Hello.
I can't add a replica to an existing master server. The FreeIPA version is 4.9.2 on CentOS 8 in Docker.
From the replica side it looks like this:
freeipa-replica_1 | Configuring directory server (dirsrv)
freeipa-replica_1 |   [1/3]: configuring TLS for DS instance
freeipa-replica_1 |   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://ipa1.srv.DOMAIN.com/ipa/json failed request, will retry: 907 (cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied).)
freeipa-replica_1 | Your system may be partly configured.
freeipa-replica_1 | Run /usr/sbin/ipa-server-install --uninstall to clean up.
freeipa-replica_1 |
freeipa-replica_1 | FreeIPA server configuration failed.
Also, I see the same error when running ipa cert-show on the master:
# ipa cert-show 1
ipa: ERROR: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/certs/1': [Errno 13] Permission denied
And third place is in web interface Authentication --> Certificate Authorities
Here are the logs from /var/log/httpd/error_log with debug enabled in /etc/ipa/server.conf:
[Wed Oct 20 19:50:40.730514 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: cert_request('[...] AyBgkrBgEEAYI3FAIBAQAEIh4gAGMAYQBJAFAAQQBzAGUAcgB2AGkAYwBlAEMAZQByAHQwDQYJKoZIhvcNAQELBQADggEBAIDSuXsB+ZfJBG4eKVSAD1d3fxZErNFnmtqLBYguCBiv+eGANTcfJBoqXpfM8ZK4IvyInF7jiMELZNnwRvSZNrTPfhWGlb8i2fWVU872QTD5qbQ6D/lmD0xbR4PQ6VTSCsskCndrgaK6kFNPtXEPw8Y1RlMVEXUq9BF7H3Zc4aUWp1AbQFXJaZb/F0sRDyKgN4imxnA+odi/hfk7IeLLQG+fqzpooeLDMjV1aAQF9nWfe8Uy0ofbIzDN4FGMH/xvHjId93qC9RLlSzom/VE264FrL2kPZNrShhsfUJnEfj+DV3AYurStJRnpvadU33jwenYmSkmgNCPL/RCa1MzjpQQ=', profile_id='caIPAserviceCert', principal='ldap/ipa2.srv.DOMAIN.com@SRV.DOMAIN.COM', add=True, version='2.240')
[Wed Oct 20 19:50:40.731430 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: cert_request(<cryptography.hazmat.backends.openssl.x509._CertificateSigningRequest object at 0x7f23fdcbb278>, request_type='pkcs10', profile_id='caIPAserviceCert', cacn='ipa', principal=ipapython.kerberos.Principal('ldap/ipa2.srv.DOMAIN.com@SRV.DOMAIN.COM'), add=True, chain=False, all=False, raw=False, version='2.240')
[Wed Oct 20 19:50:40.731670 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.731745 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.736607 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_show('ipa', chain=False, all=False, version='2.240')
[Wed Oct 20 19:50:40.736869 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_show('ipa', rights=False, chain=False, all=False, raw=False, version='2.240')
[Wed Oct 20 19:50:40.737119 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.737256 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.743096 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: request GET https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login
[Wed Oct 20 19:50:40.743235 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: request body ''
[Wed Oct 20 19:50:40.745172 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: httplib request failed:
[Wed Oct 20 19:50:40.745202 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] Traceback (most recent call last):
[Wed Oct 20 19:50:40.745208 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request
[Wed Oct 20 19:50:40.745213 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     conn = connection_factory(host, port, **connection_options)
[Wed Oct 20 19:50:40.745218 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory
[Wed Oct 20 19:50:40.745223 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     tls_version_max=api.env.tls_version_max)
[Wed Oct 20 19:50:40.745228 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection
[Wed Oct 20 19:50:40.745233 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     ctx.load_cert_chain(client_certfile, client_keyfile, passwd)
[Wed Oct 20 19:50:40.745239 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] PermissionError: [Errno 13] Permission denied
[Wed Oct 20 19:50:40.745247 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]
[Wed Oct 20 19:50:40.747246 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Oct 20 19:50:40.747275 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request
[Wed Oct 20 19:50:40.747282 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     conn = connection_factory(host, port, **connection_options)
[Wed Oct 20 19:50:40.747287 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory
[Wed Oct 20 19:50:40.747292 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     tls_version_max=api.env.tls_version_max)
[Wed Oct 20 19:50:40.747296 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection
[Wed Oct 20 19:50:40.747301 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     ctx.load_cert_chain(client_certfile, client_keyfile, passwd)
[Wed Oct 20 19:50:40.747306 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] PermissionError: [Errno 13] Permission denied
[Wed Oct 20 19:50:40.747311 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]
[Wed Oct 20 19:50:40.747316 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] During handling of the above exception, another exception occurred:
[Wed Oct 20 19:50:40.747325 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]
[Wed Oct 20 19:50:40.747329 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] Traceback (most recent call last):
[Wed Oct 20 19:50:40.747334 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 397, in wsgi_execute
[Wed Oct 20 19:50:40.747339 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     result = command(*args, **options)
[Wed Oct 20 19:50:40.747343 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Wed Oct 20 19:50:40.747348 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     return self.__do_call(*args, **options)
[Wed Oct 20 19:50:40.747353 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
[Wed Oct 20 19:50:40.747358 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     ret = self.run(*args, **options)
[Wed Oct 20 19:50:40.747363 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Wed Oct 20 19:50:40.747368 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     return self.execute(*args, **options)
[Wed Oct 20 19:50:40.747373 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/cert.py", line 657, in execute
[Wed Oct 20 19:50:40.747377 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     ca_obj = api.Command.ca_show(ca, all=all, chain=chain)['result']
[Wed Oct 20 19:50:40.747383 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Wed Oct 20 19:50:40.747394 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     return self.__do_call(*args, **options)
[Wed Oct 20 19:50:40.747399 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
[Wed Oct 20 19:50:40.747403 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     ret = self.run(*args, **options)
[Wed Oct 20 19:50:40.747408 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Wed Oct 20 19:50:40.747413 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     return self.execute(*args, **options)
[Wed Oct 20 19:50:40.747418 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 252, in execute
[Wed Oct 20 19:50:40.747423 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     msg = set_certificate_attrs(result['result'], options)
[Wed Oct 20 19:50:40.747428 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in set_certificate_attrs
[Wed Oct 20 19:50:40.747434 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     with api.Backend.ra_lightweight_ca as ca_api:
[Wed Oct 20 19:50:40.747439 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1199, in __enter__
[Wed Oct 20 19:50:40.747445 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     method='GET'
[Wed Oct 20 19:50:40.747450 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 209, in https_request
[Wed Oct 20 19:50:40.747455 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     method=method, headers=headers)
[Wed Oct 20 19:50:40.747460 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
[Wed Oct 20 19:50:40.747465 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     raise NetworkError(uri=uri, error=str(e))
[Wed Oct 20 19:50:40.747470 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipalib.errors.NetworkError: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied
Please help, I spent two days on it already.
Евгений Жиряков via FreeIPA-users wrote:
> Hello.
> I can't add a replica to an existing master server. The FreeIPA version is 4.9.2 on CentOS 8 in Docker.
> From the replica side it looks like this:
> freeipa-replica_1 | Configuring directory server (dirsrv)
> freeipa-replica_1 |   [1/3]: configuring TLS for DS instance
> freeipa-replica_1 |   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://ipa1.srv.DOMAIN.com/ipa/json failed request, will retry: 907 (cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied).)
> freeipa-replica_1 | Your system may be partly configured.
> freeipa-replica_1 | Run /usr/sbin/ipa-server-install --uninstall to clean up.
> freeipa-replica_1 |
> freeipa-replica_1 | FreeIPA server configuration failed.
> Also, I see the same error when running ipa cert-show on the master:
> # ipa cert-show 1
> ipa: ERROR: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/certs/1': [Errno 13] Permission denied
There is a permission or SELinux problem with your RA agent certificates. They should be:
-r--r-----. 1 root ipaapi system_u:object_r:ipa_var_lib_t:s0 1704 Jan 19  2021 /var/lib/ipa/ra-agent.key
-r--r-----. 1 root ipaapi system_u:object_r:ipa_var_lib_t:s0 1411 Jan 19  2021 /var/lib/ipa/ra-agent.pem
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Does it matter that SELinux is disabled?
# sestatus
SELinux status: disabled
I changed the permissions before. I changed the group to ipaapi, without luck.
# ls -la /var/lib/ipa
total 20
drw-r--r--. 11 root root    202 Oct 20 19:15 .
drwxr-xr-x. 51 root root   4096 Oct 15 14:02 ..
drwxr-xr-x   2 root root     31 Oct 20 11:11 auth_backup
drwx------.  5 root root    114 Oct 20 11:12 backup
-rw-------.  1 root root   1545 Oct 20 17:27 ca.csr
drwxr-xr-x.  2 root root     47 Oct 15 15:03 certs
drwx------.  2 root root     25 Jun 29 17:47 gssproxy
drwx------.  2 root root     41 Jun 29 17:47 passwds
drwxr-xr-x.  3 root root     21 Jun 29 17:47 pki-ca
drwx------.  2 root root     47 Oct 15 15:02 private
-r--r-----.  1 root ipaapi 1708 Oct 21  2020 ra-agent.key
-r--r-----.  1 root ipaapi 1419 Oct 21  2020 ra-agent.pem
drwx--x--x.  2 root root   4096 Jun 29 17:47 sysrestore
drwx------.  2 root root     30 Jun 29 17:47 sysupgrade
Евгений Жиряков via FreeIPA-users wrote:
> Does it matter that SELinux is disabled?
> # sestatus
> SELinux status: disabled
> I changed the permissions before. I changed the group to ipaapi, without luck.
> # ls -la /var/lib/ipa
> total 20
> drw-r--r--. 11 root root    202 Oct 20 19:15 .
> drwxr-xr-x. 51 root root   4096 Oct 15 14:02 ..
> drwxr-xr-x   2 root root     31 Oct 20 11:11 auth_backup
> drwx------.  5 root root    114 Oct 20 11:12 backup
> -rw-------.  1 root root   1545 Oct 20 17:27 ca.csr
> drwxr-xr-x.  2 root root     47 Oct 15 15:03 certs
> drwx------.  2 root root     25 Jun 29 17:47 gssproxy
> drwx------.  2 root root     41 Jun 29 17:47 passwds
> drwxr-xr-x.  3 root root     21 Jun 29 17:47 pki-ca
> drwx------.  2 root root     47 Oct 15 15:02 private
> -r--r-----.  1 root ipaapi 1708 Oct 21  2020 ra-agent.key
> -r--r-----.  1 root ipaapi 1419 Oct 21  2020 ra-agent.pem
> drwx--x--x.  2 root root   4096 Jun 29 17:47 sysrestore
> drwx------.  2 root root     30 Jun 29 17:47 sysupgrade
I'd check the permissions on /var and /lib too. You're seeing an EACCES error which is basic permissions. Apache can't read the certificate because the OS won't let it.
It's fine, though not recommended, if you have SELinux disabled.
rob
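Added example, not part of the thread and not FreeIPA's own code: a small script that replays the kernel's discretionary access check along the whole path to a file for a given account, which is the quickest way to turn an EACCES like the one in the traceback above (ctx.load_cert_chain on the RA agent key and certificate) into a named directory or file. Rob's listing gives the expected ownership and mode of the two files; the poster's own ls -la shows /var/lib/ipa itself as drw-r--r--, with no search (x) bit for anyone, and a missing x bit on any ancestor directory is exactly what this walk reports. The paths, the ipaapi group and the ipa_var_lib_t type come from the thread; that the IPA WSGI process opens these files as the ipaapi user is an assumption of this example, so pass whatever account your httpd/mod_wsgi daemon actually runs as. Run it as root on the master.

```python
#!/usr/bin/env python3
"""Explain an EACCES on a file for a given Unix account by replaying the
kernel's owner/group/other check on every directory leading to it.

Example (account, paths and SELinux type taken from the mailing-list thread;
that the IPA WSGI process runs as ipaapi is an assumption):

    python3 eacces_trace.py ipaapi /var/lib/ipa/ra-agent.key /var/lib/ipa/ra-agent.pem
"""
import grp
import os
import pwd
import stat
import sys

EXPECTED_SELINUX_TYPE = "ipa_var_lib_t"  # type shown on the RA agent files in the thread


def subject_for(username):
    """Resolve a local account to (uid, set of gids): primary plus supplementary groups."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def _permits(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic DAC rule: exactly one of the owner/group/other triplets applies, never a union."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def _ancestors(path):
    """Return '/', '/var', '/var/lib', ... up to but not including path itself."""
    dirs, cur = [], path
    while True:
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        dirs.append(parent)
        cur = parent
    return reversed(dirs)


def _describe(st):
    return "mode %s uid=%d gid=%d" % (stat.filemode(st.st_mode), st.st_uid, st.st_gid)


def trace_eacces(path, uid, gids):
    """Return the reasons uid (member of gids) would get EACCES opening path for read.

    An empty list means DAC allows the open, so the cause lies elsewhere (SELinux, code).
    """
    if uid == 0:
        return []  # root holds CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH and ignores these bits
    path = os.path.abspath(path)
    problems = []
    for d in _ancestors(path):
        try:
            st = os.stat(d)
        except OSError as e:
            problems.append("%s: cannot stat (%s)" % (d, e.strerror))
            return problems
        # Every directory on the way must grant search (x) to this subject.
        if not _permits(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append("%s: %s, no search (x) permission for uid %d" % (d, _describe(st), uid))
    try:
        st = os.stat(path)
    except OSError as e:
        problems.append("%s: cannot stat (%s)" % (path, e.strerror))
        return problems
    if not _permits(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append("%s: %s, no read permission for uid %d" % (path, _describe(st), uid))
    return problems


def selinux_label(path):
    """SELinux context of path, or None where the kernel exposes none (e.g. SELinux disabled)."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):
        return None


def main(argv):
    if len(argv) < 3:
        sys.exit("usage: %s <account> <file>..." % argv[0])
    uid, gids = subject_for(argv[1])
    rc = 0
    for path in argv[2:]:
        ok = True
        for p in trace_eacces(path, uid, gids):
            print("DAC:", p)
            ok = False
        label = selinux_label(path)
        if label is not None and EXPECTED_SELINUX_TYPE not in label:
            print("SELinux: %s has context %s, expected type %s" % (path, label, EXPECTED_SELINUX_TYPE))
            ok = False
        if ok:
            print("%s: readable by %s" % (path, argv[1]))
        rc |= 0 if ok else 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The util-linux one-liner namei -mo /var/lib/ipa/ra-agent.key prints the mode and owner of every path component; the script only adds the "for which subject" evaluation, so the output names the exact directory or file that denies the IPA process. Rerun it after each chmod or chown until it reports the key and certificate as readable, then retry ipa cert-show on the master before attempting the replica install again.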
On ipa1 SELinux is disabled. On ipa2 SELinux is enabled on the host, not in the Docker container where FreeIPA runs.