6:41 a.m.
Hello Community!
I am trying to add a new Fedora 34 server as secondary master. The idm01 is still Fedora
33 but versions are the same as I can see.
The issue I am hitting is by installing the replication (Client works fine).
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json
failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
information
Log files:
2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf'
doesn't exist
2021-09-08T11:33:07Z DEBUG Backing up system configuration file
'/etc/httpd/conf.d/ipa-rewrite.conf'
2021-09-08T11:33:07Z DEBUG -> Not backing up -
'/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
2021-09-08T11:33:07Z DEBUG step duration: httpd __configure_http 0.26 sec
2021-09-08T11:33:07Z DEBUG [10/21]: setting up httpd keytab
2021-09-08T11:33:07Z DEBUG raw: service_add('HTTP/idm02.example.com(a)example.com',
force=True, version='2.242')
2021-09-08T11:33:07Z DEBUG
service_add(ipapython.kerberos.Principal('HTTP/idm02.example.com(a)example.com'),
force=True, skip_host_check=False, all=False, raw=False, version='2.242',
no_members=False)
2021-09-08T11:33:07Z DEBUG flushing ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket from
SchemaCache
2021-09-08T11:33:07Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket conn=<ldap.ldapobject.SimpleLDAPObject
object at 0x7fb640f00160>
2021-09-08T11:33:08Z DEBUG raw: host_show('idm02.example.com',
version='2.242')
2021-09-08T11:33:08Z DEBUG host_show('idm02.example.com', rights=False, all=False,
raw=False, version='2.242', no_members=False)
2021-09-08T11:33:08Z DEBUG Backing up system configuration file
'/var/lib/ipa/gssproxy/http.keytab'
2021-09-08T11:33:08Z DEBUG -> Not backing up -
'/var/lib/ipa/gssproxy/http.keytab' doesn't exist
2021-09-08T11:33:08Z DEBUG Starting external process
2021-09-08T11:33:08Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k',
'/var/lib/ipa/gssproxy/http.keytab', '-p',
'HTTP/idm02.example.com(a)example.com', '-H',
'ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket', '-Y', 'EXTERNAL']
2021-09-08T11:33:08Z DEBUG Process finished, return code=0
2021-09-08T11:33:08Z DEBUG stdout=
2021-09-08T11:33:08Z DEBUG stderr=Keytab successfully retrieved and stored in:
/var/lib/ipa/gssproxy/http.keytab
2021-09-08T11:33:08Z DEBUG Waiting up to 300 seconds for replication
(ldap://idm01.example.com:389)
krbprincipalname=HTTP/idm02.example.com(a)example.com,cn=services,cn=accounts,dc=talheim-it,dc=at
(objectclass=*)
2021-09-08T11:33:09Z DEBUG Entry found
[LDAPEntry(ipapython.dn.DN('krbprincipalname=HTTP/idm02.example.com(a)example.com,cn=services,cn=accounts,dc=talheim-it,dc=at'),
{'krbLastPwdChange': [b'20210908113308Z'], 'krbCanonicalName':
[b'HTTP/idm02.example.com(a)example.com'], 'objectClass':
[b'krbprincipal', b'krbprincipalaux', b'krbticketpolicyaux',
b'ipaobject', b'ipaservice', b'pkiuser',
b'ipakrbprincipal', b'top'], 'managedBy':
[b'fqdn=idm02.example.com,cn=computers,cn=accounts,dc=talheim-it,dc=at'],
'ipaKrbPrincipalAlias': [b'HTTP/idm02.example.com(a)example.com'],
'krbPrincipalName': [b'HTTP/idm02.example.com(a)example.com'],
'ipaUniqueID': [b'8a3a99ec-1098-11ec-b7a5-860000d9fd13']})]
2021-09-08T11:33:09Z DEBUG step duration: httpd request_service_keytab 1.56 sec
2021-09-08T11:33:09Z DEBUG [11/21]: configuring Gssproxy
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/sbin/restorecon',
'/etc/gssproxy/10-ipa.conf']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'restart',
'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'is-active',
'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=active
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Restart of gssproxy.service complete
2021-09-08T11:33:09Z DEBUG step duration: httpd configure_gssproxy 0.09 sec
2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
2021-09-08T11:33:09Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'GENERATING_CSR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'SUBMITTING'
2021-09-08T11:33:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG Giving up on cert request 20210908113310
2021-09-08T11:33:11Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 398, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line
414, in request_and_wait_for_cert
raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 402, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line
414, in request_and_wait_for_cert
raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG [error] RuntimeError: Certificate issuance failed
(CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry:
4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG File
"/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 342, in
run
return cfgr.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360,
in run
return self.execute()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386,
in execute
for rval in self._executor():
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in
run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in
run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655,
in _configure
next(executor)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518,
in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515,
in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in
run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in
run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65,
in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py",
line 608, in main
replica_install(self)
File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 401, in decorated
func(installer)
File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 1301, in install
install_http(
File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 163, in install_http
http.create_instance(
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 151, in create_instance
self.start_creation()
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 402, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line
414, in request_and_wait_for_cert
raise RuntimeError(
2021-09-08T11:33:11Z DEBUG The ipa-replica-install command failed, exception:
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
Made on a completely fresh deployed VM.
Yours,
Mathias
9 a.m.
Hi,
I think this is related to the DS versions being different in f33 and f34.
f33 has 389-ds-base-1.4 and f34 has 2.0.x.
It sounds like:
https://github.com/389ds/389-ds-base/issues/4498#issuecomment-744335466
Could you post the exact versions of DS you are using?
Thank you,
François
On Thu, Sep 9, 2021 at 3:47 PM Mathias Rumbold via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hello Community!
I am trying to add a new Fedora 34 server as secondary master. The idm01 is still Fedora
33 but versions are the same as I can see.
The issue I am hitting is by installing the replication (Client works fine).
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json
failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
information
Log files:
2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf'
doesn't exist
2021-09-08T11:33:07Z DEBUG Backing up system configuration file
'/etc/httpd/conf.d/ipa-rewrite.conf'
2021-09-08T11:33:07Z DEBUG -> Not backing up -
'/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
2021-09-08T11:33:07Z DEBUG step duration: httpd __configure_http 0.26 sec
2021-09-08T11:33:07Z DEBUG [10/21]: setting up httpd keytab
2021-09-08T11:33:07Z DEBUG raw: service_add('HTTP/idm02.example.com(a)example.com',
force=True, version='2.242')
2021-09-08T11:33:07Z DEBUG
service_add(ipapython.kerberos.Principal('HTTP/idm02.example.com(a)example.com'),
force=True, skip_host_check=False, all=False, raw=False, version='2.242',
no_members=False)
2021-09-08T11:33:07Z DEBUG flushing ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket from
SchemaCache
2021-09-08T11:33:07Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket conn=<ldap.ldapobject.SimpleLDAPObject
object at 0x7fb640f00160>
2021-09-08T11:33:08Z DEBUG raw: host_show('idm02.example.com',
version='2.242')
2021-09-08T11:33:08Z DEBUG host_show('idm02.example.com', rights=False,
all=False, raw=False, version='2.242', no_members=False)
2021-09-08T11:33:08Z DEBUG Backing up system configuration file
'/var/lib/ipa/gssproxy/http.keytab'
2021-09-08T11:33:08Z DEBUG -> Not backing up -
'/var/lib/ipa/gssproxy/http.keytab' doesn't exist
2021-09-08T11:33:08Z DEBUG Starting external process
2021-09-08T11:33:08Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k',
'/var/lib/ipa/gssproxy/http.keytab', '-p',
'HTTP/idm02.example.com(a)example.com', '-H',
'ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket', '-Y', 'EXTERNAL']
2021-09-08T11:33:08Z DEBUG Process finished, return code=0
2021-09-08T11:33:08Z DEBUG stdout=
2021-09-08T11:33:08Z DEBUG stderr=Keytab successfully retrieved and stored in:
/var/lib/ipa/gssproxy/http.keytab
2021-09-08T11:33:08Z DEBUG Waiting up to 300 seconds for replication
(ldap://idm01.example.com:389)
