Hello, I am on CentOS 7.3.1611 running FreeIPA Version 4.4.0
I have the master installed and running:

:; sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

I am trying to deploy a replica. It makes it through most of the tasks, then bombs out at the end. The system is listed in FreeIPA as an ipaserver/replica. But the process itself never starts on the replica. The deploy fails with the following errors:

2017-09-07T19:31:04Z DEBUG stderr=
2017-09-07T19:31:04Z DEBUG Destroyed connection context.ldap2_106994896
2017-09-07T19:31:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-09-07T19:31:04Z DEBUG Configuring ipa-custodia
2017-09-07T19:31:04Z DEBUG [1/5]: Generating ipa-custodia config file
2017-09-07T19:31:04Z DEBUG duration: 0 seconds
2017-09-07T19:31:04Z DEBUG [2/5]: Generating ipa-custodia keys
2017-09-07T19:31:04Z DEBUG duration: 0 seconds
2017-09-07T19:31:04Z DEBUG [3/5]: Importing RA Key
2017-09-07T19:31:04Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 99, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
HTTPError: 404 Client Error: Not Found

2017-09-07T19:31:04Z DEBUG [error] HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
    promote(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1478, in promote
    custodia.create_replica(config.master_host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 95, in create_replica
    realm=self.realm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 581, in create_instance
    self.start_creation("Configuring %s" % self.service_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 99, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
    raise HTTPError(http_error_msg, response=self)

2017-09-07T19:31:04Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z ERROR 404 Client Error: Not Found
2017-09-07T19:31:04Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

I "kinit admin" and try to run "curl --negotiate -u: https://`hostname`/ipa/keys/ -vv". I get the initial 401, followed by a 403.

< HTTP/1.1 403 Forbidden
< Date: Fri, 08 Sep 2017 17:55:18 GMT
< Server: Custodia/0.1
< WWW-Authenticate: Negotiate <key_blob>
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
<
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 403.
<p>Message: Forbidden.
<p>Error code explanation: 403 = Request forbidden -- authorization will not help.
</body>
* Closing connection 0

The httpd gateway seems to work correctly but something is broken in the ipa-custodia response.

I appreciate any thoughts/help!