheck
> >> keyctl_search: Required key not available
> >> Enter password for Internal Key Storage Token:
> >> Internal error testing KRA clone. KRA clone problem detected  Host:
> >> love.priv.mine Port: 443
> >> [
> >>{
> >>  "source": "pki.server.healthcheck.clones.connectivity_and_data",
> >>  "check": "ClonesConnectivyAndDataCheck",
> >>  "result": "ERROR",
> >>  "uuid": "6e940ba0-0adb-44cd-b033-d8a6ae04f171",
> >>  "when": "2027101614Z",
> >>  "duration": "9.653949",
> >>  "kw": {
> >>"status": "ERROR:  pki-tomcat : Internal error testing KRA clone.
> >> Host: love.priv.mine Port: 443"
> >>  }
> >>},
> >>{
> >>  "source": "ipahealthcheck.ipa.certs",
> >>  "check": "IPACertmongerExpirationCheck",
> >>  "result": "ERROR",
> >>  "uuid": "3bf0864d-6c9c-4a1e-a92a-78820ca73284",
> >>  "when": "2027101616Z",
> >>  "duration": "0.061626",
> >>  "kw": {
> >>"key": "2025172801",
> >>"msg": "certmonger request id {key} does not have a
> >> not-valid-after date, assuming it has not been issued yet."
> >>  }
> >>},
> >>
> >> a) that master was removed in an orderly manner, then reinstalled, yet IPA
> >> still thinks it's a KRA? (no KRA there)
> >> b) I'm not sure about that at all
> > The KRA is the same issue as before, just a different service. You can
> > use the pki command to clean it up.
> I wonder if there is more to it than what I thought...
> 'role' shows that that master should be 'kra', on the master
> in question:
>
> -> $ ipa-healthcheck
> Internal error testing KRA clone. 'NoneType' object has no
> attribute 'config'
> [
>{
>  "source":
> "pki.server.healthcheck.clones.connectivity_and_data",
>  "check": "ClonesConnectivyAndDataCheck",
>  "result": "ERROR",
>  "uuid": "7cd9f4c7-8436-4daa-a37f-5c4176f26124",
>  "when": "2028205801Z",
>  "duration": "1.040107",
>  "kw": {
>"status": "ERROR:  pki-tomcat : Internal error
> testing KRA clone. Host: love.ccnr.ceb.private.cam.ac.uk
> Port: 443"
>  }
>}
> ]
>
> pki-tomcat log shows:
> "POST /ca/rest/certs/search?size=3 HTTP/1.1" 200 2008
>
> Something wrong with ldap here?
>
> many thanks, L.
>
> > You'd need to run: getcert list -i 2025172801 to know what is going
> > on with this certificate. I'm guessing it is a failed request.
> >
> > rob
> >
>