krbprincipalname=HTTP/idm02.example.com(a)example.com,cn=services,cn=accounts,dc=talheim-it,dc=at
(objectclass=*)
2021-09-08T11:33:09Z DEBUG Entry found
[LDAPEntry(ipapython.dn.DN('krbprincipalname=HTTP/idm02.example.com(a)example.com,cn=services,cn=accounts,dc=talheim-it,dc=at'),
{'krbLastPwdChange': [b'20210908113308Z'], 'krbCanonicalName':
[b'HTTP/idm02.example.com(a)example.com'], 'objectClass':
[b'krbprincipal', b'krbprincipalaux', b'krbticketpolicyaux',
b'ipaobject', b'ipaservice', b'pkiuser',
b'ipakrbprincipal', b'top'], 'managedBy':
[b'fqdn=idm02.example.com,cn=computers,cn=accounts,dc=talheim-it,dc=at'],
'ipaKrbPrincipalAlias': [b'HTTP/idm02.example.com(a)example.com'],
'krbPrincipalName': [b'HTTP/idm02.example.com(a)example.com'],
'ipaUniqueID': [b'8a3a99ec-1098-11ec-b7a5-860000d9fd13']})]
2021-09-08T11:33:09Z DEBUG step duration: httpd request_service_keytab 1.56 sec
2021-09-08T11:33:09Z DEBUG [11/21]: configuring Gssproxy
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/sbin/restorecon',
'/etc/gssproxy/10-ipa.conf']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'restart',
'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'is-active',
'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=active
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Restart of gssproxy.service complete
2021-09-08T11:33:09Z DEBUG step duration: httpd configure_gssproxy 0.09 sec
2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
2021-09-08T11:33:09Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'GENERATING_CSR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'SUBMITTING'
2021-09-08T11:33:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG Giving up on cert request 20210908113310
2021-09-08T11:33:11Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 398, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line
414, in request_and_wait_for_cert
raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 402, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line
414, in request_and_wait_for_cert
raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG [error] RuntimeError: Certificate issuance failed
(CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry:
4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG File
"/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 342,
in run
return cfgr.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360,
in run
return self.execute()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386,
in execute
for rval in self._executor():
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655,
in _configure
next(executor)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518,
in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515,
in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65,
in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py",
line 608, in main
replica_install(self)
File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 401, in decorated
func(installer)
File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 1301, in install
install_http(
File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 163, in install_http
http.create_instance(
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 151, in create_instance
self.start_creation()
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 402, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line
414, in request_and_wait_for_cert
raise RuntimeError(
2021-09-08T11:33:11Z DEBUG The ipa-replica-install command failed, exception:
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
Made on a completely fresh deployed VM.
Yours,
Mathias
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
9:15 a.m.
Yes this was a problem. Schema replciation was failing because version
of the entryuuid pugin added a new syntax plugin, which can not be
replicated. So it broke replication and would lead to errors like this.
The minimum version of 389-ds-base-2.x you need is:
389-ds-base-2.0.8
This version will work with older versions of DS.
HTH,
Mark
On 9/9/21 10:00 AM, François Cami wrote:
Hi,
I think this is related to the DS versions being different in f33 and f34.
f33 has 389-ds-base-1.4 and f34 has 2.0.x.
It sounds like:
https://github.com/389ds/389-ds-base/issues/4498#issuecomment-744335466
Could you post the exact versions of DS you are using?
Thank you,
François
On Thu, Sep 9, 2021 at 3:47 PM Mathias Rumbold via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
> Hello Community!
