Hello,
I am on CentOS 7.3.1611 running FreeIPA Version 4.4.0.
I have the master installed and running:
:; sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
I am trying to deploy a replica; it makes it through most of the tasks, then bombs out at
the end. The system is listed in FreeIPA as an ipaserver/replica, but the process itself
never starts on the replica.
The deploy fails with the following errors:
2017-09-07T19:31:04Z DEBUG stderr=
2017-09-07T19:31:04Z DEBUG Destroyed connection context.ldap2_106994896
2017-09-07T19:31:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-09-07T19:31:04Z DEBUG Configuring ipa-custodia
2017-09-07T19:31:04Z DEBUG [1/5]: Generating ipa-custodia config file
2017-09-07T19:31:04Z DEBUG duration: 0 seconds
2017-09-07T19:31:04Z DEBUG [2/5]: Generating ipa-custodia keys
2017-09-07T19:31:04Z DEBUG duration: 0 seconds
2017-09-07T19:31:04Z DEBUG [3/5]: Importing RA Key
2017-09-07T19:31:04Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 99, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z DEBUG [error] HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
    promote(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1478, in promote
    custodia.create_replica(config.master_host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 95, in create_replica
    realm=self.realm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 581, in create_instance
    self.start_creation("Configuring %s" % self.service_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 99, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
2017-09-07T19:31:04Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z ERROR 404 Client Error: Not Found
2017-09-07T19:31:04Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
When I "kinit admin" and try to run "curl --negotiate -u: https://`hostname`/ipa/keys/ -vv", I get the initial 401, followed by a 403.
< HTTP/1.1 403 Forbidden
< Date: Fri, 08 Sep 2017 17:55:18 GMT
< Server: Custodia/0.1
< WWW-Authenticate: Negotiate <key_blob>
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
<
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 403.
<p>Message: Forbidden.
<p>Error code explanation: 403 = Request forbidden -- authorization will not help.
</body>
* Closing connection 0
The httpd gateway seems to work correctly but something is broken in the ipa-custodia
response.
I appreciate any thoughts/help!
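
A triage helper for an install log like the one quoted above, added here as an example (it is not part of the original post and is not FreeIPA code): it reports which installer step failed and the IPA-side frames that led to the failing request. The sample log is constructed by abridging and unwrapping lines from the post; `triage` and its `own` parameter are hypothetical names.

```python
import re

# Constructed sample: abridged, unwrapped lines from the install log quoted in the post.
SAMPLE_LOG = '''\
2017-09-07T19:31:04Z DEBUG Configuring ipa-custodia
2017-09-07T19:31:04Z DEBUG   [2/5]: Generating ipa-custodia keys
2017-09-07T19:31:04Z DEBUG   [3/5]: Importing RA Key
2017-09-07T19:31:04Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 99, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
HTTPError: 404 Client Error: Not Found
2017-09-07T19:31:04Z DEBUG   [error] HTTPError: 404 Client Error: Not Found
'''

STAMP = r'\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ (?:DEBUG|INFO|ERROR)\s+'
SECTION = re.compile(STAMP + r'(Configuring .+)')
STEP = re.compile(STAMP + r'\[(\d+)/(\d+)\]: (.+)')
ERROR = re.compile(STAMP + r'\[error\] (.+)')
FRAME = re.compile(r'\s*File "([^"]+)", line (\d+), in (\S+)')

def triage(log_text, own=('/ipaserver/', '/ipapython/')):
    """List each failed installer step with the IPA-owned frames leading to it."""
    section = step = None
    frames, failures = [], []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if SECTION.match(line):
            section = SECTION.match(line).group(1)
        elif STEP.match(line):
            step, frames = STEP.match(line).group(3), []  # new step: reset frames
        elif FRAME.match(line):
            path, lineno, func = FRAME.match(line).groups()
            call = lines[i + 1].strip() if i + 1 < len(lines) else ''
            if any(p in path for p in own):  # skip third-party frames (requests)
                frames.append((path, int(lineno), func, call))
        elif ERROR.match(line):
            failures.append({'section': section, 'step': step,
                             'error': ERROR.match(line).group(1), 'frames': frames})
    return failures

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['section'], '|', f['step'], '|', f['error'], '|', f['frames'][-2][3])
```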