Hello.
I can't add a replica to an existing master server. The FreeIPA version is 4.9.2 on CentOS 8 in Docker.
From the replica side it looks like this:
freeipa-replica_1 | Configuring directory server (dirsrv)
freeipa-replica_1 |   [1/3]: configuring TLS for DS instance
freeipa-replica_1 |   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://ipa1.srv.DOMAIN.com/ipa/json failed request, will retry: 907 (cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied).)
freeipa-replica_1 | Your system may be partly configured.
freeipa-replica_1 | Run /usr/sbin/ipa-server-install --uninstall to clean up.
freeipa-replica_1 |
freeipa-replica_1 | FreeIPA server configuration failed.
Also, I notice the same error when running the command ipa cert-show on the master:
ipa cert-show 1
ipa: ERROR: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/certs/1': [Errno 13] Permission denied
And the third place is in the web interface, under Authentication --> Certificate Authorities.
Here are logs from /var/log/httpd/error_log with debug enabled in /etc/ipa/server.conf:
[Wed Oct 20 19:50:40.730514 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: cert_request('MIIDxzCCAq8CAQAwNzEXMBUGA1UEChMOU1JWLkFTU0FJQS5DT00xHDAaBgNVBAMTE2lwYTIuc3J2LmFzc2FpYS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD2N8SZVlYlsgslL/CL/951CA1YgLdmhBmV2H0TNfwx9CZJKit1B6dl4HddAz1xWaYhsVTQ1PK0Ph6Hjz1+ura/Hou4XFBUHkAMolxMzmxsGOzkZrlFr5gCH5xWeEn2Rm6RVXy16GS5o3Gxy8zSK4MtlwblVrAstRXaJHZkY9eNwQ1+67OJIB3uDw4XhXGD60aLbcL/tZ5ZLW/lotZeRLHYI4VM1dMhGfsTduYEYFn2QH1cU36UX1EJgCggMWCz9KQX9OZVyA7yBsW0X/5Tfrb6s7LEwgRCYW8FqPWQ0+t4vtVXcWG0BH6bESX1JzwZD9EMd+gQJxXlEUrGO4IP9NTDAgMBAAGgggFJMCUGCSqGSIb3DQEJFDEYHhYAUwBlAHIAdgBlAHIALQBDAGUAcgB0MIIBHgYJKoZIhvcNAQkOMYIBDzCCAQswgaQGA1UdEQEBAASBmTCBloITaXBhMi5zcnYuYXNzYWlhLmNvbaA3BgorBgGEAVI3FAIDoCkMJ2xkYXAvaXBhMi5zcnYuYXNzYWlhLmNvbUBTUlYuQVNTQUlBLkNPTaBGBgYrBgEFAgKgPDA6oBAbDlNSVi5BU1NBSUEuQ09NoSYwJKADAgEBoR0wGxsEbGRhcBsTaXBhMi5zcnYuYXNzYWlhLmNvbTAMBgNVHRMBAf8EAjAAMCAGA1UdDgEBAAQWBBQmDzatkec4N+/l6ECCUA5k35sbkD AyBgkrBgEEAYI3FAIBAQAEIh4gAGMAYQBJAFAAQQBzAGUAcgB2AGkAYwBlAEMAZQByAHQwDQYJKoZIhvcNAQELBQADggEBAIDSuXsB+ZfJBG4eKVSAD1d3fxZErNFnmtqLBYguCBiv+eGANTcfJBoqXpfM8ZK4IvyInF7jiMELZNnwRvSZNrTPfhWGlb8i2fWVU872QTD5qbQ6D/lmD0xbR4PQ6VTSCsskCndrgaK6kFNPtXEPw8Y1RlMVEXUq9BF7H3Zc4aUWp1AbQFXJaZb/F0sRDyKgN4imxnA+odi/hfk7IeLLQG+fqzpooeLDMjV1aAQF9nWfe8Uy0ofbIzDN4FGMH/xvHjId93qC9RLlSzom/VE264FrL2kPZNrShhsfUJnEfj+DV3AYurStJRnpvadU33jwenYmSkmgNCPL/RCa1MzjpQQ=', profile_id='caIPAserviceCert', principal='ldap/ipa2.srv.DOMAIN.com@SRV.DOMAIN.COM', add=True, version='2.240')
[Wed Oct 20 19:50:40.731430 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: cert_request(<cryptography.hazmat.backends.openssl.x509._CertificateSigningRequest object at 0x7f23fdcbb278>, request_type='pkcs10', profile_id='caIPAserviceCert', cacn='ipa', principal=ipapython.kerberos.Principal('ldap/ipa2.srv.DOMAIN.com@SRV.DOMAIN.COM'), add=True, chain=False, all=False, raw=False, version='2.240')
[Wed Oct 20 19:50:40.731670 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.731745 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.736607 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_show('ipa', chain=False, all=False, version='2.240')
[Wed Oct 20 19:50:40.736869 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_show('ipa', rights=False, chain=False, all=False, raw=False, version='2.240')
[Wed Oct 20 19:50:40.737119 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: raw: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.737256 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: ca_is_enabled(version='2.240')
[Wed Oct 20 19:50:40.743096 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: request GET https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login
[Wed Oct 20 19:50:40.743235 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: request body ''
[Wed Oct 20 19:50:40.745172 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: httplib request failed:
[Wed Oct 20 19:50:40.745202 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] Traceback (most recent call last):
[Wed Oct 20 19:50:40.745208 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request
[Wed Oct 20 19:50:40.745213 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     conn = connection_factory(host, port, **connection_options)
[Wed Oct 20 19:50:40.745218 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory
[Wed Oct 20 19:50:40.745223 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     tls_version_max=api.env.tls_version_max)
[Wed Oct 20 19:50:40.745228 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection
[Wed Oct 20 19:50:40.745233 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     ctx.load_cert_chain(client_certfile, client_keyfile, passwd)
[Wed Oct 20 19:50:40.745239 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] PermissionError: [Errno 13] Permission denied
[Wed Oct 20 19:50:40.745247 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]
[Wed Oct 20 19:50:40.747246 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Oct 20 19:50:40.747275 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 261, in _httplib_request
[Wed Oct 20 19:50:40.747282 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     conn = connection_factory(host, port, **connection_options)
[Wed Oct 20 19:50:40.747287 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 203, in connection_factory
[Wed Oct 20 19:50:40.747292 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     tls_version_max=api.env.tls_version_max)
[Wed Oct 20 19:50:40.747296 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/util.py", line 385, in create_https_connection
[Wed Oct 20 19:50:40.747301 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     ctx.load_cert_chain(client_certfile, client_keyfile, passwd)
[Wed Oct 20 19:50:40.747306 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] PermissionError: [Errno 13] Permission denied
[Wed Oct 20 19:50:40.747311 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]
[Wed Oct 20 19:50:40.747316 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] During handling of the above exception, another exception occurred:
[Wed Oct 20 19:50:40.747325 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]
[Wed Oct 20 19:50:40.747329 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] Traceback (most recent call last):
[Wed Oct 20 19:50:40.747334 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 397, in wsgi_execute
[Wed Oct 20 19:50:40.747339 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     result = command(*args, **options)
[Wed Oct 20 19:50:40.747343 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Wed Oct 20 19:50:40.747348 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     return self.__do_call(*args, **options)
[Wed Oct 20 19:50:40.747353 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
[Wed Oct 20 19:50:40.747358 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     ret = self.run(*args, **options)
[Wed Oct 20 19:50:40.747363 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Wed Oct 20 19:50:40.747368 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     return self.execute(*args, **options)
[Wed Oct 20 19:50:40.747373 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/cert.py", line 657, in execute
[Wed Oct 20 19:50:40.747377 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     ca_obj = api.Command.ca_show(ca, all=all, chain=chain)['result']
[Wed Oct 20 19:50:40.747383 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Wed Oct 20 19:50:40.747394 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     return self.__do_call(*args, **options)
[Wed Oct 20 19:50:40.747399 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
[Wed Oct 20 19:50:40.747403 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     ret = self.run(*args, **options)
[Wed Oct 20 19:50:40.747408 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Wed Oct 20 19:50:40.747413 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     return self.execute(*args, **options)
[Wed Oct 20 19:50:40.747418 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 252, in execute
[Wed Oct 20 19:50:40.747423 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     msg = set_certificate_attrs(result['result'], options)
[Wed Oct 20 19:50:40.747428 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in set_certificate_attrs
[Wed Oct 20 19:50:40.747434 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     with api.Backend.ra_lightweight_ca as ca_api:
[Wed Oct 20 19:50:40.747439 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1199, in __enter__
[Wed Oct 20 19:50:40.747445 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     method='GET'
[Wed Oct 20 19:50:40.747450 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 209, in https_request
[Wed Oct 20 19:50:40.747455 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     method=method, headers=headers)
[Wed Oct 20 19:50:40.747460 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]   File "/usr/local/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
[Wed Oct 20 19:50:40.747465 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130]     raise NetworkError(uri=uri, error=str(e))
[Wed Oct 20 19:50:40.747470 2021] [wsgi:error] [pid 1204307:tid 139792541603584] [remote 10.231.20.22:36130] ipalib.errors.NetworkError: cannot connect to 'https://ipa1.srv.DOMAIN.com:443/ca/rest/account/login': [Errno 13] Permission denied
Please help, I spent two days on it already.
freeipa-users@lists.fedorahosted.org
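The traceback above fails inside ctx.load_cert_chain(client_certfile, client_keyfile, passwd) with EACCES, i.e. the web API process cannot read the RA agent client certificate or key it uses to authenticate to the CA's /ca/rest endpoints. The following diagnostic is an added example, not code from the post or from the FreeIPA project: it reproduces that one step against the RA agent credentials and reports the owner, group, mode and readability of each file for the user running it. The default paths (/var/lib/ipa/ra-agent.pem and /var/lib/ipa/ra-agent.key) and the unencrypted key (no passphrase passed) are assumptions about a FreeIPA 4.9 layout; run it as the user the IPA WSGI application runs under (for example with sudo -u) and pass other paths if your install differs.

```python
"""Added diagnostic (not from the post or FreeIPA): reproduce the
ctx.load_cert_chain() step from the traceback against the RA agent
client credentials and explain why it fails.

Usage (as the IPA web API user, e.g. `sudo -u ipaapi python3 check_ra_creds.py`):
    python3 check_ra_creds.py [certfile] [keyfile]
"""
import grp
import os
import pwd
import ssl
import stat
import sys

# Assumed default locations of the RA agent credentials (not taken from the post).
DEFAULT_CERT = "/var/lib/ipa/ra-agent.pem"
DEFAULT_KEY = "/var/lib/ipa/ra-agent.key"


def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the bare number."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def describe_file(path):
    """Return existence, owner, group, mode and readability of one file."""
    info = {"path": path, "exists": os.path.exists(path), "owner": None,
            "group": None, "mode": None, "readable": False}
    if not info["exists"]:
        return info
    st = os.stat(path)
    info["owner"] = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    info["group"] = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    info["mode"] = stat.filemode(st.st_mode)      # e.g. '-rw-r-----'
    info["readable"] = os.access(path, os.R_OK)   # checked with the effective uid/gid
    return info


def check_client_credentials(certfile=DEFAULT_CERT, keyfile=DEFAULT_KEY):
    """Inspect both files, then make the same load_cert_chain() call the IPA
    server makes. Returns (ok, details); details["error"] is None on success,
    "not readable" if a file is missing or unreadable, otherwise the exception
    raised by the TLS library (e.g. a PEM parse error)."""
    euid = os.geteuid()
    details = {
        "euid": euid,
        "user": _name(lambda u: pwd.getpwuid(u).pw_name, euid),
        "files": [describe_file(certfile), describe_file(keyfile)],
        "error": None,
    }
    if not all(f["exists"] and f["readable"] for f in details["files"]):
        details["error"] = "not readable"
        return False, details
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(certfile, keyfile)   # same call as in the traceback
    except OSError as exc:                       # ssl.SSLError is an OSError subclass
        details["error"] = f"{type(exc).__name__}: {exc}"
        return False, details
    return True, details


def main(argv):
    cert = argv[1] if len(argv) > 1 else DEFAULT_CERT
    key = argv[2] if len(argv) > 2 else DEFAULT_KEY
    ok, details = check_client_credentials(cert, key)
    print(f"running as {details['user']} (euid {details['euid']})")
    for f in details["files"]:
        print(f"  {f['path']}: exists={f['exists']} owner={f['owner']} "
              f"group={f['group']} mode={f['mode']} readable={f['readable']}")
    print("OK: client certificate and key load" if ok else f"FAIL: {details['error']}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the script reports readable=False for either file when run as the web API user, the fix is on the file side (ownership, group membership or mode of the credential files, or a bind-mount that dropped them), not on the CA or network side that the "cannot connect" wording suggests; a PermissionError from load_cert_chain never reaches the network at all.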