>
> I am trying to add a new Fedora 34 server as secondary master. The idm01 is still
Fedora 33 but versions are the same as I can see.
>
> The issue I am hitting is by installing the replication (Client works fine).
>
> Configuring the web interface (httpd)
> [1/21]: stopping httpd
> [2/21]: backing up ssl.conf
> [3/21]: disabling nss.conf
> [4/21]: configuring mod_ssl certificate paths
> [5/21]: setting mod_ssl protocol list
> [6/21]: configuring mod_ssl log directory
> [7/21]: disabling mod_ssl OCSP
> [8/21]: adding URL rewriting rules
> [9/21]: configuring httpd
> [10/21]: setting up httpd keytab
> [11/21]: configuring Gssproxy
> [12/21]: setting up ssl
> [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
information
>
>
> Log files:
> 2021-09-08T11:33:07Z DEBUG -> Not backing up -
'/etc/httpd/conf.d/ipa.conf' doesn't exist
> 2021-09-08T11:33:07Z DEBUG Backing up system configuration file
'/etc/httpd/conf.d/ipa-rewrite.conf'
> 2021-09-08T11:33:07Z DEBUG -> Not backing up -
'/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
> 2021-09-08T11:33:07Z DEBUG step duration: httpd __configure_http 0.26 sec
> 2021-09-08T11:33:07Z DEBUG [10/21]: setting up httpd keytab
> 2021-09-08T11:33:07Z DEBUG raw:
service_add('HTTP/idm02.example.com(a)example.com', force=True,
version='2.242')
> 2021-09-08T11:33:07Z DEBUG
service_add(ipapython.kerberos.Principal('HTTP/idm02.example.com(a)example.com'),
force=True, skip_host_check=False, all=False, raw=False, version='2.242',
no_members=False)
> 2021-09-08T11:33:07Z DEBUG flushing ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket from
SchemaCache
> 2021-09-08T11:33:07Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket conn=<ldap.ldapobject.SimpleLDAPObject
object at 0x7fb640f00160>
> 2021-09-08T11:33:08Z DEBUG raw: host_show('idm02.example.com',
version='2.242')
> 2021-09-08T11:33:08Z DEBUG host_show('idm02.example.com', rights=False,
all=False, raw=False, version='2.242', no_members=False)
> 2021-09-08T11:33:08Z DEBUG Backing up system configuration file
'/var/lib/ipa/gssproxy/http.keytab'
> 2021-09-08T11:33:08Z DEBUG -> Not backing up -
'/var/lib/ipa/gssproxy/http.keytab' doesn't exist
> 2021-09-08T11:33:08Z DEBUG Starting external process
> 2021-09-08T11:33:08Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k',
'/var/lib/ipa/gssproxy/http.keytab', '-p',
'HTTP/idm02.example.com(a)example.com', '-H',
'ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket', '-Y', 'EXTERNAL']
> 2021-09-08T11:33:08Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:08Z DEBUG stdout=
> 2021-09-08T11:33:08Z DEBUG stderr=Keytab successfully retrieved and stored in:
/var/lib/ipa/gssproxy/http.keytab
>
> 2021-09-08T11:33:08Z DEBUG Waiting up to 300 seconds for replication
(ldap://idm01.example.com:389)
krbprincipalname=HTTP/idm02.example.com(a)example.com,cn=services,cn=accounts,dc=talheim-it,dc=at
(objectclass=*)
> 2021-09-08T11:33:09Z DEBUG Entry found
[LDAPEntry(ipapython.dn.DN('krbprincipalname=HTTP/idm02.example.com(a)example.com,cn=services,cn=accounts,dc=talheim-it,dc=at'),
{'krbLastPwdChange': [b'20210908113308Z'], 'krbCanonicalName':
[b'HTTP/idm02.example.com(a)example.com'], 'objectClass':
[b'krbprincipal', b'krbprincipalaux', b'krbticketpolicyaux',
b'ipaobject', b'ipaservice', b'pkiuser',
b'ipakrbprincipal', b'top'], 'managedBy':
[b'fqdn=idm02.example.com,cn=computers,cn=accounts,dc=talheim-it,dc=at'],
'ipaKrbPrincipalAlias': [b'HTTP/idm02.example.com(a)example.com'],
'krbPrincipalName': [b'HTTP/idm02.example.com(a)example.com'],
'ipaUniqueID': [b'8a3a99ec-1098-11ec-b7a5-860000d9fd13']})]
> 2021-09-08T11:33:09Z DEBUG step duration: httpd request_service_keytab 1.56 sec
> 2021-09-08T11:33:09Z DEBUG [11/21]: configuring Gssproxy
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/usr/sbin/selinuxenabled']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/sbin/restorecon',
'/etc/gssproxy/10-ipa.conf']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'restart',
'gssproxy.service']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'is-active',
'gssproxy.service']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=active
>
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Restart of gssproxy.service complete
> 2021-09-08T11:33:09Z DEBUG step duration: httpd configure_gssproxy 0.09 sec
> 2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
> 2021-09-08T11:33:09Z DEBUG certmonger request is in state
'GENERATING_KEY_PAIR'
> 2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
