Brian Weaver wrote:
On Thu, May 3, 2018 at 10:45 AM, Rob Crittenden <rcritten@redhat.com> wrote:
Brian Weaver via FreeIPA-users wrote:

So given that 4.6 wasn't going to work nicely with F28, I decided to roll back to F27. I also DID NOT use the COPR repo; just what was stock with F27. I'm still unable to create a replica. I get the following error on the replica install.

Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Waiting for keys to appear on host: ipa-server0.ipa.domain, please wait until this has completed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR 400 Client Error: Bad Request for url: https://ipa-server0.ipa.domain/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=...
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Any ideas why I'd get a 400 error? This is the same error I got when I did use the COPR repo with F27. I *thought* it would work if I'd stop trying to jump ahead on the software version by skipping COPR.

This is getting downright frustrating. How many people set up a FreeIPA server and don't set up at least 1 replica? Wouldn't that be a basic use case for testing before inclusion?

Can you look in /var/log/httpd/error_log on the existing master around this time to see what requests it may have gotten and how it responded?

rob

Any help would definitely be appreciated. Do I need to step back to F26?

On Wed, May 2, 2018 at 4:32 PM, Rob Crittenden <rcritten@redhat.com> wrote:

Brian Weaver via FreeIPA-users wrote:

I had issues with my old FreeIPA installation so I rebuilt using Fedora 28 and FreeIPA 4.6 from the COPR of @freeipa/freeipa-4-6. I managed to successfully set up the server and import my DNS data. Now when I try to create a replica it is blowing up.

When I run "ipa-replica-install --principal admin@IPA.${DOMAIN} -w 'uber-secret-password' -N" it's failing. I've tried Google, cleaned up the directory of the server entries, etc. I'm at an impasse. Here is the error

Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

I was going to get the error from the log directory. I ran uninstall before I thought about it. Then when I try again it fails on "entry already exists". So when I run uninstall again I have to do 'ipa server-del ipa-server1.ipa.domain'. I'm having no luck and it fails at random places. For example after the last cleanup I got "Insufficient Access" with write privilege on 'cn=replication,cn=etc,dc=ipa,dc=$domain'

Any help would really be appreciated. This is really holding me up.

4.6 is probably not going to work nicely in F28. NSS changed the default database type and that caused a lot of issues for IPA.

rob

[Thu May 03 09:51:38.478737 2018] [proxy:error] [pid 16265:tid 140079032899328] (20014)Internal error (specific information not available): [client 192.168.46.252:35086] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Thu May 03 09:51:38.478773 2018] [proxy_http:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35086] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 192.168.46.252 ()

What version of httpd and mod_nss do you have installed?
rob
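
The check requested in the thread, looking at /var/log/httpd/error_log on the master around the time of the failed install, can be scripted. The following is an added example and not part of the original thread: it assumes the Apache 2.4 error-log layout seen in the quoted entries, and the names `parse_line` and `errors_near` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The first two entries are the ones quoted in the thread; the third is
# constructed so the time filter has something to exclude.
SAMPLE_LOG = """\
[Thu May 03 09:51:38.478737 2018] [proxy:error] [pid 16265:tid 140079032899328] (20014)Internal error (specific information not available): [client 192.168.46.252:35086] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Thu May 03 09:51:38.478773 2018] [proxy_http:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35086] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 192.168.46.252 ()
[Thu May 03 07:12:01.000001 2018] [proxy:error] [pid 16001:tid 140079000000000] [client 192.0.2.10:40000] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
"""

HEAD_RE = re.compile(r"^\[([^\]]+)\] \[[\w-]*:(\w+)\] \[pid (\d+)(?::tid (\d+))?\]")
CLIENT_RE = re.compile(r"\[client ([^\]\s]+):(\d+)\]")
CODE_RE = re.compile(r"\b(AH\d{5}):")


def parse_line(line):
    """Parse one error_log line; return None if the header does not match."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    client = CLIENT_RE.search(line)
    code = CODE_RE.search(line)
    return {
        "time": datetime.strptime(head.group(1), "%a %b %d %H:%M:%S.%f %Y"),
        "level": head.group(2),
        "pid": int(head.group(3)),
        "tid": int(head.group(4)) if head.group(4) else None,
        "client": client.group(1) if client else None,
        "code": code.group(1) if code else None,
    }


def errors_near(log_text, when, seconds=60):
    """Group error codes by (client, pid, tid) within +/- seconds of when."""
    span = timedelta(seconds=seconds)
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["level"] == "error" and abs(entry["time"] - when) <= span:
            grouped[(entry["client"], entry["pid"], entry["tid"])].append(entry["code"])
    return dict(grouped)


if __name__ == "__main__":
    failure_time = datetime(2018, 5, 3, 9, 51, 38)  # from the quoted log timestamps
    for key, codes in errors_near(SAMPLE_LOG, failure_time).items():
        print(key, codes)
```

Grouping by client, pid and tid shows which entries belong to the same request, so the proxy and proxy_http errors for the replica's connection appear together.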