View Issue Details

IDProjectCategoryView StatusLast Update
0008252Rocky-Linux-8ipapublic2024-11-27 05:27
ReporterDieter Kvasnicka Assigned ToLouis Abel  
PrioritynormalSeveritymajorReproducibilityalways
Status needinfoResolutionopen 
PlatformIntelOSRocky LinuxOS Version8.10
Summary0008252: ipa-replica-install does not work with parameter --setup-ca due to certificate problems
DescriptionReplication of the certificate authority (CA) fails when trying to start pki-tomcat.
pki-tomcat service does not start, which leads to a failure of the installation.

Two methods are equal:
* ipa-replica-install --setup-ca
* ipa-ca-install
both give the same error.
Steps To Reproduce1. Have a running ipa server, including CA
2. On another host, run
  ipa-replica-install --setup-ca

After failure of the installation, a cleanup is required
* ipa-server-install --uninstall (on the replica host)
* remove replica host from ipa with
  ipa server-del –force $replica_host
Additional Information> rpm -qa | grep ipa-server-4
ipa-server-4.9.13-12.module+el8.10.0+1845+84a5752e.x86_64

Workaround (see also https://bugzilla.redhat.com/show_bug.cgi?id=1358752, comment 59)
* ipa-replica-install without --setup-ca
* ipa-certupdate on primary ipa server and ipa replica
* ipa-ca-install
TagsNo tags attached.

Activities

Louis Abel

Louis Abel

2024-11-18 08:08

administrator   ~0008812

Thank you for the report. I have setup a lab of two domain controllers using Rocky Linux 8 using the following commands:

# ipa server
hostnamectl set-hostname ipa01.etcskel.com
ipa-server-install --setup-ca --realm ETCSKEL.COM --domain etcskel.com -p "password1" -a "password1" --ip-address 10.100.0.156
firewall-cmd --add-service freeipa-4
firewall-cmd --add-service dns
firewall-cmd --runtime-to-permanent

# ipa replica
hostnamectl set-hostname ipa02.etcskel.com
ipa-client-install --realm ETCSKEL.COM --domain etcskel.com
firewall-cmd --add-service freeipa-4
firewall-cmd --add-service dns
firewall-cmd --runtime-to-permanent
ipa-replica-install --setup-ca --ip-address 10.100.0.157

This yields a successful installation.

[root@ipa02 ~]# ipa config-show
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: etcskel.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: False
  Certificate Subject base: O=ETCSKEL.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: ipa01.etcskel.com, ipa02.etcskel.com
  IPA master capable of PKINIT: ipa01.etcskel.com, ipa02.etcskel.com
  IPA CA servers: ipa01.etcskel.com, ipa02.etcskel.com
  IPA CA renewal master: ipa01.etcskel.com
  IPA DNS servers: ipa01.etcskel.com
[root@ipa02 ~]# ipa server-role-show ipa02.etcskel.com "CA server"
  Server name: ipa02.etcskel.com
  Role name: CA server
  Role status: enabled
[root@ipa02 ~]# ipa server-role-show ipa01.etcskel.com "CA server"
  Server name: ipa01.etcskel.com
  Role name: CA server
  Role status: enabled

--

What are the resources on these systems (CPU, RAM)

Did your original IPA server start with a CA in the beginning and you added a CA after? Your referenced workaround is on a bug report for going from CA-less to CA-full.

Can you provide logs of pki-tomcat, ipaserver-install.log from the original IPA server, and ipareplica-install.log from the original failure?
Dieter Kvasnicka

Dieter Kvasnicka

2024-11-18 09:28

reporter   ~0008813

Due to size limitations, I have to send the log files separately.
Here is the ipaserver-install.log
ipaserver-install.log (4,479,518 bytes)
Dieter Kvasnicka

Dieter Kvasnicka

2024-11-18 09:29

reporter   ~0008814

And the ipareplica-install.log
ipareplica-install.log (677,761 bytes)
Dieter Kvasnicka

Dieter Kvasnicka

2024-11-18 09:33

reporter   ~0008815

Thank you for the quick answer.

The hosts have 64GB RAM and 16 VCPUs each, running in an OpenStack environment.

I did not install the CA on the ipaserver at all, this was done somewhere automatically.
With ipa server-role-show it says 'enabled'.

The workaround is several years old and a bit different from my situation, but it is where I got the inspiration for the workaround.

The logs for ipaserver-install and ipareplica-install have been submitted separately.
For pki-tomcat I do not have any useful log, except for the lines
-------------------------------
grep "pki-tomcatd@pki-tomcat" /var/log/messages
Nov 18 10:03:39 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Succeeded.
Nov 18 10:03:58 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Succeeded.
Nov 18 10:05:35 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping.
Nov 18 10:05:43 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'.
-------------------------------

I will try again with adding the parameter --setup-ca:
ipaserver-install --setup-ca
Dieter Kvasnicka

Dieter Kvasnicka

2024-11-18 11:48

reporter   ~0008816

Sorry, but my 'ipa-server-install' does not have a parameter '--setup-ca'.

Do you have any other version than this one?

# dnf info ipa-server
Last metadata expiration check: 0:55:23 ago on Mon 18 Nov 2024 11:51:43 AM CET.
Installed Packages
Name : ipa-server
Version : 4.9.13
Release : 12.module+el8.10.0+1845+84a5752e
Architecture : x86_64
Size : 1.1 M
Source : ipa-4.9.13-12.module+el8.10.0+1845+84a5752e.src.rpm
Repository : @System
From repo : appstream
Summary : The IPA authentication server
URL : http://www.freeipa.org/
License : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (users,
             : hosts, services), Authentication (SSO, 2FA), and Authorization
             : (host access control, SELinux user roles, services). The solution provides
             : features for further integration with Linux based clients (SUDO, automount)
             : and integration with Active Directory based infrastructures (Trusts).
             : If you are installing an IPA server, you need to install this package.
Louis Abel

Louis Abel

2024-11-27 01:30

administrator   ~0008912

No, --setup-ca was simply a typo on my end. Regardless, I cannot reproduce your issue.

I would look through /var/log/pki/pki-tomcat for logs that may provide a stacktraces of the possible issue and provide them here. Not all issues with pki-tomcat are logged in the journal or syslog.
Dieter Kvasnicka

Dieter Kvasnicka

2024-11-27 05:27

reporter   ~0008919

OK. Thanks. I'll try to track it further down.

Otherwise, if it works for you I expect it to work for other people, too.

Issue History

Date Modified Username Field Change
2024-11-18 07:16 Dieter Kvasnicka New Issue
2024-11-18 08:08 Louis Abel Assigned To => Louis Abel
2024-11-18 08:08 Louis Abel Status new => needinfo
2024-11-18 08:08 Louis Abel Note Added: 0008812
2024-11-18 09:28 Dieter Kvasnicka Note Added: 0008813
2024-11-18 09:28 Dieter Kvasnicka File Added: ipaserver-install.log
2024-11-18 09:29 Dieter Kvasnicka Note Added: 0008814
2024-11-18 09:29 Dieter Kvasnicka File Added: ipareplica-install.log
2024-11-18 09:33 Dieter Kvasnicka Note Added: 0008815
2024-11-18 11:48 Dieter Kvasnicka Note Added: 0008816
2024-11-27 01:30 Louis Abel Note Added: 0008912
2024-11-27 05:27 Dieter Kvasnicka Note Added: 0008919