> 2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server
at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
> 2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309
> 2021-09-08T11:33:10Z DEBUG certmonger request is in state 'GENERATING_CSR'
> 2021-09-08T11:33:10Z DEBUG certmonger request is in state 'SUBMITTING'
> 2021-09-08T11:33:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
> 2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server
at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
> 2021-09-08T11:33:11Z DEBUG Giving up on cert request 20210908113310
> 2021-09-08T11:33:11Z DEBUG Traceback (most recent call last):
> File
"/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 398,
in __setup_ssl
> certmonger.request_and_wait_for_cert(**args)
> File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py",
line 414, in request_and_wait_for_cert
> raise RuntimeError(
> RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
line 635, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
line 621, in run_step
> method()
> File
"/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402,
in __setup_ssl
> certmonger.request_and_wait_for_cert(**args)
> File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py",
line 414, in request_and_wait_for_cert
> raise RuntimeError(
> RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
>
> 2021-09-08T11:33:11Z DEBUG [error] RuntimeError: Certificate issuance failed
(CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry:
4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:11Z DEBUG File
"/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
> return_value = self.run()
> File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line
342, in run
> return cfgr.run()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
360, in run
> return self.execute()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
386, in execute
> for rval in self._executor():
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
431, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
421, in __runner
> step()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
655, in _configure
> next(executor)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
431, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
518, in _handle_exception
> self.__parent._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
515, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
421, in __runner
> step()
> File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line
418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
> raise value
> File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python3.9/site-packages/ipapython/install/common.py",
line 65, in _install
> for unused in self._installer(self.parent):
> File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line
608, in main
> replica_install(self)
> File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 401, in decorated
> func(installer)
> File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 1301, in install
> install_http(
> File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 163, in install_http
> http.create_instance(
> File
"/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 151,
in create_instance
> self.start_creation()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
line 635, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
line 621, in run_step
> method()
> File
"/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402,
in __setup_ssl
> certmonger.request_and_wait_for_cert(**args)
> File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py",
line 414, in request_and_wait_for_cert
> raise RuntimeError(
>
> 2021-09-08T11:33:11Z DEBUG The ipa-replica-install command failed, exception:
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
> 2021-09-08T11:33:11Z ERROR Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
> 2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
>
> Made on a completely fresh deployed VM.
>
>
> Yours,
> Mathias
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
1:22 p.m.
Hello!
thanks for the info. I updated my servers yesterday, so they are all on Fedora 34 and it
works perfectly now.
The solution was really just updating the systems from Fedora 33 to 34, all without
issues.
Thank you for the help!
Yours,
Mathias
958
days inactive
959
days old
freeipa-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
François Cami -
Mark Reynolds -
Mathias Rumbold