Thanks Rob.
Great suggestion - new error. So close.
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR 406 Client Error: Failed to validate message: No recipient
matched the provided key["Failed: [ValueError('Decryption failed.',)]"]
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
Same info in the log file too -- off to investigate.
K
On 2/28/18 21:58, Rob Crittenden wrote:
Uncommonkat wrote:
> Since I have other CAs, is there an easy way to uninstall just the CA on one?
There is no way to uninstall a CA without removing the entire master.
I have a better idea.
Uninstall the failed replica and create /etc/ipa/installer.conf with the
contents:
[global]
ca_host = <the CA you want to point to>
Re-run ipa-replica-install and it should work.
Post-install make sure there is a similar ca_host entry in
/etc/ipa/default.conf and things should be fine.
You won't need installer.conf post-install so remove it afterwards.
If you ever decide to install a CA on this replica it would be a good
idea to remove that entry first. In all likelihood the CA installer
would update/replace it anyway but better safe than sorry.
I haven't tested this but it came at me like a bolt of lightning so it
can't be wrong, right?
rob
>> On Feb 28, 2018, at 16:54, Rob Crittenden <rcritten(a)redhat.com> wrote:
>>
>> Kat via FreeIPA-users wrote:
>>> Ok, here I go again - this does not make sense. Looking at this
>>> topology - but for a moment, ignore IPAP1, as that is the one I am
>>> trying to add:
>>>
>>>
>>> The problem is - IPAC1 is on the other side of a firewall from IPAP1,
>>> and only IPAC is permitted to talk to it, but that should not be a problem.
>>>
>>> When I add IPAP1 in as a replica, it gets as far as:
>>>
>>> Continue? [no]: yes
>>> Run connection check to master
>>> Connection check OK
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> [3/4]: configuring ntpd to start on boot
>>> [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv). Estimated time: 30 seconds
>>> [1/40]: creating directory server instance
>>> [2/40]: enabling ldapi
>>> [3/40]: configure autobind for root
>>> [4/40]: stopping directory server
>>> [5/40]: updating configuration in dse.ldif
>>> [6/40]: starting directory server
>>> [7/40]: adding default schema
>>> [8/40]: enabling memberof plugin
>>> [9/40]: enabling winsync plugin
>>> [10/40]: configuring replication version plugin
>>> [11/40]: enabling IPA enrollment plugin
>>> [12/40]: configuring uniqueness plugin
>>> [13/40]: configuring uuid plugin
>>> [14/40]: configuring modrdn plugin
>>> [15/40]: configuring DNS plugin
>>> [16/40]: enabling entryUSN plugin
>>> [17/40]: configuring lockout plugin
>>> [18/40]: configuring topology plugin
>>> [19/40]: creating indices
>>> [20/40]: enabling referential integrity plugin
>>> [21/40]: configuring certmap.conf
>>> [22/40]: configure new location for managed entries
>>> [23/40]: configure dirsrv ccache
>>> [24/40]: enabling SASL mapping fallback
>>> [25/40]: restarting directory server
>>> [26/40]: creating DS keytab
>>> [27/40]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress, 3 seconds elapsed
>>> Update succeeded
>>>
>>> [28/40]: adding sasl mappings to the directory
>>> [29/40]: updating schema
>>> [30/40]: setting Auto Member configuration
>>> [31/40]: enabling S4U2Proxy delegation
>>> [32/40]: initializing group membership
>>> [33/40]: adding master entry
>>> [34/40]: initializing domain level
>>> [35/40]: configuring Posix uid/gid generation
>>> [36/40]: adding replication acis
>>> [37/40]: activating sidgen plugin
>>> [38/40]: activating extdom plugin
>>> [39/40]: tuning directory server
>>> [40/40]: configuring directory to start on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring Kerberos KDC (krb5kdc)
>>> [1/5]: configuring KDC
>>> [2/5]: adding the password extension to the directory
>>> [3/5]: creating anonymous principal
>>> [4/5]: starting the KDC
>>> [5/5]: configuring KDC to start on boot
>>> Done configuring Kerberos KDC (krb5kdc).
>>> Configuring kadmin
>>> [1/2]: starting kadmin
>>> [2/2]: configuring kadmin to start on boot
>>> Done configuring kadmin.
>>> Configuring directory server (dirsrv)
>>> [1/3]: configuring TLS for DS instance
>>> [2/3]: importing CA certificates from LDAP
>>> [3/3]: restarting directory server
>>> Done configuring directory server (dirsrv).
>>> Configuring the web interface (httpd)
>>> [1/22]: stopping httpd
>>> [2/22]: setting mod_nss port to 443
>>> [3/22]: setting mod_nss cipher suite
>>> [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
>>> [5/22]: setting mod_nss password file
>>> [6/22]: enabling mod_nss renegotiate
>>> [7/22]: disabling mod_nss OCSP
>>> [8/22]: adding URL rewriting rules
>>> [9/22]: configuring httpd
>>> [10/22]: setting up httpd keytab
>>> [11/22]: configuring Gssproxy
>>> [12/22]: setting up ssl
>>> [13/22]: configure certmonger for renewals
>>> [14/22]: importing CA certificates from LDAP
>>> [15/22]: publish CA cert
>>> [16/22]: clean up any existing httpd ccaches
>>> [17/22]: configuring SELinux for httpd
>>> [18/22]: create KDC proxy config
>>> [19/22]: enable KDC proxy
>>> [20/22]: starting httpd
>>> [21/22]: configuring httpd to start on boot
>>> [22/22]: enabling oddjobd
>>> Done configuring the web interface (httpd).
>>> Configuring ipa-otpd
>>> [1/2]: starting ipa-otpd
>>> [2/2]: configuring ipa-otpd to start on boot
>>> Done configuring ipa-otpd.
>>> Configuring ipa-custodia
>>> [1/4]: Generating ipa-custodia config file
>>> [2/4]: Generating ipa-custodia keys
>>> [3/4]: starting ipa-custodia
>>> [4/4]: configuring ipa-custodia to start on boot
>>> Done configuring ipa-custodia.
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>>> ERROR Timed out trying to obtain keys.
>>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>>> ERROR The ipa-replica-install command failed. See
>>> /var/log/ipareplica-install.log for more information
>>>
>>> and the ipareplica-install.log shows:
>>>
>>> 2018-02-28T11:52:23Z INFO Waiting up to 300 seconds to see our keys
>>> appear on host: ipac1
>>> 2018-02-28T11:54:30Z DEBUG Transient error getting keys: '{'desc':
>>> "Can't contact LDAP server"}'
>>>
>>> 2018-02-28T11:58:47Z DEBUG The ipa-replica-install command failed,
>>> exception: RuntimeError: Timed out trying to obtain keys.
>>> 2018-02-28T11:58:47Z ERROR Timed out trying to obtain keys.
>>> 2018-02-28T11:58:47Z ERROR The ipa-replica-install command failed. See
>>> /var/log/ipareplica-install.log for more information
>>>
>>>
>>> and yet:
>>>
>>> # ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> ntpd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>>
>>> AND if I add a user on the far end server - ipac1 - it shows up
>>> immediately on ipap1.
>>>
>>> But, if I try to restart IPAP1 -
>>>
>>> # ipactl restart
>>> Upgrade required: please run ipa-server-upgrade command
>>> Aborting ipactl
>>>
>>> [root@ipap1 ~]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> ntpd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>>
>>> So I know something is wrong and I can't leave it this way, but I just
>>> don't see what is going on here - can SOMEONE point me in the right
>>> direction, please? I don't understand why it won't just rely on IPAP
>>> which is the server it is connected to.
>> Getting the keys is a completely separate operation from setting up the
>> replication agreement for user data. That is why changing values works.
>>
>> What I think is happening is it is just picking one of the available
>> hosts advertising itself as a CA and it just happens to be picking that
>> one. This is done in an LDAP search in ipaserver/plugins/dogtag.py::ca_host.
>>
>> It's a matter of context. This function is used in multiple places to
>> decide which CA to use, preferring itself. You could run into this
>> randomly post-install anyway anytime a CA was needed, for example you
>> did a cert-find on this master, it would need to pick a CA to forward
>> the request to.
>>
>> I don't think we anticipated anyone walling off one master from another.
>> You can file a bug on this.
>>
>> rob
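Added example (not from the thread and not FreeIPA's own code): a small helper that does the two things the exchange above boils down to. First it reads ipareplica-install.log for the "Waiting ... to see our keys appear on host:" line to find which CA master the installer picked for the custodia key exchange, and whether the log also shows "Can't contact LDAP server" for it. Second it renders the /etc/ipa/installer.conf that Rob suggests ([global] / ca_host = ...) and pins the same ca_host into a default.conf-style file after the install. The hostnames, the sample log lines and sample default.conf, the file paths, and the probed ports (389 for LDAP, 443 for HTTPS) are assumptions made for this example; the two log lines are trimmed copies of the ones Kat posted.

```python
"""Find which CA a FreeIPA replica install tried to fetch its custodia keys
from, and pin a reachable CA via installer.conf / default.conf.

Example code written for this thread; it is not part of FreeIPA.
All hosts, paths, ports and sample file contents below are assumptions.
"""
import configparser
import io
import re
import socket

# Constructed sample: the two relevant lines from Kat's ipareplica-install.log.
SAMPLE_LOG = """\
2018-02-28T11:52:23Z INFO Waiting up to 300 seconds to see our keys appear on host: ipac1
2018-02-28T11:54:30Z DEBUG Transient error getting keys: '{'desc': "Can't contact LDAP server"}'
"""

# Constructed sample /etc/ipa/default.conf without a ca_host entry (hostnames invented).
SAMPLE_DEFAULT_CONF = """\
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = ipap1.example.test
host = ipap1.example.test
xmlrpc_uri = https://ipap1.example.test/ipa/xml
enable_ra = True
"""

KEY_HOST_RE = re.compile(r"see our keys appear on host: (\S+)")
LDAP_DOWN_RE = re.compile(r"Can't contact LDAP server")


def custodia_key_host(log_text):
    """Return (host, ldap_unreachable): the CA host the installer waited on
    for its custodia keys, and whether the log shows its LDAP was unreachable."""
    host = None
    for line in log_text.splitlines():
        m = KEY_HOST_RE.search(line)
        if m:
            host = m.group(1)   # keep the last occurrence
    return host, bool(LDAP_DOWN_RE.search(log_text))


def reachable(host, ports=(389, 443), timeout=3.0):
    """TCP-connect probe of the ports this example assumes the replica needs
    on its CA (LDAP for the key exchange, HTTPS for cert requests)."""
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError:
            return False
    return True


def render_installer_conf(ca_host):
    """Contents of /etc/ipa/installer.conf as suggested in the thread."""
    return "[global]\nca_host = {}\n".format(ca_host)


def pin_ca_host(conf_text, ca_host):
    """Return conf_text with ca_host set in [global], replacing any old value.
    Note: configparser drops comments, so diff the result before installing it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str        # keep key spelling as written in the file
    cp.read_string(conf_text)
    if not cp.has_section("global"):
        cp.add_section("global")
    cp.set("global", "ca_host", ca_host)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def ca_host_of(conf_text):
    """The ca_host currently pinned in a default.conf-style text, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("global", "ca_host", fallback=None)


if __name__ == "__main__":
    # Illustrative flow on the constructed samples; real use would read
    # /var/log/ipareplica-install.log and /etc/ipa/default.conf.
    picked, ldap_down = custodia_key_host(SAMPLE_LOG)
    print("installer waited on CA host %s (LDAP unreachable: %s)" % (picked, ldap_down))
    wanted = "ipac.example.test"          # assumed: the CA on our side of the firewall
    print("reachable(%s): %s" % (wanted, reachable(wanted, timeout=1.0)))
    print("--- /etc/ipa/installer.conf ---")
    print(render_installer_conf(wanted), end="")
    print("--- default.conf after pinning ---")
    print(pin_ca_host(SAMPLE_DEFAULT_CONF, wanted), end="")
```

Run it before re-running ipa-replica-install: if the host named in the log is the one behind the firewall and reachable() fails for it but succeeds for the CA you can reach, write render_installer_conf() output to /etc/ipa/installer.conf, re-run the install, then apply pin_ca_host() to /etc/ipa/default.conf and remove installer.conf, as Rob describes. Because configparser rewrites the whole file and discards comments, review the diff against the original default.conf before putting it in place.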