I have looked through the mailing list as best as I know how and while I have found some similar issues, I am unable to find anything that I think will help me progress through this error.
We are trying to migrate FreeIPA services from CentOS 6.9 (IPA 3.0) to CentOS 7.5 (IPA 4.5) by performing the migration steps located on the following link:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
I am trying to create a replica on a new server and then eventually migrate all services to that version of the server.
I can add an ipa 4.5 replica to a 3.x infrastructure by performing a replica prepare and ipa-replica-install (there are some errors with DNS replication but I am going to ignore those for now. I will elaborate if anyone asks).
However, adding a CA with the ipa-ca-install command is where I run into trouble.
I run the following on the newly created replica:
ipa-ca-install -p "CENSORED" -w "CENSORED" -d --skip-conncheck /var/lib/ipa/replica-info-newreplica.domain.com.gpg
This generates the following error:
2018-09-12T06:30:59Z DEBUG [22/26]: migrating certificate profiles to LDAP
2018-09-12T06:30:59Z DEBUG Created connection context.ldap2_140117177941904
2018-09-12T06:30:59Z DEBUG Destroyed connection context.ldap2_140117177941904
2018-09-12T06:30:59Z DEBUG request GET https://ipaserver01.domain.com:8443/ca/rest/account/login
2018-09-12T06:30:59Z DEBUG request body ''
2018-09-12T06:30:59Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 218, in _httplib_request
    conn.request(method, uri, body=request_body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1251, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 824, in connect
    self.timeout, self.source_address)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
error: [Errno 111] Connection refused
2018-09-12T06:30:59Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1732, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1738, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1293, in __enter__
    method='GET'
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 165, in https_request
    method=method, headers=headers)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 227, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused
2018-09-12T06:30:59Z DEBUG [error] NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused
2018-09-12T06:30:59Z DEBUG
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 998, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 311, in main
    install(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 250, in install
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 207, in install_replica
    ca.install(True, config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 202, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 279, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 448, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1732, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1738, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1293, in __enter__
    method='GET'
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 165, in https_request
    method=method, headers=headers)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 227, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
2018-09-12T06:30:59Z DEBUG The ipa-ca-install command failed, exception: NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused
On the CentOS 7.5 server, there is a Tomcat (I think) process listening on port 8443 but on the older machine, there is nothing listening on this port. This certainly seems like an obvious problem but I just don't know where to go from here.
SELinux is running in permissive mode on both servers. I've considered disabling this to see if there's any effect but this seems like a reach.
Any help would be greatly appreciated.
Thanks,
Collin
CONFIDENTIALITY NOTICE: We intend only the individual or entity to which we have addressed this electronic message to view it. This message w/attachments (message) may contain information that is privileged, confidential or proprietary. You may not disseminate, distribute, copy or otherwise disclose the contents of this communication without our prior written consent. If you are not the intended recipient, or if you have received this communication in error, notify us immediately by return e-mail and delete the original message and any copies of it from your computer system.
On 9/12/18 11:35 PM, Collin Douglas via FreeIPA-users wrote:
On the Centos 7.5 server, there is a Tomcat (I think) process listening on port 8443 but on the older machine, there is nothing listening on this port. This certainly seems like an obvious problem but I just don't know where to go from here.
Hi Collin,
you seem to be hitting issue 7629: Replica installation fails with connection refused error [1] or issue 6878: Replica install fails during migration from older IPA master [2]
Both issues were fixed upstream, but the fix for 7629 is not available yet in CentOS 7.5.
HTH, flo
[1] https://pagure.io/freeipa/issue/7629
[2] https://pagure.io/freeipa/issue/6878
Good gravy you're right!
I found some other bugs that didn't quite apply but I never found this one. Your kung fu is mighty indeed.
Thank you for the reply.
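
The triage described in this thread (which installer step failed, and which host and port refused the connection) can be scripted. The following is an added example, not part of the original messages or of FreeIPA; the function names are hypothetical and the sample log is constructed from the debug lines quoted above.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample, modelled on the ipa-ca-install debug lines in the thread.
SAMPLE_LOG = """\
2018-09-12T06:30:59Z DEBUG [22/26]: migrating certificate profiles to LDAP
2018-09-12T06:30:59Z DEBUG request GET https://ipaserver01.domain.com:8443/ca/rest/account/login
2018-09-12T06:30:59Z DEBUG [error] NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused
2018-09-12T06:30:59Z DEBUG The ipa-ca-install command failed, exception: NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused
"""

STEP_RE = re.compile(r"DEBUG\s+\[(\d+)/(\d+)\]: (.+)$")
REFUSED_RE = re.compile(r"cannot connect to '([^']+)': \[Errno 111\] Connection refused")


def refused_endpoints(log_text):
    """Return unique (step, host, port) tuples for refused connections."""
    step, found = None, []
    for line in log_text.splitlines():
        m = STEP_RE.search(line)
        if m:  # remember the most recent "[n/m]: description" installer step
            step = "%s/%s %s" % m.groups()
            continue
        m = REFUSED_RE.search(line)
        if m:
            url = urlsplit(m.group(1))
            port = url.port or (443 if url.scheme == "https" else 80)
            entry = (step, url.hostname, port)
            if entry not in found:  # the same error is logged several times
                found.append(entry)
    return found


def port_open(host, port, timeout=3.0):
    """True if a TCP connect succeeds; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for step, host, port in refused_endpoints(SAMPLE_LOG):
        state = "open" if port_open(host, port) else "closed or unreachable"
        print("step %s -> %s:%d is %s" % (step, host, port, state))
```

Run against the real installer log, this names the host the new replica tried to reach on 8443, which in this thread is the older master where nothing listens on that port.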