Hello Community!
I am trying to add a new Fedora 34 server as secondary master. The idm01 is still on Fedora 33, but the versions are the same as far as I can see.
The issue I am hitting occurs when installing the replication (the client works fine).
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Log files:

2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf' doesn't exist
2021-09-08T11:33:07Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa-rewrite.conf'
2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
2021-09-08T11:33:07Z DEBUG step duration: httpd __configure_http 0.26 sec
2021-09-08T11:33:07Z DEBUG [10/21]: setting up httpd keytab
2021-09-08T11:33:07Z DEBUG raw: service_add('HTTP/idm02.example.com@example.com', force=True, version='2.242')
2021-09-08T11:33:07Z DEBUG service_add(ipapython.kerberos.Principal('HTTP/idm02.example.com@example.com'), force=True, skip_host_check=False, all=False, raw=False, version='2.242', no_members=False)
2021-09-08T11:33:07Z DEBUG flushing ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket from SchemaCache
2021-09-08T11:33:07Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fb640f00160>
2021-09-08T11:33:08Z DEBUG raw: host_show('idm02.example.com', version='2.242')
2021-09-08T11:33:08Z DEBUG host_show('idm02.example.com', rights=False, all=False, raw=False, version='2.242', no_members=False)
2021-09-08T11:33:08Z DEBUG Backing up system configuration file '/var/lib/ipa/gssproxy/http.keytab'
2021-09-08T11:33:08Z DEBUG -> Not backing up - '/var/lib/ipa/gssproxy/http.keytab' doesn't exist
2021-09-08T11:33:08Z DEBUG Starting external process
2021-09-08T11:33:08Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k', '/var/lib/ipa/gssproxy/http.keytab', '-p', 'HTTP/idm02.example.com@example.com', '-H', 'ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket', '-Y', 'EXTERNAL']
2021-09-08T11:33:08Z DEBUG Process finished, return code=0
2021-09-08T11:33:08Z DEBUG stdout=
2021-09-08T11:33:08Z DEBUG stderr=Keytab successfully retrieved and stored in: /var/lib/ipa/gssproxy/http.keytab
2021-09-08T11:33:08Z DEBUG Waiting up to 300 seconds for replication (ldap://idm01.example.com:389) krbprincipalname=HTTP/idm02.example.com@example.com,cn=services,cn=accounts,dc=talheim-it,dc=at (objectclass=*)
2021-09-08T11:33:09Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('krbprincipalname=HTTP/idm02.example.com@example.com,cn=services,cn=accounts,dc=talheim-it,dc=at'), {'krbLastPwdChange': [b'20210908113308Z'], 'krbCanonicalName': [b'HTTP/idm02.example.com@example.com'], 'objectClass': [b'krbprincipal', b'krbprincipalaux', b'krbticketpolicyaux', b'ipaobject', b'ipaservice', b'pkiuser', b'ipakrbprincipal', b'top'], 'managedBy': [b'fqdn=idm02.example.com,cn=computers,cn=accounts,dc=talheim-it,dc=at'], 'ipaKrbPrincipalAlias': [b'HTTP/idm02.example.com@example.com'], 'krbPrincipalName': [b'HTTP/idm02.example.com@example.com'], 'ipaUniqueID': [b'8a3a99ec-1098-11ec-b7a5-860000d9fd13']})]
2021-09-08T11:33:09Z DEBUG step duration: httpd request_service_keytab 1.56 sec
2021-09-08T11:33:09Z DEBUG [11/21]: configuring Gssproxy
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/sbin/restorecon', '/etc/gssproxy/10-ipa.conf']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'restart', 'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'is-active', 'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=active
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Restart of gssproxy.service complete
2021-09-08T11:33:09Z DEBUG step duration: httpd configure_gssproxy 0.09 sec
2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
2021-09-08T11:33:09Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'GENERATING_CSR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'SUBMITTING'
2021-09-08T11:33:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG Giving up on cert request 20210908113310
2021-09-08T11:33:11Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 398, in __setup_ssl
    certmonger.request_and_wait_for_cert(**args)
  File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
    raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402, in __setup_ssl
    certmonger.request_and_wait_for_cert(**args)
  File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
    raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)

2021-09-08T11:33:11Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 342, in run
    return cfgr.run()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 608, in main
    replica_install(self)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
    func(installer)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1301, in install
    install_http(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 163, in install_http
    http.create_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 151, in create_instance
    self.start_creation()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402, in __setup_ssl
    certmonger.request_and_wait_for_cert(**args)
  File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
    raise RuntimeError(

2021-09-08T11:33:11Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Made on a completely fresh deployed VM.
Yours, Mathias
Hi,
I think this is related to the DS versions being different in f33 and f34. f33 has 389-ds-base-1.4 and f34 has 2.0.x. It sounds like: https://github.com/389ds/389-ds-base/issues/4498#issuecomment-744335466
Could you post the exact versions of DS you are using?
Thank you, François
On Thu, Sep 9, 2021 at 3:47 PM Mathias Rumbold via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello Community!
I am trying to add a new Fedora 34 server as secondary master. The idm01 is still on Fedora 33, but the versions are the same as far as I can see.
The issue I am hitting occurs when installing the replication (the client works fine).
Yes, this was a problem. Schema replication was failing because version of the entryuuid plugin added a new syntax plugin, which cannot be replicated. So it broke replication and would lead to errors like this.
The minimum version of 389-ds-base-2.x you need is:
389-ds-base-2.0.8
This version will work with older versions of DS.
HTH,
Mark
On 9/9/21 10:00 AM, François Cami wrote:
Hi,
I think this is related to the DS versions being different in f33 and f34. f33 has 389-ds-base-1.4 and f34 has 2.0.x. It sounds like: https://github.com/389ds/389-ds-base/issues/4498#issuecomment-744335466
Could you post the exact versions of DS you are using?
Thank you, François
On Thu, Sep 9, 2021 at 3:47 PM Mathias Rumbold via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello Community!
I am trying to add a new Fedora 34 server as secondary master. The idm01 is still Fedora 33 but versions are the same as I can see.
The issue I am hitting is by installing the replication (Client works fine).
Configuring the web interface (httpd) [1/21]: stopping httpd [2/21]: backing up ssl.conf [3/21]: disabling nss.conf [4/21]: configuring mod_ssl certificate paths [5/21]: setting mod_ssl protocol list [6/21]: configuring mod_ssl log directory [7/21]: disabling mod_ssl OCSP [8/21]: adding URL rewriting rules [9/21]: configuring httpd [10/21]: setting up httpd keytab [11/21]: configuring Gssproxy [12/21]: setting up ssl [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).) Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).) The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Log files: 2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf' doesn't exist 2021-09-08T11:33:07Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa-rewrite.conf' 2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist 2021-09-08T11:33:07Z DEBUG step duration: httpd __configure_http 0.26 sec 2021-09-08T11:33:07Z DEBUG [10/21]: setting up httpd keytab 2021-09-08T11:33:07Z DEBUG raw: service_add('HTTP/idm02.example.com@example.com', force=True, version='2.242') 2021-09-08T11:33:07Z DEBUG service_add(ipapython.kerberos.Principal('HTTP/idm02.example.com@example.com'), force=True, skip_host_check=False, all=False, raw=False, version='2.242', no_members=False) 2021-09-08T11:33:07Z DEBUG flushing ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket from SchemaCache 2021-09-08T11:33:07Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fb640f00160> 2021-09-08T11:33:08Z DEBUG raw: host_show('idm02.example.com', version='2.242') 2021-09-08T11:33:08Z DEBUG host_show('idm02.example.com', rights=False, all=False, raw=False, version='2.242', no_members=False) 2021-09-08T11:33:08Z DEBUG Backing up system configuration file '/var/lib/ipa/gssproxy/http.keytab' 2021-09-08T11:33:08Z DEBUG -> Not backing up - '/var/lib/ipa/gssproxy/http.keytab' doesn't exist 2021-09-08T11:33:08Z DEBUG Starting external process 2021-09-08T11:33:08Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k', '/var/lib/ipa/gssproxy/http.keytab', '-p', 'HTTP/idm02.example.com@example.com', '-H', 'ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket', '-Y', 'EXTERNAL'] 2021-09-08T11:33:08Z DEBUG Process finished, return code=0 2021-09-08T11:33:08Z DEBUG stdout= 2021-09-08T11:33:08Z DEBUG stderr=Keytab successfully retrieved and stored in: /var/lib/ipa/gssproxy/http.keytab
2021-09-08T11:33:08Z DEBUG Waiting up to 300 seconds for replication (ldap://idm01.example.com:389) krbprincipalname=HTTP/idm02.example.com@example.com,cn=services,cn=accounts,dc=talheim-it,dc=at (objectclass=*)
2021-09-08T11:33:09Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('krbprincipalname=HTTP/idm02.example.com@example.com,cn=services,cn=accounts,dc=talheim-it,dc=at'), {'krbLastPwdChange': [b'20210908113308Z'], 'krbCanonicalName': [b'HTTP/idm02.example.com@example.com'], 'objectClass': [b'krbprincipal', b'krbprincipalaux', b'krbticketpolicyaux', b'ipaobject', b'ipaservice', b'pkiuser', b'ipakrbprincipal', b'top'], 'managedBy': [b'fqdn=idm02.example.com,cn=computers,cn=accounts,dc=talheim-it,dc=at'], 'ipaKrbPrincipalAlias': [b'HTTP/idm02.example.com@example.com'], 'krbPrincipalName': [b'HTTP/idm02.example.com@example.com'], 'ipaUniqueID': [b'8a3a99ec-1098-11ec-b7a5-860000d9fd13']})]
2021-09-08T11:33:09Z DEBUG step duration: httpd request_service_keytab 1.56 sec
2021-09-08T11:33:09Z DEBUG [11/21]: configuring Gssproxy
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/sbin/restorecon', '/etc/gssproxy/10-ipa.conf']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'restart', 'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'is-active', 'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=active
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Restart of gssproxy.service complete
2021-09-08T11:33:09Z DEBUG step duration: httpd configure_gssproxy 0.09 sec
2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
2021-09-08T11:33:09Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'GENERATING_CSR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'SUBMITTING'
2021-09-08T11:33:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG Giving up on cert request 20210908113310
2021-09-08T11:33:11Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 398, in __setup_ssl
    certmonger.request_and_wait_for_cert(**args)
  File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
    raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402, in __setup_ssl
    certmonger.request_and_wait_for_cert(**args)
  File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
    raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 342, in run
    return cfgr.run()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
    raise value
  File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 608, in main
    replica_install(self)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
    func(installer)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1301, in install
    install_http(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 163, in install_http
    http.create_instance(
  File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 151, in create_instance
    self.start_creation()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402, in __setup_ssl
    certmonger.request_and_wait_for_cert(**args)
  File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
    raise RuntimeError(
2021-09-08T11:33:11Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Made on a completely freshly deployed VM.
Yours, Mathias
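An added triage example (not part of the original thread and not FreeIPA code): a small Python parser for the ipareplica-install.log format quoted above, reporting the step that was running, the certmonger state sequence, and the server, error code and reason of each failed certificate request. It splits entries on their timestamps, so it also works on a log pasted as one run-on line; the function name `triage` and the sample text are constructed for illustration.

```python
import re

STAMP = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
LEVEL = "DEBUG|INFO|WARNING|ERROR|CRITICAL"
# An entry runs until the next "<timestamp> <LEVEL> " marker or end of input,
# so flattened pastes and multi-line tracebacks both stay inside their entry.
ENTRY = re.compile(rf"({STAMP}) ({LEVEL}) (.*?)(?=\s*{STAMP} (?:{LEVEL}) |\s*\Z)", re.S)
STEP = re.compile(r"\[(\d+)/(\d+)\]: (.+)")
STATE = re.compile(r"certmonger request is in state '(\w+)'")
FAILED = re.compile(r"Cert request (\d+) failed: (\w+) "
                    r"\(Server at (\S+) failed request, will retry: (\d+) \((.*?)\)\.\)")

def triage(text):
    """Summarise an installer log: failing step, certmonger states, errors."""
    step, states, failures, errors = None, [], [], []
    for _ts, level, msg in ENTRY.findall(text):
        msg = " ".join(msg.split())  # collapse wrapped lines and indentation
        if (m := STEP.match(msg)) and not failures:
            step = f"{m[1]}/{m[2]} {m[3]}"  # last step started before a failure
        elif m := STATE.search(msg):
            states.append(m[1])
        elif m := FAILED.search(msg):
            failures.append({"request": m[1], "state": m[2], "server": m[3],
                             "code": int(m[4]), "reason": m[5]})
        elif level in ("ERROR", "CRITICAL"):
            errors.append(msg)
    return {"failing_step": step, "states": states,
            "failures": failures, "errors": errors}

# Constructed sample in the page's log format, joined into one line on purpose.
SAMPLE = """\
2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl \
2021-09-08T11:33:09Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR' \
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE' \
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE \
(Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 \
(attribute "entryuuid" not allowed).) \
2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309 \
2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. \
See /var/log/ipareplica-install.log for more information
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```

The `server` field identifies which existing master rejected the request, which is the host whose own logs and package versions are worth checking next.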
Hello!
Thanks for the info. I updated my servers yesterday, so they are all on Fedora 34 and it works perfectly now.
The solution was really just updating the systems from Fedora 33 to 34, all without issues.
Thank you for the help!
Yours, Mathias