Yes, this was a problem. Schema replication was failing because a version
of the entryuuid plugin added a new syntax plugin, which cannot be
replicated. So it broke replication and would lead to errors like this.
The minimum version of 389-ds-base-2.x you need is:
389-ds-base-2.0.8
This version will work with older versions of DS.
HTH,
Mark
On 9/9/21 10:00 AM, François Cami wrote:
Hi,
I think this is related to the DS versions being different in f33 and f34.
f33 has 389-ds-base-1.4 and f34 has 2.0.x.
It sounds like:
https://github.com/389ds/389-ds-base/issues/4498#issuecomment-744335466
Could you post the exact versions of DS you are using?
Thank you,
François
On Thu, Sep 9, 2021 at 3:47 PM Mathias Rumbold via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
> Hello Community!
>
> I am trying to add a new Fedora 34 server as secondary master. The idm01 is still Fedora 33 but versions are the same as I can see.
>
> The issue I am hitting is by installing the replication (Client works fine).
>
> Configuring the web interface (httpd)
> [1/21]: stopping httpd
> [2/21]: backing up ssl.conf
> [3/21]: disabling nss.conf
> [4/21]: configuring mod_ssl certificate paths
> [5/21]: setting mod_ssl protocol list
> [6/21]: configuring mod_ssl log directory
> [7/21]: disabling mod_ssl OCSP
> [8/21]: adding URL rewriting rules
> [9/21]: configuring httpd
> [10/21]: setting up httpd keytab
> [11/21]: configuring Gssproxy
> [12/21]: setting up ssl
> [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
>
> Log files:
> 2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf' doesn't exist
> 2021-09-08T11:33:07Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa-rewrite.conf'
> 2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
> 2021-09-08T11:33:07Z DEBUG step duration: httpd __configure_http 0.26 sec
> 2021-09-08T11:33:07Z DEBUG [10/21]: setting up httpd keytab
> 2021-09-08T11:33:07Z DEBUG raw: service_add('HTTP/idm02.example.com(a)example.com', force=True, version='2.242')
> 2021-09-08T11:33:07Z DEBUG service_add(ipapython.kerberos.Principal('HTTP/idm02.example.com(a)example.com'), force=True, skip_host_check=False, all=False, raw=False, version='2.242', no_members=False)
> 2021-09-08T11:33:07Z DEBUG flushing ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket from SchemaCache
> 2021-09-08T11:33:07Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fb640f00160>
> 2021-09-08T11:33:08Z DEBUG raw: host_show('idm02.example.com', version='2.242')
> 2021-09-08T11:33:08Z DEBUG host_show('idm02.example.com', rights=False, all=False, raw=False, version='2.242', no_members=False)
> 2021-09-08T11:33:08Z DEBUG Backing up system configuration file '/var/lib/ipa/gssproxy/http.keytab'
> 2021-09-08T11:33:08Z DEBUG -> Not backing up - '/var/lib/ipa/gssproxy/http.keytab' doesn't exist
> 2021-09-08T11:33:08Z DEBUG Starting external process
> 2021-09-08T11:33:08Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k', '/var/lib/ipa/gssproxy/http.keytab', '-p', 'HTTP/idm02.example.com(a)example.com', '-H', 'ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket', '-Y', 'EXTERNAL']
> 2021-09-08T11:33:08Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:08Z DEBUG stdout=
> 2021-09-08T11:33:08Z DEBUG stderr=Keytab successfully retrieved and stored in: /var/lib/ipa/gssproxy/http.keytab
>
> 2021-09-08T11:33:08Z DEBUG Waiting up to 300 seconds for replication (ldap://idm01.example.com:389) krbprincipalname=HTTP/idm02.example.com(a)example.com,cn=services,cn=accounts,dc=talheim-it,dc=at (objectclass=*)
> 2021-09-08T11:33:09Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('krbprincipalname=HTTP/idm02.example.com(a)example.com,cn=services,cn=accounts,dc=talheim-it,dc=at'), {'krbLastPwdChange': [b'20210908113308Z'], 'krbCanonicalName': [b'HTTP/idm02.example.com(a)example.com'], 'objectClass': [b'krbprincipal', b'krbprincipalaux', b'krbticketpolicyaux', b'ipaobject', b'ipaservice', b'pkiuser', b'ipakrbprincipal', b'top'], 'managedBy': [b'fqdn=idm02.example.com,cn=computers,cn=accounts,dc=talheim-it,dc=at'], 'ipaKrbPrincipalAlias': [b'HTTP/idm02.example.com(a)example.com'], 'krbPrincipalName': [b'HTTP/idm02.example.com(a)example.com'], 'ipaUniqueID': [b'8a3a99ec-1098-11ec-b7a5-860000d9fd13']})]
> 2021-09-08T11:33:09Z DEBUG step duration: httpd request_service_keytab 1.56 sec
> 2021-09-08T11:33:09Z DEBUG [11/21]: configuring Gssproxy
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/usr/sbin/selinuxenabled']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/sbin/restorecon', '/etc/gssproxy/10-ipa.conf']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'restart', 'gssproxy.service']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'is-active', 'gssproxy.service']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=active
>
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Restart of gssproxy.service complete
> 2021-09-08T11:33:09Z DEBUG step duration: httpd configure_gssproxy 0.09 sec
> 2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
> 2021-09-08T11:33:09Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
> 2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
> 2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309
> 2021-09-08T11:33:10Z DEBUG certmonger request is in state 'GENERATING_CSR'
> 2021-09-08T11:33:10Z DEBUG certmonger request is in state 'SUBMITTING'
> 2021-09-08T11:33:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
> 2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:11Z DEBUG Giving up on cert request 20210908113310
> 2021-09-08T11:33:11Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 398, in __setup_ssl
>     certmonger.request_and_wait_for_cert(**args)
>   File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
>     raise RuntimeError(
> RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402, in __setup_ssl
>     certmonger.request_and_wait_for_cert(**args)
>   File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
>     raise RuntimeError(
> RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
>
> 2021-09-08T11:33:11Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:11Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>     return_value = self.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 342, in run
>     return cfgr.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
>     return self.execute()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
>     for rval in self._executor():
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
>     step()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655, in _configure
>     next(executor)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
>     step()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
>     for unused in self._installer(self.parent):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 608, in main
>     replica_install(self)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
>     func(installer)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1301, in install
>     install_http(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 163, in install_http
>     http.create_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 151, in create_instance
>     self.start_creation()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402, in __setup_ssl
>     certmonger.request_and_wait_for_cert(**args)
>   File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
>     raise RuntimeError(
>
> 2021-09-08T11:33:11Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:11Z ERROR Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> Made on a completely fresh deployed VM.
>
>
> Yours,
> Mathias
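
A triage sketch for the failure discussed in this thread, added here and not part of the original messages or of the FreeIPA or 389-ds code: it folds mail-wrapped installer log lines back into records, flags the `entryuuid` rejection, and checks a package string against the 2.0.8 minimum stated in the reply at the top. The function names and the package strings mentioned in the comments are assumptions; the sample log is an excerpt of the one quoted above.

```python
import re

# A record starts with an ISO timestamp and a level, optionally behind a mail quote marker.
STAMP = re.compile(
    r'^(?:>\s*)?(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (DEBUG|INFO|WARNING|ERROR) ?(.*)$')
# Error text reported in the thread (LDAP object class violation on entryuuid).
ENTRYUUID = re.compile(r'4205 \(attribute "entryuuid" not allowed')
NVR = re.compile(r'389-ds-base-(\d+)\.(\d+)\.(\d+)')
MIN_2X = (2, 0, 8)  # minimum 2.x release named in the reply


def records(lines):
    """Yield (timestamp, level, message), folding wrapped continuation lines."""
    current = None
    for line in lines:
        m = STAMP.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2), m.group(3)]
        elif current:
            current[2] += ' ' + line.lstrip('> ').strip()
    if current:
        yield tuple(current)


def schema_rejections(lines):
    """Return (timestamp, level) for every record carrying the entryuuid error."""
    return [(ts, lvl) for ts, lvl, msg in records(lines)
            if ENTRYUUID.search(' '.join(msg.split()))]


def needs_upgrade(package):
    """True if a 389-ds-base 2.x package string is below the 2.0.8 minimum."""
    m = NVR.search(package)
    if not m:
        raise ValueError('not a 389-ds-base package string: %r' % package)
    version = tuple(int(part) for part in m.groups())
    return version[0] == 2 and version < MIN_2X


# Excerpt of the log quoted in the thread, still wrapped as the mail client left it.
SAMPLE = '''\
2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server
at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed.
'''.splitlines()
```

On a live system the package string would come from `rpm -q 389-ds-base` on each server; the 1.4 series is treated as the "older version" side and is not flagged.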