Re: [Freeipa-users] ipa-replica-prepare error: Profile caIPAserviceCert Not Found
On Tue, Dec 22, 2015 at 10:06:55AM +0100, Karl Forner wrote: > Hi Fraser, > The ipa-replica-prepare ran in a adelton/freeipa-server:lastest-systemd > docker, which I think is based on fedora 23 and contains freeIPA v 4.2.3. > I can try to patch it, but I'm really not used to fedora, and moreover > there's a debian/docker bug that prevents me from building the docker image > on my computers. > > Thanks, > Karl > OK, fair enough. A couple of follow-up questions: - Is the issue always reproducible or only some of the time? - Are you running replica-prepare immediately after starting the container? Does the issue still occur after waiting a while? If you attach your /var/log/pki/pki-tomcat/ca/debug log it will help pinpoint the cause and confirm/deny whether the existing patch will fix it. Cheers, Fraser > On Tue, Dec 22, 2015 at 2:46 AM, Fraser Tweedale > wrote: > > > On Mon, Dec 21, 2015 at 01:57:02PM +0100, Karl Forner wrote: > > > Hello, > > > > > > Running: > > > ipa-replica-prepare ipa-h3s1.example.com --ip-address xx.xx.xx.xx -d -v > > > fails > > > with > > > ipa: DEBUG: Protocol: TLS1.2 > > > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA > > > ipa: DEBUG: request status 200 > > > ipa: DEBUG: request reason_phrase u'OK' > > > ipa: DEBUG: request headers {'date': 'Mon, 21 Dec 2015 12:50:59 GMT', > > > 'content-length': '148', 'content-type': 'application/xml', 'server': > > > 'Apache-Coyote/1.1'} > > > ipa: DEBUG: request body ' > > standalone="no"?>1Profile > > > caIPAserviceCert Not Found' > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File > > > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > > > execute > > > > > > The context is probably unusual: > > > I run the command on a replica with CA from a server in freeipa v4.1.4 > > (in > > > a adelton/freeipa-server docker) > > > which is a freeipa v4.2.3 running in > > > adelton/freeipa-server:lastest-systemd docker > > > > > > I found this ticket which looks similar: > > > https://fedorahosted.org/freeipa/ticket/5376 > > > > > > Is there something wrong with my replica knowing that it has been > > > replicated from a 4.1.4 ? > > > Is there a work-around ? > > > > > > Thanks > > > Karl > > > > Hi Karl, > > > > I have a patch for Dogtag that I think will fix this issue. Would > > you be willing to test it? If so, which version of Fedora/RHEL are > > you using and I will prepare a build. > > > > Regards, > > Fraser > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-replica-prepare error: Profile caIPAserviceCert Not Found
Hi Fraser, The ipa-replica-prepare ran in a adelton/freeipa-server:lastest-systemd docker, which I think is based on fedora 23 and contains freeIPA v 4.2.3. I can try to patch it, but I'm really not used to fedora, and moreover there's a debian/docker bug that prevents me from building the docker image on my computers. Thanks, Karl On Tue, Dec 22, 2015 at 2:46 AM, Fraser Tweedale wrote: > On Mon, Dec 21, 2015 at 01:57:02PM +0100, Karl Forner wrote: > > Hello, > > > > Running: > > ipa-replica-prepare ipa-h3s1.example.com --ip-address xx.xx.xx.xx -d -v > > fails > > with > > ipa: DEBUG: Protocol: TLS1.2 > > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA > > ipa: DEBUG: request status 200 > > ipa: DEBUG: request reason_phrase u'OK' > > ipa: DEBUG: request headers {'date': 'Mon, 21 Dec 2015 12:50:59 GMT', > > 'content-length': '148', 'content-type': 'application/xml', 'server': > > 'Apache-Coyote/1.1'} > > ipa: DEBUG: request body ' > standalone="no"?>1Profile > > caIPAserviceCert Not Found' > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File > > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > > execute > > > > The context is probably unusual: > > I run the command on a replica with CA from a server in freeipa v4.1.4 > (in > > a adelton/freeipa-server docker) > > which is a freeipa v4.2.3 running in > > adelton/freeipa-server:lastest-systemd docker > > > > I found this ticket which looks similar: > > https://fedorahosted.org/freeipa/ticket/5376 > > > > Is there something wrong with my replica knowing that it has been > > replicated from a 4.1.4 ? > > Is there a work-around ? > > > > Thanks > > Karl > > Hi Karl, > > I have a patch for Dogtag that I think will fix this issue. Would > you be willing to test it? If so, which version of Fedora/RHEL are > you using and I will prepare a build. > > Regards, > Fraser > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-replica-prepare error: Profile caIPAserviceCert Not Found
On Mon, Dec 21, 2015 at 01:57:02PM +0100, Karl Forner wrote: > Hello, > > Running: > ipa-replica-prepare ipa-h3s1.example.com --ip-address xx.xx.xx.xx -d -v > fails > with > ipa: DEBUG: Protocol: TLS1.2 > ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA > ipa: DEBUG: request status 200 > ipa: DEBUG: request reason_phrase u'OK' > ipa: DEBUG: request headers {'date': 'Mon, 21 Dec 2015 12:50:59 GMT', > 'content-length': '148', 'content-type': 'application/xml', 'server': > 'Apache-Coyote/1.1'} > ipa: DEBUG: request body ' standalone="no"?>1Profile > caIPAserviceCert Not Found' > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > execute > > The context is probably unusual: > I run the command on a replica with CA from a server in freeipa v4.1.4 (in > a adelton/freeipa-server docker) > which is a freeipa v4.2.3 running in > adelton/freeipa-server:lastest-systemd docker > > I found this ticket which looks similar: > https://fedorahosted.org/freeipa/ticket/5376 > > Is there something wrong with my replica knowing that it has been > replicated from a 4.1.4 ? > Is there a work-around ? > > Thanks > Karl Hi Karl, I have a patch for Dogtag that I think will fix this issue. Would you be willing to test it? If so, which version of Fedora/RHEL are you using and I will prepare a build. Regards, Fraser > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project