View Issue Details

Field | Value |
---|---|
ID | 0008252 |
Project | Rocky-Linux-8 |
Category | ipa |
View Status | public |
Date Submitted | 2024-11-18 07:16 |
Last Update | 2024-11-27 05:27 |
Reporter | Dieter Kvasnicka |
Assigned To | Louis Abel |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | needinfo |
Resolution | open |
Platform | Intel |
OS | Rocky Linux |
OS Version | 8.10 |
Summary | 0008252: ipa-replica-install does not work with parameter --setup-ca due to certificate problems |
Tags | No tags attached. |

Description

Replication of the certificate authority (CA) fails when trying to start pki-tomcat. The pki-tomcat service does not start, which leads to a failure of the installation. Two methods are equivalent:

* ipa-replica-install --setup-ca
* ipa-ca-install

Both give the same error.

Steps To Reproduce

1. Have a running ipa server, including CA.
2. On another host, run ipa-replica-install --setup-ca.

After failure of the installation, a cleanup is required:

* ipa-server-install --uninstall (on the replica host)
* remove the replica host from ipa with ipa server-del --force $replica_host

Additional Information

```
> rpm -qa | grep ipa-server-4
ipa-server-4.9.13-12.module+el8.10.0+1845+84a5752e.x86_64
```

Workaround (see also https://bugzilla.redhat.com/show_bug.cgi?id=1358752, comment 59):

* ipa-replica-install without --setup-ca
* ipa-certupdate on primary ipa server and ipa replica
* ipa-ca-install
Note 0008812 (Louis Abel, 2024-11-18 08:08)

Thank you for the report. I have set up a lab of two domain controllers using Rocky Linux 8 using the following commands:

```shell
# ipa server
hostnamectl set-hostname ipa01.etcskel.com
ipa-server-install --setup-ca --realm ETCSKEL.COM --domain etcskel.com -p "password1" -a "password1" --ip-address 10.100.0.156
firewall-cmd --add-service freeipa-4
firewall-cmd --add-service dns
firewall-cmd --runtime-to-permanent

# ipa replica
hostnamectl set-hostname ipa02.etcskel.com
ipa-client-install --realm ETCSKEL.COM --domain etcskel.com
firewall-cmd --add-service freeipa-4
firewall-cmd --add-service dns
firewall-cmd --runtime-to-permanent
ipa-replica-install --setup-ca --ip-address 10.100.0.157
```

This yields a successful installation.

```
[root@ipa02 ~]# ipa config-show
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: etcskel.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: False
  Certificate Subject base: O=ETCSKEL.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: ipa01.etcskel.com, ipa02.etcskel.com
  IPA master capable of PKINIT: ipa01.etcskel.com, ipa02.etcskel.com
  IPA CA servers: ipa01.etcskel.com, ipa02.etcskel.com
  IPA CA renewal master: ipa01.etcskel.com
  IPA DNS servers: ipa01.etcskel.com
[root@ipa02 ~]# ipa server-role-show ipa02.etcskel.com "CA server"
  Server name: ipa02.etcskel.com
  Role name: CA server
  Role status: enabled
[root@ipa02 ~]# ipa server-role-show ipa01.etcskel.com "CA server"
  Server name: ipa01.etcskel.com
  Role name: CA server
  Role status: enabled
```

--

What are the resources on these systems (CPU, RAM)? Did your original IPA server start with a CA in the beginning and you added a CA after? Your referenced workaround is on a bug report for going from CA-less to CA-full. Can you provide logs of pki-tomcat, ipaserver-install.log from the original IPA server, and ipareplica-install.log from the original failure?
Note 0008813 (Dieter Kvasnicka, 2024-11-18 09:28)

Due to size limitations, I have to send the log files separately. Here is the ipaserver-install.log (file attached: ipaserver-install.log).
Note 0008814 (Dieter Kvasnicka, 2024-11-18 09:29)

And the ipareplica-install.log (file attached: ipareplica-install.log).
Note 0008815 (Dieter Kvasnicka, 2024-11-18 09:33)

Thank you for the quick answer. The hosts have 64GB RAM and 16 VCPUs each, running in an OpenStack environment. I did not install the CA on the ipaserver at all, this was done somewhere automatically. With ipa server-role-show it says 'enabled'. The workaround is several years old and a bit different from my situation, but it is where I got the inspiration for the workaround. The logs for ipaserver-install and ipareplica-install have been submitted separately. For pki-tomcat I do not have any useful log, except for the lines

```
grep "pki-tomcatd@pki-tomcat" /var/log/messages
Nov 18 10:03:39 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Succeeded.
Nov 18 10:03:58 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Succeeded.
Nov 18 10:05:35 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping.
Nov 18 10:05:43 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'.
```

I will try again with adding the parameter --setup-ca: ipaserver-install --setup-ca
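The syslog excerpt in the note above is the only evidence the reporter has from the journal: systemd gave up waiting on the unit's start-post step and recorded the result as 'timeout'. The script below is an added triage helper, not part of the bug report and not Rocky Linux's or FreeIPA's own tooling. It scans journal or syslog text for the pki-tomcat unit, counts the failure events, extracts the timestamp of the first one (the window to line up against the pki-tomcat logs under /var/log/pki/pki-tomcat) and pulls out the systemd result keyword. The sample lines are constructed to mirror the excerpt (hostname devzk01 and timestamps as in the note); the sshd line is added noise to show that unrelated units are ignored.

```shell
#!/bin/sh
# Added example: triage helper for a pki-tomcatd start-post timeout.
# SAMPLE_LOG is constructed to mirror the reporter's /var/log/messages excerpt.
SAMPLE_LOG="$(cat <<'EOF'
Nov 18 10:03:39 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Succeeded.
Nov 18 10:03:58 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Succeeded.
Nov 18 10:04:02 devzk01 systemd[1]: sshd.service: Succeeded.
Nov 18 10:05:35 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping.
Nov 18 10:05:43 devzk01 systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'.
EOF
)"

# The systemd unit that ipa-replica-install --setup-ca / ipa-ca-install must bring up.
UNIT='pki-tomcatd@pki-tomcat.service'

# Print only the lines for the PKI unit that signal a failed start
# (start-post timeouts and the final "Failed with result" record).
pki_failure_lines() {
    printf '%s\n' "$1" | grep -F "$UNIT:" | grep -E 'timed out|Failed with result'
}

# Number of failure events for the unit in the given log text (0 when healthy).
count_pki_failures() {
    pki_failure_lines "$1" | grep -c . || true
}

# Syslog timestamp ("Mon DD HH:MM:SS") of the first failure event, empty if none.
# awk field splitting copes with the double space syslog uses for single-digit days.
first_failure_time() {
    pki_failure_lines "$1" | head -n 1 | awk '{print $1, $2, $3}'
}

# The systemd result keyword (e.g. "timeout") from the last "Failed with result" line.
final_result() {
    printf '%s\n' "$1" | grep -F "$UNIT: Failed with result" | tail -n 1 \
        | sed -n "s/.*Failed with result '\([^']*\)'.*/\1/p"
}

# One-line verdict: "ok" or "failed:<result>".
pki_verdict() {
    n=$(count_pki_failures "$1")
    if [ "$n" -eq 0 ]; then
        echo "ok"
    else
        echo "failed:$(final_result "$1")"
    fi
}

# Stand-alone run over the constructed sample. On a real replica, feed in
# `journalctl -u pki-tomcatd@pki-tomcat.service --no-pager` or /var/log/messages.
echo "failures: $(count_pki_failures "$SAMPLE_LOG")"
echo "first at: $(first_failure_time "$SAMPLE_LOG")"
echo "verdict:  $(pki_verdict "$SAMPLE_LOG")"
```

The journal only records that systemd's start-post check timed out; the reason Tomcat never became ready is written by the CA subsystem itself, so the timestamp this script reports is what you compare against the ca debug log under /var/log/pki/pki-tomcat on the replica.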
Note 0008816 (Dieter Kvasnicka, 2024-11-18 11:48)

Sorry, but my 'ipa-server-install' does not have a parameter '--setup-ca'. Do you have any other version than this one?

```
# dnf info ipa-server
Last metadata expiration check: 0:55:23 ago on Mon 18 Nov 2024 11:51:43 AM CET.
Installed Packages
Name         : ipa-server
Version      : 4.9.13
Release      : 12.module+el8.10.0+1845+84a5752e
Architecture : x86_64
Size         : 1.1 M
Source       : ipa-4.9.13-12.module+el8.10.0+1845+84a5752e.src.rpm
Repository   : @System
From repo    : appstream
Summary      : The IPA authentication server
URL          : http://www.freeipa.org/
License      : GPLv3+
Description  : IPA is an integrated solution to provide centrally managed Identity (users,
             : hosts, services), Authentication (SSO, 2FA), and Authorization
             : (host access control, SELinux user roles, services). The solution provides
             : features for further integration with Linux based clients (SUDO, automount)
             : and integration with Active Directory based infrastructures (Trusts).
             : If you are installing an IPA server, you need to install this package.
```
Note 0008912 (Louis Abel, 2024-11-27 01:30)

No, --setup-ca was simply a typo on my end. Regardless, I cannot reproduce your issue. I would look through /var/log/pki/pki-tomcat for logs that may provide stack traces of the possible issue and provide them here. Not all issues with pki-tomcat are logged in the journal or syslog.
Note 0008919 (Dieter Kvasnicka, 2024-11-27 05:27)

OK. Thanks. I'll try to track it further down. Otherwise, if it works for you I expect it to work for other people, too.
Date Modified | Username | Field | Change |
---|---|---|---|
2024-11-18 07:16 | Dieter Kvasnicka | New Issue | |
2024-11-18 08:08 | Louis Abel | Assigned To | => Louis Abel |
2024-11-18 08:08 | Louis Abel | Status | new => needinfo |
2024-11-18 08:08 | Louis Abel | Note Added: 0008812 | |
2024-11-18 09:28 | Dieter Kvasnicka | Note Added: 0008813 | |
2024-11-18 09:28 | Dieter Kvasnicka | File Added: ipaserver-install.log | |
2024-11-18 09:29 | Dieter Kvasnicka | Note Added: 0008814 | |
2024-11-18 09:29 | Dieter Kvasnicka | File Added: ipareplica-install.log | |
2024-11-18 09:33 | Dieter Kvasnicka | Note Added: 0008815 | |
2024-11-18 11:48 | Dieter Kvasnicka | Note Added: 0008816 | |
2024-11-27 01:30 | Louis Abel | Note Added: 0008912 | |
2024-11-27 05:27 | Dieter Kvasnicka | Note Added: 0008919 | |