Hello,

I am on CentOS 7.3.1611 running FreeIPA Version 4.4.0

I have the master installed and running:
:; sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

I am trying to deploy a replica. It makes it through most of the tasks, then 
bombs out at the end. The system is listed in FreeIPA as an ipaserver/replica, 
but the process itself never starts on the replica.

The deploy fails with the following errors:

2017-09-07T19:31:04Z DEBUG stderr=
2017-09-07T19:31:04Z DEBUG Destroyed connection context.ldap2_106994896
2017-09-07T19:31:04Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-09-07T19:31:04Z DEBUG Configuring ipa-custodia
2017-09-07T19:31:04Z DEBUG   [1/5]: Generating ipa-custodia config file
2017-09-07T19:31:04Z DEBUG   duration: 0 seconds
2017-09-07T19:31:04Z DEBUG   [2/5]: Generating ipa-custodia keys
2017-09-07T19:31:04Z DEBUG   duration: 0 seconds
2017-09-07T19:31:04Z DEBUG   [3/5]: Importing RA Key
2017-09-07T19:31:04Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
439, in run_step
    method()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 
112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 99, 
in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in 
raise_for_status
    raise HTTPError(http_error_msg, response=self)
HTTPError: 404 Client Error: Not Found
 
2017-09-07T19:31:04Z DEBUG   [error] HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, 
in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, 
in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, 
in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, 
in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, 
in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, 
in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, 
in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, 
in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, 
in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, 
in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, 
in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, 
in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, 
in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, 
in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, 
in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, 
in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, 
in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, 
in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, 
in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, 
in _install
    for nothing in self._installer(self.parent):
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 1722, in main
    promote(self)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 372, in decorated
    func(installer)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 1478, in promote
    custodia.create_replica(config.master_host_name)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 
95, in create_replica
    realm=self.realm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
581, in create_instance
    self.start_creation("Configuring %s" % self.service_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
439, in run_step
    method()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 
112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 99, 
in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in 
raise_for_status
    raise HTTPError(http_error_msg, response=self)
 
2017-09-07T19:31:04Z DEBUG The ipa-replica-install command failed, exception: 
HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z ERROR 404 Client Error: Not Found
2017-09-07T19:31:04Z ERROR The ipa-replica-install command failed. See 
/var/log/ipareplica-install.log for more information

When I "kinit admin" and try to run "curl --negotiate -u: 
https://`hostname`/ipa/keys/ -vv", I get the initial 401, followed by a 403.

< HTTP/1.1 403 Forbidden
< Date: Fri, 08 Sep 2017 17:55:18 GMT
< Server: Custodia/0.1
< WWW-Authenticate: Negotiate <key_blob>
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
<
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 403.
<p>Message: Forbidden.
<p>Error code explanation: 403 = Request forbidden -- authorization will not 
help.
</body>
* Closing connection 0

The httpd gateway seems to work correctly but something is broken in the 
ipa-custodia response.

I appreciate any thoughts/help!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
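A triage helper for the installer log quoted in the message above, added here as an example (not code from the original post or from FreeIPA): it recovers the failing installer step, the call chain and the HTTP status even when a mail client has hard-wrapped the traceback. The function name `triage` and the sample log are constructed for illustration, modelled on the excerpt above.

```python
import os
import re

# Constructed sample, modelled on the hard-wrapped excerpt in the message above.
SAMPLE_LOG = """\
2017-09-07T19:31:04Z DEBUG   [2/5]: Generating ipa-custodia keys
2017-09-07T19:31:04Z DEBUG   [3/5]: Importing RA Key
2017-09-07T19:31:04Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
439, in run_step
    method()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 99,
in fetch_key
    r.raise_for_status()
HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z DEBUG   [error] HTTPError: 404 Client Error: Not Found
"""

# Installer step marker, e.g. "[3/5]: Importing RA Key".
STEP = re.compile(r"^\S+ DEBUG\s+\[(\d+)/(\d+)\]: (.+?)\s*$", re.M)
# One traceback frame; \s+ between tokens tolerates mail-client line wrapping.
FRAME = re.compile(
    r'File\s+"([^"]+)",\s+line\s+(\d+),\s+in\s+(\S+)[ \t]*\n[ \t]+(.+)')
# Unindented "ExceptionType: message" line that terminates a traceback.
EXC = re.compile(r"^([A-Za-z_][\w.]*): (.*)$", re.M)
HTTP = re.compile(r"\b([45]\d\d) (?:Client|Server) Error")


def triage(log_text):
    """Summarise the first traceback in an installer debug log."""
    start = log_text.find("Traceback (most recent call last):")
    if start < 0:
        return None
    steps = list(STEP.finditer(log_text, 0, start))  # markers before the failure
    step = steps[-1] if steps else None
    exc = EXC.search(log_text, start)
    end = exc.start() if exc else len(log_text)
    frames = [(os.path.basename(path), int(line), func, code.strip())
              for path, line, func, code in FRAME.findall(log_text[start:end])]
    status = HTTP.search(exc.group(2)) if exc else None
    return {
        "step": (int(step.group(1)), int(step.group(2)), step.group(3)) if step else None,
        "exception": exc.group(1) if exc else None,
        "message": exc.group(2) if exc else None,
        "http_status": int(status.group(1)) if status else None,
        "frames": frames,  # outermost first, as in the traceback
    }
```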