Hi Rob,
Thanks for the tip.
I don't see errors that I've found before, but quite some errors.
In attachment is the result of
grep -v SUCCESS /var/log/httpd/error_log
for today.
I've also tried to replicate the error that I got with ipa-replica-install,
during the server upgrade step.
I ran ipa-server-upgrade -v on ipa02, and got the same error
"ipaserver.install.ldapupdate: ERROR Add failure attribute "cn" not
allowed".
I also see something else that is strane in the output
of ipa-server-upgrade -v:
Failed to check CA status: cannot connect to '
;: [Errno 113] No
route to host
I wonder why 8080. Shouldn't this be on 80?
[root@ipa02 ~]# curl 'http://ipa01.hq.spinque.com:8080/ca/admin/ca/getStatus
'
curl: (7) Failed connect to ipa01.hq.spinque.com:8080; No route to host
[root@ipa02 ~]# curl 'http://ipa01.hq.spinque.com/ca/admin/ca/getStatus'
<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.2.6-20.fc23</Version></XMLResponse>
Roberto
On Thu, 23 Jul 2020 at 19:08, Rob Crittenden <rcritten(a)redhat.com> wrote:
Roberto Cornacchia via FreeIPA-users wrote:
> ipa-replica-conncheck fails with --auto-master-check (used by
> ipa-ca-install), but not without:
>
>
> [root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master
>
ipa01.hq.spinque.com <
http://ipa01.hq.spinque.com> --auto-master-check
> --realm
HQ.SPINQUE.COM <
http://HQ.SPINQUE.COM> --hostname
>
ipa02.hq.spinque.com <
http://ipa02.hq.spinque.com>
> Check connection from replica to remote master 'ipa01.hq.spinque.com
> <
http://ipa01.hq.spinque.com>';:
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocoland would need to be
> checked manually:
> Kerberos KDC: UDP (88): SKIPPED
> Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> 389 tcp: Failed to bind
> 636 tcp: Failed to bind
> 88 tcp: Failed to bind
> 88 udp: Failed to bind
> 464 tcp: Failed to bind
> 464 udp: Failed to bind
> 80 tcp: Failed to bind
> 443 tcp: Failed to bind
> Get credentials to log in to remote master
> Check RPC connection to remote master
> trying
https://ipa01.hq.spinque.com/ipa/session/json
> *Connection to
https://ipa01.hq.spinque.com/ipa/session/json failed with
> <ProtocolError for
ipa01.hq.spinque.com/ipa/session/json
> <
http://ipa01.hq.spinque.com/ipa/session/json>: 500 Internal Server
Error>*
> trying
https://ipa02.hq.spinque.com/ipa/session/json
> [try 1]: Forwarding 'schema' to json server
> 'https://ipa02.hq.spinque.com/ipa/session/json'
> trying
https://ipa01.hq.spinque.com/ipa/session/json
> Connection to
https://ipa01.hq.spinque.com/ipa/session/json failed with
> <ProtocolError for
ipa01.hq.spinque.com/ipa/session/json
> <
http://ipa01.hq.spinque.com/ipa/session/json>: 500 Internal Server
Error>
> trying
https://ipa02.hq.spinque.com/ipa/session/json
> [try 1]: Forwarding 'ping/1' to json server
> 'https://ipa02.hq.spinque.com/ipa/session/json'
> Execute check on remote master
> [try 1]: Forwarding 'server_conncheck' to json server
> 'https://ipa02.hq.spinque.com/ipa/session/json'
> *ERROR: Remote master check failed with following error message(s):
> invalid 'cn': must be "ipa02.hq.spinque.com
<
http://ipa02.hq.spinque.com
>"*
>
>
> Now, without --auto-master-check:
>
> On ipa02 (I suppose the many "Failed to bind" below are expected?):
> [root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master
>
ipa01.hq.spinque.com <
http://ipa01.hq.spinque.com> --realm
>
HQ.SPINQUE.COM <
http://HQ.SPINQUE.COM> --hostname
ipa02.hq.spinque.com
> <
http://ipa02.hq.spinque.com>
> Check connection from replica to remote master 'ipa01.hq.spinque.com
> <
http://ipa01.hq.spinque.com>';:
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocoland would need to be
> checked manually:
> Kerberos KDC: UDP (88): SKIPPED
> Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> 389 tcp: Failed to bind
> 636 tcp: Failed to bind
> 88 tcp: Failed to bind
> 88 udp: Failed to bind
> 464 tcp: Failed to bind
> 464 udp: Failed to bind
> 80 tcp: Failed to bind
> 443 tcp: Failed to bind
> Listeners are started. Use CTRL+C to terminate the listening part after
> the test.
>
> Please run the following command on remote master:
> /usr/sbin/ipa-replica-conncheck --replica
ipa02.hq.spinque.com
> <
http://ipa02.hq.spinque.com>
> ^C
> Cleaning up...
>
> On ipa01:
> [root@ipa01 ~]# /usr/sbin/ipa-replica-conncheck --replica
>
ipa02.hq.spinque.com <
http://ipa02.hq.spinque.com>
> Check connection from master to remote replica 'ipa02.hq.spinque.com
> <
http://ipa02.hq.spinque.com>';:
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos KDC: UDP (88): WARNING
> Kerberos Kpasswd: TCP (464): OK
> Kerberos Kpasswd: UDP (464): WARNING
> HTTP Server: Unsecure port (80): OK
> HTTP Server: Secure port (443): OK
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
>
> Connection from master to replica is OK.
>
>
>
> On Thu, 23 Jul 2020 at 15:15, Roberto Cornacchia
> <roberto.cornacchia(a)gmail.com <mailto:roberto.cornacchia@gmail.com>>
wrote:
>
> Hi,
>
> I have successfully created a replica from a 4.2.4 master (ipa01)
> into a new 4.6.6 master (ipa02).
>
> I did it without --setup-ca option (because it had failed), so the
> only CA is still on the 4.2.4 server (ipa01).
>
> When I try to setup theCA on ipa02 (the same replica file was used
> with ipa-replica-install), this fails:
>
> $ ipa-ca-install replica-info-ipa02.hq.spinque.com.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Connection check failed!
> See /var/log/ipareplica-conncheck.log for more information.
> If the check results are not valid it can be skipped with
> --skip-conncheck parameter.
>
> The log of conncheck (generated by ipa-ca-install) is in attachment.
> In there, I can see a couple of things going wrong:
>
> ProtocolError: <ProtocolError for
>
ipa01.hq.spinque.com/ipa/session/json
> <
http://ipa01.hq.spinque.com/ipa/session/json>: 500 Internal Server
> Error>
> ...
> 2020-07-23T12:20:50Z ERROR ERROR: Remote master check failed with
> following error message(s):
> invalid 'cn': must be "ipa02.hq.spinque.com
> <
http://ipa02.hq.spinque.com>"
>
> Not sure if relevant, but also ipa-replica-install, though it
> completed successfully, gave this error:
>
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
> [1/10]: stopping directory server
> [2/10]: saving configuration
> [3/10]: disabling listeners
> [4/10]: enabling DS global lock
> [5/10]: disabling Schema Compat
> [6/10]: starting directory server
> [7/10]: upgrading server
> ipaserver.install.ldapupdate: ERROR Add failure attribute "cn"
> not allowed
> [8/10]: stopping directory server
> [9/10]: restoring configuration
> [10/10]: starting directory server
>
>
> Could you please help me find the issue?
Look on
ipa01.hq.spinque.com in /var/log/httpd/error_log for those
internal errors.
rob