On 18/01/2022 13:36, lejeczek via FreeIPA-users wrote:
Hi guys,
That's new, well, I've never seen it. I got on a replica
candidate so I thought I'd make a first new master and yet:
-> $ ipa-server-install --setup-dns --setup-kra --no-forwarders --idstart=57400000 --admin-password=diradm --ds-password=dirsrv --enable-compat --setup-adtrust
...
[6/9]: configure certificate renewals
[error] DBusException:
org.fedorahosted.certmonger.duplicate: Certificate at same
location is already used by request with nickname
"20210709164208".
org.fedorahosted.certmonger.duplicate: Certificate at same
location is already used by request with nickname
"20210709164208".
The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
in log file:
...
2022-01-18T13:30:02Z DEBUG [6/9]: configure certificate renewals
2022-01-18T13:30:02Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2022-01-18T13:30:03Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 486, in configure_renewal
    profile=self.tracking_reqs[nickname],
  File "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py", line 576, in start_tracking
    result = cm.obj_if.add_request(params)
  File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python3.6/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
2022-01-18T13:30:03Z DEBUG [error] DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
2022-01-18T13:30:03Z DEBUG Removing /var/lib/ipa/tmp-brry92se
2022-01-18T13:30:03Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
2022-01-18T13:30:03Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
How could this be, with first master??
many thanks, L.
_______________________________________________
I've missed the following first time on that failing box:
-> $ ipa-server-install --uninstall
...
If this server is the last instance of CA,
KRA, or DNSSEC master, uninstallation may result in data loss.
Are you sure you want to continue with the uninstall
procedure? [no]: yes
Failed to get request: Criteria expected to be met by 1
request, got 2.
certmonger failed to stop tracking certificate: Criteria
expected to be met by 1 request, got 2.
Failed to get request: Criteria expected to be met by 1
request, got 2.
certmonger failed to stop tracking certificate: Criteria
expected to be met by 1 request, got 2.
Failed to get request: Criteria expected to be met by 1
request, got 2.
certmonger failed to stop tracking certificate: Criteria
expected to be met by 1 request, got 2.
Shutting down all IPA services
Failed to remove DS instance. No serverid present in
sysrestore file.
Some certificates may still be tracked by certmonger.
This will cause re-installation to fail.
Start the certmonger service and list the certificates being
tracked
# getcert list
These may be untracked by executing
# getcert stop-tracking -i <request_id>
for each id in: 20210709164208, 20210709164209,
20210709164210, 20220116175552, 20220116175553, 20220116175554
Removing IPA client configuration
The ipa-client-install command was successful
The ipa-server-install command was successful
What would that be a symptom of, and why would '--uninstall' not take
care of such a case? (where never any CA management took place
outside of IPA)
many thanks, L.
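
Added example, not part of the original post and not FreeIPA or certmonger code: a small Python helper that reads `getcert list` output and reports every certificate storage entry tracked by more than one request, which is the condition behind both the `certmonger.duplicate` error and the "expected to be met by 1 request, got 2" messages above. It assumes the usual `Request ID '...'` / `certificate: ...` layout of `getcert list`; the function names and the sample data are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the layout `getcert list` prints; request IDs and
# nicknames are illustrative, not taken from the poster's machine.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20200101000001':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20200202000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20200101000002':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")
CERT_RE = re.compile(r"^\s+certificate:\s*(.+?)\s*$")

def parse_requests(text):
    """Return {request_id: certificate storage string} from `getcert list` text."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        # Only the indented "certificate:" line is used; "key pair storage:" is ignored.
        m = CERT_RE.match(line)
        if m and current is not None:
            requests[current] = m.group(1)
    return requests

def find_duplicates(text):
    """Return {storage: [request_ids]} for storage tracked by more than one request."""
    by_storage = defaultdict(list)
    for req_id, storage in parse_requests(text).items():
        by_storage[storage].append(req_id)
    return {s: sorted(ids) for s, ids in by_storage.items() if len(ids) > 1}

if __name__ == "__main__":
    # Pipe real output in (getcert list | python3 this_script.py) or run bare for the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for storage, ids in find_duplicates(text).items():
        print(f"{storage}\n  tracked by: {', '.join(ids)}")
```

Each ID reported for the same storage is a candidate for `getcert stop-tracking -i <request_id>`, as the uninstall output suggests; the script only reports and changes nothing.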