I had issues with my old FreeIPA installation so I rebuilt using Fedora 28 and FreeIPA 4.6 from the COPR of @freeipa/freeipa-4-6.
I managed to successfully set up the server and import my DNS data. Now when I try to create a replica it is blowing up. When I run "ipa-replica-install --principal admin@IPA.${DOMAIN} -w 'uber-secret-password' -N" it's failing. I've tried Google, cleaned up the directory of the server entries, etc. I'm at an impasse.
Here is the error
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
I was going to get the error from the log directory. I ran uninstall before I thought about it. Then when I try again it fails on "entry already exists". So when I run uninstall again I have to do 'ipa server-del ipa-server1.ipa.domain'.
I'm having no luck and it fails at random places. For example, after the last cleanup I got "Insufficient Access" with write privilege on 'cn=replication,cn=etc,dc=ipa,dc=$domain'.
Any help would really be appreciated. This is really holding me up.
Brian Weaver via FreeIPA-users wrote:
4.6 is probably not going to work nicely in F28. NSS changed the default database type and that caused a lot of issues for IPA.
rob
So given that 4.6 wasn't going to work nicely with F28, I decided to roll back to F27. I also DID NOT use the COPR repo; just what was stock with F27. I'm still unable to create a replica. I get the following error on the replica install.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Waiting for keys to appear on host: ipa-server0.ipa.domain, please wait until this has completed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR    400 Client Error: Bad Request for url: https://ipa-server0.ipa.domain/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=...
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Any ideas why I'd get a 400 error? This is the same error I got when I did use the COPR repo with F27. I *thought* it would work if I'd stop trying to jump ahead on the software version by skipping COPR. This is getting downright frustrating. How many people set up a FreeIPA server and don't set up at least 1 replica? Wouldn't that be a basic use case for testing before inclusion?
Any help would definitely be appreciated. Do I need to step back to F26?
On Wed, May 2, 2018 at 4:32 PM, Rob Crittenden rcritten@redhat.com wrote:
4.6 is probably not going to work nicely in F28. NSS changed the default database type and that caused a lot of issues for IPA.
rob
Brian Weaver via FreeIPA-users wrote:
Can you look in /var/log/httpd/error_log on the existing master around this time to see what requests it may have gotten and how it responded?
rob
On Thu, May 3, 2018 at 10:45 AM, Rob Crittenden rcritten@redhat.com wrote:
ipapython.admintool: ERROR    400 Client Error: Bad Request for url: https://ipa-server0.ipa.domain/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.w3ZCBToenHY368SFEqUHupfnd7nxwPpW2PbthpYyrigJFudW2o6exMdgF9nxES1rwDW2ZJOJlmRe9uOZnirNghahvcEbpssqgSAmKzSNi5N1uY-ShB5FuGy_R_Ei4Im00_ldHmBTe_vg9wvTL54FUH_1-WdI4ie2AeAGkV7yevqdnbSb30QGyQci9Gku2RtW79mFxI2VDFnGnZq3Ozs8zRqK0XldzO-xuwrOODHAh3etWXHGSf76645SPP2E4HR5rzL9edx0dqGFlcWLaemLYvXnmF69_x4ESPmyDtoMotLGvMLUq93fXCjPwNj_rNKswwX5AwA4dwt09mZcdCOF-w._Znmzdn1UoVCSKhjQIJJAw.TevehnXKP3R47EckjagTAaT54kliJxC3in66E-q8_ARYXXQrRjELFXgWM_9g_Qt38_pSoptG7sP5jbsRtiQXfO22lmDij5HwR6fgvQCl1NYZincLBl0zZlhq7Uh5Hj73vahHhQNsPhnmIIWAO58sNx-OsPyjwJDpXTaImq319RPV8rYNNDSLF0tT_UhWdyPXo9f7nNRK_9kQ8D7T_ye1uj6Bp5Oyybhd1cDtpCp4dqA93y0Lf0Vn5tsLjy8Jzt3B-Txw6t325SIrsUR3z9tzWp2oZ3caPSoHVDRGXUrzy7dEzMAU_5m1xzRU69HR9QMbCuTHf606SdynGXss3Zw4l1ZWVJg7pO9B-04AgNdJOyBmN71CXkPuMefnsKhm8X18kLI-LUQN9jkYs0YhRAOJbHluIa_O_80nv38nSt1HRlphzwdzxiEZclScaIS8A94gEJrcRsiSsI2hVo58bQyWWobyQFicTWGLZfHYGoDtLb9VK2tJLzv-vDiesC4tX2RuZTwN9O8YBPT49EvCIp-P4T1UztvxQ2Sgkg91Hd5BiOGrWEQ0o6loF2jMlzDpescfq8N8LbaPol_cvj0-I0M1uJiOhjS4JIz_Un6E9Cw4Bkj2cCoeui-VksAxC4NBAB-wAn8ESnVz8LilNUKV6tF7xz5OKvlk6vZUHrbKDBOEkZoAx_UtbOpLu4T_bpxjhxpd.Rcl_HiVK5uS1rTxCmbMmVgvGLmoq3XMSA9E_SBhdDzk
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Can you look in /var/log/httpd/error_log on the existing master around this time to see what requests it may have gotten and how it responded?
rob
Here's a block of the log from the relevant time.
[Thu May 03 09:48:02.139175 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34882] ipa: INFO: [xmlserver] admin@IPA.DOMAIN: join('ipa-server1.ipa.domain', nshardwareplatform='x86_64', nsosversion='4.16.5-200.fc27.x86_64', version='2.51'): SUCCESS
[Thu May 03 09:48:02.470757 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:34894] ipa: INFO: [jsonserver_kerb] host/ipa-server1.ipa.domain@IPA.DOMAIN: schema(version='2.170'): SUCCESS
[Thu May 03 09:48:04.225272 2018] [:warn] [pid 16580:tid 140079049684736] [client 192.168.46.252:34898] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~ipa-server1.ipa.domain@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 09:48:04.233942 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34898] ipa: INFO: [jsonserver_session] host/ipa-server1.ipa.domain@IPA.DOMAIN: ping(): SUCCESS
[Thu May 03 09:48:04.238942 2018] [:warn] [pid 16580:tid 140079041292032] [client 192.168.46.252:34898] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~ipa-server1.ipa.domain@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 09:48:04.249753 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:34898] ipa: INFO: [jsonserver_session] host/ipa-server1.ipa.domain@IPA.DOMAIN: ca_is_enabled(version='2.107'): SUCCESS
[Thu May 03 09:48:04.838205 2018] [:warn] [pid 16580:tid 140079032899328] [client 192.168.46.252:34898] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~ipa-server1.ipa.domain@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 09:48:04.859736 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34898] ipa: INFO: [jsonserver_session] host/ipa-server1.ipa.domain@IPA.DOMAIN: host_mod('ipa-server1.ipa.domain', ipasshpubkey=('ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
[Thu May 03 09:48:09.542153 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:34920] ipa: INFO: [jsonserver_kerb] host/ipa-server1.ipa.domain@IPA.DOMAIN: env(('version',)): SUCCESS
[Thu May 03 09:48:09.560313 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34920] ipa: INFO: [jsonserver_kerb] host/ipa-server1.ipa.domain@IPA.DOMAIN: env(('fips_mode',)): SUCCESS
[Thu May 03 09:48:23.698644 2018] [:warn] [pid 16265:tid 140079133611776] [client 192.168.44.250:58032] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 09:48:23.720234 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.44.250:58032] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: dnsrecord_add/1('46.168.192.in-addr.arpa', <DNS name 252>, ptrrecord=('ipa-server1.ipa.domain.',), version='2.229'): EmptyModlist
[Thu May 03 09:48:38.293949 2018] [:warn] [pid 16580:tid 140079016113920] [client 192.168.44.250:58036] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 09:48:38.318277 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.44.250:58036] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: dnsrecord_add/1('44.168.192.in-addr.arpa', <DNS name 250>, ptrrecord=('ipa-server0.ipa.domain.',), version='2.229'): SUCCESS
[Thu May 03 09:48:43.746399 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:34958] ipa: INFO: [jsonserver_kerb] admin@IPA.DOMAIN: ping/1(version='2.229'): SUCCESS
[Thu May 03 09:48:45.295163 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34958] ipa: INFO: [jsonserver_kerb] admin@IPA.DOMAIN: server_conncheck('ipa-server0.ipa.domain', 'ipa-server1.ipa.domain', version='2.162'): SUCCESS
[Thu May 03 09:49:24.029002 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:35018] ipa: INFO: [xmlserver] host/ipa-server1.ipa.domain@IPA.DOMAIN: cert_request('MIIEBjCCAu4CAQAwSDEcMBoGA1UEChMTSVBBLlNVTkJJUkREQ0lNLkNPTTEoMCYGA1UEAxMfaXBhLXNlcnZlcjEuaXBhLnN1bmJpcmRkY2ltLmNvbT
[Thu May 03 09:50:27.397261 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:35058] ipa: INFO: [xmlserver] host/ipa-server1.ipa.domain@IPA.DOMAIN: cert_request('MIIEBjCCAu4CAQAwSDEcMBoGA1UEChMTSVBBLlNVTkJJUkREQ0lNLkNPTTEoMCYGA1UEAxMfaXBhLXNlcnZlcjEuaXBhLnN1bmJpcmRkY2ltLmNvbT
[Thu May 03 09:51:38.478737 2018] [proxy:error] [pid 16265:tid 140079032899328] (20014)Internal error (specific information not available): [client 192.168.46.252:35086] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Thu May 03 09:51:38.478773 2018] [proxy_http:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35086] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 192.168.46.252 ()
[Thu May 03 10:13:42.746937 2018] [:warn] [pid 16580:tid 140079049684736] [client 192.168.44.250:58124] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 10:13:42.758777 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.44.250:58124] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: ping(): SUCCESS
[Thu May 03 10:13:42.787775 2018] [:warn] [pid 16580:tid 140079041292032] [client 192.168.44.250:58124] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 10:13:42.806736 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.44.250:58124] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: dnsconfig_show/1(version='2.229'): SUCCESS
[Thu May 03 10:13:51.198493 2018] [:warn] [pid 16580:tid 140079024506624] [client 192.168.44.250:58130] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 10:13:51.207219 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.44.250:58130] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: ping(): SUCCESS
[Thu May 03 10:13:51.233977 2018] [:warn] [pid 16580:tid 140079016113920] [client 192.168.44.250:58130] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 10:13:51.249541 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.44.250:58130] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: dnsconfig_show/1(all=True, version='2.229'): SUCCESS
[Thu May 03 10:14:44.574564 2018] [:warn] [pid 16580:tid 140079083255552] [client 192.168.44.250:58144] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 10:14:44.583901 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.44.250:58144] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: ping(): SUCCESS
[Thu May 03 10:14:52.217033 2018] [:warn] [pid 16580:tid 140079091648256] [client 192.168.44.250:58144] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
[Thu May 03 10:14:52.233562 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.44.250:58144] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: dnszone_show/1('ipa.domain.', version='2.229'): SUCCESS
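The error_log block above is the kind of thing Rob asked for, and reading it by hand is slow. As an added example (not code from this thread, from FreeIPA or from httpd), here is a small Python triage helper that parses lines in exactly that layout, separates httpd's own failures from the IPA API audit trail that mod_wsgi writes to the [wsgi:error] stream, groups requests by peer address (replica vs. admin workstation), and pulls out the last IPA call made before a failure. The embedded sample lines are constructed in the same format as the excerpt above; the function names are my own.

```python
"""Triage helper for Apache httpd error_log lines as pasted from a FreeIPA master."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the layout of the error_log excerpt above (not a real capture).
SAMPLE_LOG = """\
[Thu May 03 09:48:45.295163 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34958] ipa: INFO: [jsonserver_kerb] admin@IPA.DOMAIN: server_conncheck('ipa-server0.ipa.domain', 'ipa-server1.ipa.domain', version='2.162'): SUCCESS
[Thu May 03 09:49:24.029002 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:35018] ipa: INFO: [xmlserver] host/ipa-server1.ipa.domain@IPA.DOMAIN: cert_request('MIIEBjCCAu4C
[Thu May 03 09:51:38.478737 2018] [proxy:error] [pid 16265:tid 140079032899328] (20014)Internal error (specific information not available): [client 192.168.46.252:35086] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Thu May 03 09:51:38.478773 2018] [proxy_http:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35086] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 192.168.46.252 ()
[Thu May 03 10:13:42.746937 2018] [:warn] [pid 16580:tid 140079049684736] [client 192.168.44.250:58124] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "                          # [Thu May 03 09:51:38.478737 2018]
    r"\[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "    # [proxy:error] or [:warn]
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?P<rest>.*)$"
)
# httpd writes the peer as [client ip:port] for its own messages and
# mod_wsgi as [remote ip:port]; both carry the same information.
PEER_RE = re.compile(r"\[(?:client|remote) (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\]")
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"


def parse_error_log(text):
    """Return one dict per parseable line; lines in another layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer = PEER_RE.search(m["rest"])
        entries.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "module": m["module"],
            "level": m["level"],
            "pid": int(m["pid"]),
            "peer_ip": peer["ip"] if peer else None,
            "peer_port": int(peer["port"]) if peer else None,
            "msg": m["rest"],
        })
    return entries


def is_real_error(entry):
    # mod_wsgi sends the IPA API audit trail ("ipa: INFO: ...") to the
    # [wsgi:error] stream because that is stderr, so 'error' there is not a failure.
    return entry["level"] == "error" and entry["module"] != "wsgi"


def real_errors(entries):
    """Only httpd's own error-level messages (proxy, proxy_http, ...)."""
    return [e for e in entries if is_real_error(e)]


def window_around(entries, anchor, seconds):
    """Everything logged within +/- seconds of the anchor entry's timestamp."""
    lo = anchor["ts"] - timedelta(seconds=seconds)
    hi = anchor["ts"] + timedelta(seconds=seconds)
    return [e for e in entries if lo <= e["ts"] <= hi]


def requests_by_peer(entries):
    """Lines per peer IP: tells the replica's traffic from the admin workstation's."""
    return Counter(e["peer_ip"] for e in entries if e["peer_ip"])


def last_ipa_call_before(entries, anchor):
    """The most recent IPA API call logged before the anchor entry, or None."""
    calls = [e for e in entries if e["ts"] < anchor["ts"] and "ipa: INFO:" in e["msg"]]
    return calls[-1] if calls else None


if __name__ == "__main__":
    parsed = parse_error_log(SAMPLE_LOG)
    print("lines per peer:", dict(requests_by_peer(parsed)))
    for err in real_errors(parsed):
        prev = last_ipa_call_before(parsed, err)
        print(f"{err['ts']} [{err['module']}] from {err['peer_ip']}:{err['peer_port']}")
        print("  last IPA call before it:", prev["msg"][:80] if prev else None)
```

On the excerpt above the helper isolates the two proxy failures at 09:51:38, shows they came from the replica's address on the same connection, and that the last IPA call the master logged from that host before they occurred was a cert_request. That is the correlation Rob's question is after, and the same helper can be pointed at a full error_log file by replacing SAMPLE_LOG with the file's contents.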
Brian Weaver wrote:
On Thu, May 3, 2018 at 10:45 AM, Rob Crittenden <rcritten@redhat.com> wrote:
[Thu May 03 09:51:38.478737 2018] [proxy:error] [pid 16265:tid 140079032899328] (20014)Internal error (specific information not available): [client 192.168.46.252:35086] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Thu May 03 09:51:38.478773 2018] [proxy_http:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35086] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 192.168.46.252 ()
What version of httpd and mod_nss do you have installed?
rob
Sadly, nothing now. It would be whatever was standard in a FC 27 install. I had to abandon FreeIPA due to time constraints and I moved back to stock Bind9. System Admin work is one of those "extra" tasks I have and not my primary job. I simply ran out of time; 4 days of lost productivity has my management a bit unhappy. Sorry I didn't save the VM.
I did find one other quirk of using FreeIPA vs stock Bind9. It seems that FreeIPA will allow you to create a hostname with an underscore. Bind9 complained bitterly about that. It'd have been nice if FreeIPA had warned me or prohibited me from adding the underscore in the first place. Granted, it may be that Bind9 is being too restrictive.
On Thu, May 3, 2018 at 11:40 AM, Rob Crittenden rcritten@redhat.com wrote:
Brian Weaver wrote:
On Thu, May 3, 2018 at 10:45 AM, Rob Crittenden <rcritten@redhat.com mailto:rcritten@redhat.com> wrote:
Brian Weaver via FreeIPA-users wrote: So given that 4.6 wasn't going to work nicely with F28, I decided to rollback to F27. I also DID NOT use the COPR repo; just what was stock with F27. I'm still unable to create a replica. I get the following error on the replica install. Configuring ipa-custodia [1/4]: Generating ipa-custodia config file [2/4]: Generating ipa-custodia keys [3/4]: starting ipa-custodia [4/4]: configuring ipa-custodia to start on boot Done configuring ipa-custodia. Waiting for keys to appear on host: ipa-server0.ipa.domain, please wait until this has completed. Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipapython.admintool: ERROR 400 Client Error: Bad Request for url: https://ipa-server0.ipa.domain/ipa/keys/ca/caSigningCert%
20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI 6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.w3ZCBToenHY368SFEqUHup fnd7nxwPpW2PbthpYyrigJFudW2o6exMdgF9nxES1rwDW2ZJOJlmRe9uOZni rNghahvcEbpssqgSAmKzSNi5N1uY-ShB5FuGy_R_Ei4Im00_ldHmBTe_vg9 wvTL54FUH_1-WdI4ie2AeAGkV7yevqdnbSb30QGyQci9Gku2RtW79mFxI2VD FnGnZq3Ozs8zRqK0XldzO-xuwrOODHAh3etWXHGSf76645SPP2E4HR5rzL9e dx0dqGFlcWLaemLYvXnmF69_x4ESPmyDtoMotLGvMLUq93fXCjPwNj_ rNKswwX5AwA4dwt09mZcdCOF-w._Znmzdn1UoVCSKhjQIJJAw.TevehnXKP3 R47EckjagTAaT54kliJxC3in66E-q8_ARYXXQrRjELFXgWM_9g_Qt38_pS optG7sP5jbsRtiQXfO22lmDij5HwR6fgvQCl1NYZincLBl0zZlhq7Uh5Hj73 vahHhQNsPhnmIIWAO58sNx-OsPyjwJDpXTaImq319RPV8rYNNDSLF0tT_ UhWdyPXo9f7nNRK_9kQ8D7T_ye1uj6Bp5Oyybhd1cDtpCp4dqA93y0Lf0Vn5 tsLjy8Jzt3B-Txw6t325SIrsUR3z9tzWp2oZ3caPSoHVDRGXUrzy7dEzMAU_ 5m1xzRU69HR9QMbCuTHf606SdynGXss3Zw4l1ZWVJg7pO9B-04AgNdJOyBmN 71CXkPuMefnsKhm8X18kLI-LUQN9jkYs0YhRAOJbHluIa_O_80nv3 8nSt1HRlphzwdzxiEZclScaIS8A94gEJrcRsiSsI2hVo58bQyWWobyQFicTW GLZfHYGoDtLb9VK2tJLzv-vDiesC4tX2RuZTwN9O8YBPT49EvCIp-P4T1Uzt vxQ2Sgkg91Hd5BiOGrWEQ0o6loF2jMlzDpescfq8N8LbaPol_cvj0- I0M1uJiOhjS4JIz_Un6E9Cw4Bkj2cCoeui-VksAxC4NBAB-wAn8ESnVz8Lil NUKV6tF7xz5OKvlk6vZUHrbKDBOEkZoAx_UtbOpLu4T_bpxjhxpd.Rcl_HiV K5uS1rTxCmbMmVgvGLmoq3XMSA9E_SBhdDzk https://ipa-server0.ipa.domain/ipa/keys/ca/caSigningCert% 20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI 6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.w3ZCBToenHY368SFEqUHup fnd7nxwPpW2PbthpYyrigJFudW2o6exMdgF9nxES1rwDW2ZJOJlmRe9uOZni rNghahvcEbpssqgSAmKzSNi5N1uY-ShB5FuGy_R_Ei4Im00_ldHmBTe_vg9 wvTL54FUH_1-WdI4ie2AeAGkV7yevqdnbSb30QGyQci9Gku2RtW79mFxI2VD FnGnZq3Ozs8zRqK0XldzO-xuwrOODHAh3etWXHGSf76645SPP2E4HR5rzL9e dx0dqGFlcWLaemLYvXnmF69_x4ESPmyDtoMotLGvMLUq93fXCjPwNj_ rNKswwX5AwA4dwt09mZcdCOF-w._Znmzdn1UoVCSKhjQIJJAw.TevehnXKP3 R47EckjagTAaT54kliJxC3in66E-q8_ARYXXQrRjELFXgWM_9g_Qt38_pS optG7sP5jbsRtiQXfO22lmDij5HwR6fgvQCl1NYZincLBl0zZlhq7Uh5Hj73 vahHhQNsPhnmIIWAO58sNx-OsPyjwJDpXTaImq319RPV8rYNNDSLF0tT_ 
UhWdyPXo9f7nNRK_9kQ8D7T_ye1uj6Bp5Oyybhd1cDtpCp4dqA93y0Lf0Vn5 tsLjy8Jzt3B-Txw6t325SIrsUR3z9tzWp2oZ3caPSoHVDRGXUrzy7dEzMAU_ 5m1xzRU69HR9QMbCuTHf606SdynGXss3Zw4l1ZWVJg7pO9B-04AgNdJOyBmN 71CXkPuMefnsKhm8X18kLI-LUQN9jkYs0YhRAOJbHluIa_O_80nv3 8nSt1HRlphzwdzxiEZclScaIS8A94gEJrcRsiSsI2hVo58bQyWWobyQFicTW GLZfHYGoDtLb9VK2tJLzv-vDiesC4tX2RuZTwN9O8YBPT49EvCIp-P4T1Uzt vxQ2Sgkg91Hd5BiOGrWEQ0o6loF2jMlzDpescfq8N8LbaPol_cvj0- I0M1uJiOhjS4JIz_Un6E9Cw4Bkj2cCoeui-VksAxC4NBAB-wAn8ESnVz8Lil NUKV6tF7xz5OKvlk6vZUHrbKDBOEkZoAx_UtbOpLu4T_bpxjhxpd.Rcl_HiV K5uS1rTxCmbMmVgvGLmoq3XMSA9E_SBhdDzk ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Any ideas why I'd get a 400 error? This is the same error I got when I used the COPR repo with F27. I *thought* it would work if I'd stop trying to jump ahead on the software version by skipping COPR. This is getting downright frustrating. How many people set up a FreeIPA server and don't set up at least 1 replica? Wouldn't that be a basic use case for testing before inclusion?

Can you look in /var/log/httpd/error_log on the existing master around this time to see what requests it may have gotten and how it responded?

rob

Any help would definitely be appreciated. Do I need to step back to F26?

On Wed, May 2, 2018 at 4:32 PM, Rob Crittenden <rcritten@redhat.com> wrote:

4.6 is probably not going to work nicely in F28. NSS changed the default database type and that caused a lot of issues for IPA.

rob
[Thu May 03 09:51:38.478737 2018] [proxy:error] [pid 16265:tid 140079032899328] (20014)Internal error (specific information not available): [client 192.168.46.252:35086] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Thu May 03 09:51:38.478773 2018] [proxy_http:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35086] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 192.168.46.252 ()
What version of httpd and mod_nss do you have installed?
rob
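The two error_log lines Brian posted are in Apache 2.4's default ErrorLogFormat, and the useful fields (module, level, AH code, client, and the backend the proxy could not reach) are buried in them. As an added example, not code from the thread, FreeIPA or httpd, here is a small parser that pulls those fields out and filters the mod_proxy errors, which is what Rob's question is really about. The two proxy lines in SAMPLE_LOG are the ones quoted in the thread; the core and authz_core lines are constructed for contrast, and all function names are this example's own.

```python
"""Parse Apache 2.4 error_log lines and single out mod_proxy failures.

Added example, not code from the thread, FreeIPA or httpd. The two
proxy lines in SAMPLE_LOG are the ones quoted in the thread; the core
and authz_core lines are constructed for contrast.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default Apache 2.4 ErrorLogFormat:
# [timestamp] [module:level] [pid N(:tid M)] (errno)text: [client ip:port] AHnnnnn: message
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"
    r"\[(?P<module>[a-z_]+):(?P<level>[a-z]+)\]\s+"
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\]\s+"
    r"(?:\((?P<errno>\d+)\)(?P<errtext>[^:]*):\s*)?"
    r"(?:\[client (?P<client>[^\]]+)\]\s+)?"
    r"(?:(?P<code>AH\d{5}):\s+)?"
    r"(?P<message>.*)$"
)
# "pass request body failed to 0.0.0.0:0 (httpd-UDS)": 0.0.0.0:0 is what httpd
# prints when the backend is a Unix domain socket (the httpd-UDS tag).
BACKEND = re.compile(r"failed to (\S+)")

SAMPLE_LOG = """\
[Thu May 03 09:50:00.000000 2018] [core:notice] [pid 16265:tid 140079032899328] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu May 03 09:51:38.478737 2018] [proxy:error] [pid 16265:tid 140079032899328] (20014)Internal error (specific information not available): [client 192.168.46.252:35086] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Thu May 03 09:51:38.478773 2018] [proxy_http:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35086] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 192.168.46.252 ()
[Thu May 03 09:51:40.000000 2018] [authz_core:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35090] AH01630: client denied by server configuration: /var/www/html/private
"""


@dataclass
class LogEvent:
    timestamp: str
    module: str
    level: str
    pid: int
    tid: Optional[int]
    errno: Optional[int]
    client: Optional[str]
    code: Optional[str]
    message: str

    @property
    def backend(self) -> Optional[str]:
        """Backend address named in a 'failed to ...' proxy message, if any."""
        m = BACKEND.search(self.message)
        return m.group(1) if m else None


def parse_error_log(text: str) -> List[LogEvent]:
    """Parse every line in ErrorLogFormat; lines in other shapes are skipped."""
    events: List[LogEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m is None:
            continue  # module noise or stack traces: not a structured event
        events.append(LogEvent(
            timestamp=m["ts"], module=m["module"], level=m["level"],
            pid=int(m["pid"]), tid=int(m["tid"]) if m["tid"] else None,
            errno=int(m["errno"]) if m["errno"] else None,
            client=m["client"], code=m["code"], message=m["message"],
        ))
    return events


def proxy_failures(events: List[LogEvent]) -> List[LogEvent]:
    """Errors logged by mod_proxy and its submodules (proxy_http, ...)."""
    return [e for e in events
            if e.module.split("_")[0] == "proxy" and e.level == "error"]


def count_by_code(events: List[LogEvent]) -> Dict[str, int]:
    """How often each AH code appears; handy for spotting a repeating failure."""
    return dict(Counter(e.code or "none" for e in events))


if __name__ == "__main__":
    for e in proxy_failures(parse_error_log(SAMPLE_LOG)):
        print(f"{e.timestamp} {e.code} client={e.client} "
              f"backend={e.backend}: {e.message}")
```

Run against a real error_log, the proxy_failures list tells you whether the 400 the replica saw lines up with httpd failing to hand the request body to its backend, which is what both AH01084 and AH01097 report here.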
On Fri, 04 May 2018, Brian Weaver via FreeIPA-users wrote:
Sadly, nothing now. It would be whatever was standard in a FC 27 install. I had to abandon FreeIPA due to time constraints and I moved back to stock Bind9. System Admin work is one of those "extra" tasks I have and not my primary job. I simply ran out of time; 4 days of lost productivity has my management a bit unhappy. Sorry I didn't save the VM.
I did find one other quirk of using FreeIPA vs stock Bind9. Seems that FreeIPA will allow you to create a hostname with an underscore. Bind9 complained bitterly about that. It'd have been nice if FreeIPA would have warned or prohibited me from adding the underscore in the first place. Granted it may be that Bind9 is being too restrictive.
"check-names ignore;" in the named.conf would have enabled you to deal with underscores in hostnames in Bind9.
http://www.zytrax.com/books/dns/ch7/zone.html#check-names
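The underscore quirk above comes down to two different rules: the DNS itself allows any character in a label (which is why _ldap._tcp SRV owners are fine), but a hostname under RFC 952/1123 is limited to letters, digits and hyphens, and that is the rule BIND's default check-names applies to the owner names of A, AAAA and MX records. As an added example, not FreeIPA or BIND code, here is a checker that applies the right rule per record type, so a record can be rejected before it ever reaches the zone; every name in it is constructed and the function names are this example's own.

```python
"""Validate DNS owner names before they reach a zone.

Added example, not FreeIPA or BIND code. The DNS wire format accepts any
octet in a label, but a *hostname* (RFC 952 / RFC 1123) is limited to
letters, digits and hyphens; BIND's default check-names enforces that on
the owner names of A, AAAA and MX records, which is why an underscore
that FreeIPA accepted was rejected by named. All names below are
constructed.
"""
import re
from typing import List

MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # RFC 1035 presentation-form limit (255 on the wire)

# letters/digits/hyphen, no leading or trailing hyphen
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Record types whose owner names must be hostnames (assumption: the set
# BIND's check-names applies the hostname rule to is at least these).
HOSTNAME_RRTYPES = {"A", "AAAA", "MX"}


def split_labels(name: str) -> List[str]:
    """Split a name into labels, accepting a trailing dot (absolute name)."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def dns_name_problems(name: str) -> List[str]:
    """Structural checks that apply to every RR type."""
    problems: List[str] = []
    labels = split_labels(name)
    if not labels:
        return ["empty name"]
    if len(name.rstrip(".")) > MAX_NAME:
        problems.append(f"name longer than {MAX_NAME} characters")
    for label in labels:
        if label == "":
            problems.append("empty label (consecutive dots)")
        elif len(label) > MAX_LABEL:
            problems.append(f"label {label!r} longer than {MAX_LABEL} characters")
    return problems


def hostname_problems(name: str) -> List[str]:
    """Structural checks plus the RFC 952/1123 letters-digits-hyphen rule."""
    problems = dns_name_problems(name)
    for label in split_labels(name):
        if label and len(label) <= MAX_LABEL and not LDH_LABEL.match(label):
            problems.append(
                f"label {label!r} is not a valid hostname label "
                "(letters, digits and hyphens only, no leading/trailing hyphen)"
            )
    return problems


def check_owner_name(name: str, rrtype: str) -> List[str]:
    """Return the problems with `name` as the owner of an `rrtype` record.

    An empty list means the record would pass. Underscore labels such as
    `_ldap._tcp` are fine for SRV/TXT owners but not for A/AAAA/MX owners.
    """
    if rrtype.upper() in HOSTNAME_RRTYPES:
        return hostname_problems(name)
    return dns_name_problems(name)


if __name__ == "__main__":
    # Constructed records, in the spirit of the thread's underscore mishap.
    for owner, rrtype in [
        ("my_host.ipa.domain", "A"),
        ("_ldap._tcp.ipa.domain", "SRV"),
        ("web-1.ipa.domain", "AAAA"),
    ]:
        verdict = check_owner_name(owner, rrtype) or ["ok"]
        print(f"{rrtype:5} {owner:25} -> {'; '.join(verdict)}")
```

Wiring a check like this in front of whatever adds records (a provisioning script, a DNS API wrapper) gives the warning Brian wished for at the moment the underscore is typed, rather than when named refuses to load the zone. Relaxing named with "check-names ignore;" makes the zone load, but the hostname will still be rejected by resolvers and libraries that apply the RFC 952 rule themselves.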
Ok, sorry you had such a lousy experience.
I think this is related to a change made in httpd recently that broke proxy support in mod_nss. There is a pending change in mod_nss to address this but it is stuck in updates-testing so I suspect you didn't have the fixed version.
rob
On Thu, May 3, 2018 at 11:40 AM, Rob Crittenden <rcritten@redhat.com> wrote:
Brian Weaver wrote:
On Thu, May 3, 2018 at 10:45 AM, Rob Crittenden <rcritten@redhat.com> wrote:
--
/* insert witty comment here */
I'll try again in the future when time permits. I understand things break; bad timing in many respects.
I'm not sour on FreeIPA so much as frustrated with the fact that so many issues aligned badly at once in my environment.
On Fri, May 4, 2018 at 10:23 AM, Rob Crittenden rcritten@redhat.com wrote: