[Freeipa-users] FreeIPA ipa-ca-install problem at the second replica

Jan Gardian via FreeIPA-users Thu, 05 Apr 2018 08:00:48 -0700

Hello,

We have freeipa installed in our environment with two master replicaservers but only one have CA installed.I tried to install CA also at the second server but got error duringcommunication with first replica "HTTPError: 502 Server Error: Proxy Error".

Server's OS: "Ubuntu 16.04.3 LTS (Xenial Xerus)"
ipa version: 4.3.1, API_VERSION: 2.164

Collected logs from ipa-ca-install and other logs are in attached file"ipa_ca_install_logs"


If you will require more logs please write.

Thank you for checking and any provided advice.

With kind regards,
--


*Ján Gardian*
Security Software Specialist

*CYAN Research & Development s.r.o.*
Palackého třída 879/84, 612 00 Brno, CZ

Upozornění: Tento e-mail včetně všech příloh je důvěrný a může býtpředmětem obchodního tajemství. Pokud nejste zamýšleným adresátem,upozorněte prosím ihned odesilatele, zničte všechny kopie z Vašehosystému a nevyzrazujte nebo nepoužívejte tyto informace k žádnému účelu.Notice: This e-mail and any attachments are confidential and may beprivileged. If you are not the intended recipient, notify the senderimmediately, destroy all copies from your system and do not disclose oruse the information for any purpose.

# Our domain in this file were replaced by "example.com"

# Our system contains from two replicas
root@ipa2:/home/jgardian# ipa-replica-manage list
ipa1.example.com: master
ipa2.example.com: master

# We have only ipa1 with CA configured
root@ipa2:/home/jgardian# ipa-csreplica-manage list 
Directory Manager password: 

ipa1.example.com: master
ipa2.example.com: CA not configured

# Failed for installing CA at ipa2 replica. During this I did not have any 
kerberos tickets at ipa2 server so used Directory Manager credentials
root@ipa2:/home/jgardian# ipa-ca-install
Directory Manager (existing master) password: 

Run connection check to master
Connection check OK
/usr/lib/python2.7/dist-packages/urllib3/connection.py:266: 
SubjectAltNameWarning: Certificate for ipa1.example.com has no 
`subjectAltName`, falling back to check for a `commonName` for now. This 
feature is being removed by major browsers and deprecated by RFC 2818. (See 
https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see   for details:
HTTPError: 502 Server Error: Proxy Error for url: 
https://ipa1.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwia2lkIjpudWxsfQ.w2DRpN5XLVKgaDr6oCMzihTq3m_V0ygtESWaYzipLmDH-qqZvYxNSyLfk8-hBors9mVbr4UtNbe6qysMdnIjHbDm8FwTDNWUZo4VJWNDab3U6y3ytazrtm2eAzx1ZPpqI8M7KnrqH-ClbA8_xl_Ti5OcVJiDzljqwj0uRKtyzblNdShrdTsgnTxwZOZ_ZK3tdu1rrDR97fbdHg53oyDPXj9-ktmyqXaxRtFxIbXnTVSC3spSpzhz23yyoeS6WG-t-Jw-papWtmxBDtZQbU_3G4bczhrIIWAi8pHQPv8jUj_3gZm6M9drEZwmjfmi9_PYp4rZZP4-QLf_DR2OBajANw.ZoHz0yQ-MXvWRQQG8yOFJw.HSKnQzoQx0zhrjWHDcNxeaGexrN_1tH-WZkeOWCfJq8ef07xv523_xh5lZemlxeG7BvCvA0sGKKJJvv2OC3TpMb9c_sYFYZ-SyGawz9akiYoBEv4RMMygvHsHxqUkpWg0h7I9ri2ZNjbyCcSEuFM4MQpy7ZGKRwu7Q6WO1J8ID11UYbhHad2ikAtT2_OQfle7VyLa_1ktvphIc39ycOfKCk4va43qAkOnWdMh_KJYUxy8WZ38YVIups-3MjPD9SANRlK0b2uq4gUEp9o4xhVFznrU49W50Uf2xA4MkXERCypcGKopd9HHUbI7zgVf9DUOuIEqceVGnHJ7T-uFjNXKFPCPZIrjhrzYzWUAA7q66ZQnlki55_I9g7LYx68gaMBpFdoC4p5YhTfm-qT1bcl50k0T7dGac_DriVPLk_QfqLueEEL8RwEWFak6DNpMFnDy4-geXzVdJvMXQH_gZWBlLJm8Enajih6mCEpr-H4arH92bIPaRUTNqVeHbFLoTpdqA-xCJLV76F6wPnbZWdopZfLAPEgC29AyNwjRPKk-uoeT5nWnlX5qdPVXIHrIEJvdPNfwsT1Kq9P9z8jiHKjKjQZYGSAIAl5G-gg5hmyMhn-EgkIYoHfI-vtCI2k9XOE4BOpmDkKV0dyA76HFoE7gA.kPfe8Zsf-X3LSny5yBPSVvd8drOHrYZqFqMofNQnGOo


##################
# !!!! logfile /var/log/ipareplica-ca-install.log does not exist but found logs 
in /var/log/ipaserver-ca-install.log (timestamps + 2 hours for CET)

root@ipa2:/var/log# cat ipaserver-ca-install.log 
2018-04-05T07:21:32Z DEBUG /usr/sbin/ipa-ca-install was invoked with options: 
{'external_cert_files': None, 'skip_schema_check': False, 'external_ca_type': 
None, 'unattended': False, 'no_host_dns': False, 'ca_signing_algorithm': None, 
'debug': False, 'external_ca': False, 'skip_conncheck': False},None
2018-04-05T07:21:32Z DEBUG IPA version 4.3.1
2018-04-05T07:21:32Z DEBUG importing all plugin modules in ipalib.plugins...
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.aci
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.automember
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.automount
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.baseldap
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.baseuser
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.batch
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.caacl
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.cert
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.certprofile
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.config
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.delegation
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.dns
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.domainlevel
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.group
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.hbacrule
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.hbacsvc
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.hbacsvcgroup
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.hbactest
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.host
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.hostgroup
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.idrange
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.idviews
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.internal
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.krbtpolicy
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.migration
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.misc
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.netgroup
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.otpconfig
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.otptoken
2018-04-05T07:21:32Z DEBUG importing plugin module 
ipalib.plugins.otptoken_yubikey
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.passwd
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.permission
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.ping
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.pkinit
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.privilege
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.pwpolicy
2018-04-05T07:21:32Z DEBUG Starting external process
2018-04-05T07:21:32Z DEBUG args=klist -V
2018-04-05T07:21:32Z DEBUG Process finished, return code=0
2018-04-05T07:21:32Z DEBUG stdout=Kerberos 5 version 1.13.2

2018-04-05T07:21:32Z DEBUG stderr=
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.radiusproxy
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.realmdomains
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.role
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.rpcclient
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.selfservice
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.selinuxusermap
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.server
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.service
2018-04-05T07:21:32Z DEBUG importing plugin module 
ipalib.plugins.servicedelegation
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.session
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.stageuser
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.sudocmd
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.sudocmdgroup
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.sudorule
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.topology
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.trust
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.user
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.vault
2018-04-05T07:21:32Z DEBUG importing plugin module ipalib.plugins.virtual
2018-04-05T07:21:32Z DEBUG importing all plugin modules in ipaserver.plugins...
2018-04-05T07:21:32Z DEBUG importing plugin module ipaserver.plugins.dogtag
2018-04-05T07:21:32Z DEBUG importing plugin module ipaserver.plugins.join
2018-04-05T07:21:32Z DEBUG importing plugin module ipaserver.plugins.ldap2
2018-04-05T07:21:32Z DEBUG importing plugin module ipaserver.plugins.rabase
2018-04-05T07:21:32Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2018-04-05T07:21:32Z DEBUG SessionAuthManager.register: 
name=jsonserver_session_140551520636432
2018-04-05T07:21:32Z DEBUG SessionAuthManager.register: 
name=xmlserver_session_140551520679184
2018-04-05T07:21:32Z DEBUG Mounting ipaserver.rpcserver.xmlserver() at '/xml'
2018-04-05T07:21:32Z DEBUG session_auth_duration: 0:20:00
2018-04-05T07:21:32Z DEBUG Mounting ipaserver.rpcserver.login_password() at 
'/session/login_password'
2018-04-05T07:21:32Z DEBUG session_auth_duration: 0:20:00
2018-04-05T07:21:32Z DEBUG Mounting ipaserver.rpcserver.change_password() at 
'/session/change_password'
2018-04-05T07:21:32Z DEBUG Mounting ipaserver.rpcserver.xmlserver_session() at 
'/session/xml'
2018-04-05T07:21:32Z DEBUG session_auth_duration: 0:20:00
2018-04-05T07:21:32Z DEBUG session_auth_duration: 0:20:00
2018-04-05T07:21:32Z DEBUG Mounting ipaserver.rpcserver.jsonserver_session() at 
'/session/json'
2018-04-05T07:21:32Z DEBUG session_auth_duration: 0:20:00
2018-04-05T07:21:32Z DEBUG Mounting ipaserver.rpcserver.jsonserver_kerb() at 
'/json'
2018-04-05T07:21:32Z DEBUG session_auth_duration: 0:20:00
2018-04-05T07:21:32Z DEBUG Mounting ipaserver.rpcserver.login_kerberos() at 
'/session/login_kerberos'
2018-04-05T07:21:32Z DEBUG session_auth_duration: 0:20:00
2018-04-05T07:21:33Z DEBUG Mounting ipaserver.rpcserver.sync_token() at 
'/session/sync_token'
2018-04-05T07:21:33Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-PLOB-CZ.socket 
from SchemaCache
2018-04-05T07:21:33Z DEBUG retrieving schema for SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-PLOB-CZ.socket 
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fd4b3877f38>
2018-04-05T07:21:33Z DEBUG Initializing principal 
host/ipa2.example....@example.com using keytab /etc/krb5.keytab
2018-04-05T07:21:33Z DEBUG using ccache /tmp/krbcc3kMdWN/ccache
2018-04-05T07:21:33Z DEBUG Attempt 1/1: success
2018-04-05T07:21:33Z DEBUG Created connection context.ldap2_140551520635728
2018-04-05T07:21:33Z DEBUG retrieving schema for SchemaCache 
url=ldapi://%2Fvar%2Frun%2Fslapd-PLOB-CZ.socket 
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fd4b15411b8>
2018-04-05T07:21:33Z DEBUG Destroyed connection context.ldap2_140551520635728
2018-04-05T07:21:39Z DEBUG Created connection context.ldap2_140551520635728
2018-04-05T07:21:39Z DEBUG Starting external process
2018-04-05T07:21:39Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master 
ipa1.example.com --auto-master-check --realm example.com --hostname 
ipa2.example.com --ca-cert-file /etc/ipa/ca.crt
2018-04-05T07:21:55Z DEBUG Process finished, return code=0
2018-04-05T07:21:55Z DEBUG stdout=Check connection from replica to remote 
master 'ipa1.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check RPC connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa2.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

2018-04-05T07:21:55Z DEBUG stderr=
2018-04-05T07:21:55Z INFO Skipping CA DS schema check
2018-04-05T07:21:55Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'phishwheel
2018-04-05T07:21:56Z DEBUG   File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", line 739, 
in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-ca-install", line 295, in main
    promote(safe_options, options, filename)

  File "/usr/sbin/ipa-ca-install", line 267, in promote
    install_replica(safe_options, options, filename)

  File "/usr/sbin/ipa-ca-install", line 190, in install_replica
    custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])

  File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/custodiainstance.py", line 
161, in get_ca_keys
    self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)

  File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/custodiainstance.py", line 
129, in __get_keys
    value = cli.fetch_key(os.path.join(prefix, nickname), False)

  File "/usr/lib/python2.7/dist-packages/ipapython/secrets/client.py", line 92, 
in fetch_key
    r.raise_for_status()

  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 840, in 
raise_for_status
    raise HTTPError(http_error_msg, response=self)

2018-04-05T07:21:56Z DEBUG The ipa-ca-install command failed, exception: 
HTTPError: 502 Server Error: Proxy Error for url: 
https://ipa1.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwia2lkIjpudWxsfQ.VniDucoLyGmDqLzKUueM_WK2p0evUv5G_ANF0NGJjcKcjdoP6sFH3TWK3CcWw6QuBzMA_5gQxBSQY2hGxiVdotq0pOUmbY2LbFks4LAnyY94_eTXIFAXVHmzCxjFNfpVQZmrbI8GKuS0oB-2WpO_T8_HR6Gw6VH8nYJtCdQEA66nV8ShpEZv97ZY54Pfwt7IQYxPWbTWCmG9cWPm3dT4MKTO9vow2_llnWidhMz5oUVCxq49rKMpdmtOF8KaFCcgqSP_baa2tdBKm2-O7DpOhraopOTnFisu-73wgSpgPDbV2tNSTe4obGsOoaVcJsoijHxAuqwGGoAk6yAt_nwVcQ.5PJNnxPrn_qOqj0st4R1aw.lzuBlJCtLrnjoIyop_RWCbJFhkZxyv1aYoIUAgzPl_CTJfkLn59oLwyNVu0BfeLNmu9kkIzCI2ztH0YMPvS1i2jOXVeU_fULi74RnEnVgk75i2jWQQeGAmkHhlTjeP0wDoADL2G1hbbBTzMyUP4z5K4KdsBMJFmwqw-rF9hmhRFu8FlGoB19zgmLcUbk1ledO2I9m1ntZ36r41cZgOJkY7oBbwGzWkM5lY6IvwTF-U2wADEAotovzvqNIrbX026RAF7grhk98ugEoeIvNcx0Z7D8Ib4f_DOwDUsOPWfffrYWSBYnXbu2f1EfQuzbw5iRjKllhnb8awo05ZLxvny6_s0G-072e6NRc_WmNgX6G65hMOmNpzNeqv8sEwpcouluPRNkOx3IgSh7Ml_g7FYldHhQXnEJ_SPFZlClHmgDEOM7gT1OivkQeVzMgwY-81JoRCyIORCqFCRLr7m3rAREXEIQ_d5NO48Oh1z9-kIinGjeTuZ8Zm8NV9Zqy1j9iFqw36fjg3tEvMRslJbqOUuxFjEhCWmRBRq6NFzzanrYHAzcQy_szlN_07bZIR94rUVdphishwheel51irdUvazfpSbxFAf8e8m5NnJzAXU3VV4PRUYRs2GMbfshDUleVeMmT1H9Rp315KIkLvLi0jFRVvie7unLXVXA.qRxhxULTTb5tK1qdid5Y3wgGmoQAhBwF2ZzNkdJ-pXw


########################
# Did not found any specific logfile for custodia daemon only logs in apache 
error.log at ipa1

ipa1 /var/log/apache/error.log
[Thu Apr 05 09:16:18.884674 2018] [wsgi:error] [pid 12448:tid 140474087360256] 
ipa: INFO: [jsonserver_kerb] host/ipa2.example....@example.com: 
ping(version=u'2.164'): SUCCESS
[Thu Apr 05 09:16:31.233571 2018] [wsgi:error] [pid 12447:tid 140474087360256] 
ipa: INFO: [jsonserver_kerb] host/ipa2.example....@example.com: 
server_conncheck(u'ipa1.example.com', u'ipa2.example.com', version=u'2.162'): 
SUCCESS
[Thu Apr 05 09:16:56.049340 2018] [proxy_http:error] [pid 12451:tid 
140474330584832] (20014)Internal error (specific information not available): 
[client 62.77.90.71:35608] AH01102: error reading status line from remote 
server httpd-UDS:0
[Thu Apr 05 09:16:56.049481 2018] [proxy:error] [pid 12451:tid 140474330584832] 
[client 62.77.90.71:35608] AH00898: Error reading from remote server returned 
by /ipa/keys/ca/caSigningCert cert-pki-ca
[Thu Apr 05 09:20:56.361025 2018] [proxy_http:error] [pid 12453:tid 
140474347370240] (20014)Internal error (specific information not available): 
[client 185.24.236.91:50070] AH01102: error reading status line from remote 
server httpd-UDS
:0
[Thu Apr 05 09:20:56.424197 2018] [auth_gssapi:error] [pid 12450:tid 
140474347370240] [client 185.24.236.91:50074] gss_accept_sec_context() failed: 
[Unspecified GSS failure.  Minor code may provide more information (Request is 
a replay)]
[Thu Apr 05 09:20:56.617622 2018] [proxy_http:error] [pid 12453:tid 
140474305406720] (20014)Internal error (specific information not available): 
[client 185.24.236.91:50076] AH01102: error reading status line from remote 
server httpd-UDS
:0, referer: 
https://ipa1.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwia2lkIjpudWxsfQ.w2DRpN5XLVKgaDr6oCMzihTq3m_V0ygtESWaYzipLmDH-qqZvYxNSyLfk8-hBors9mVbr4UtNbe6qysMd
nIjHbDm8FwTDNWUZo4VJWNDab3U6y3ytazrtm2eAzx1ZPpqI8M7KnrqH-ClbA8_xl_Ti5OcVJiDzljqwj0uRKtyzblNdShrdTsgnTxwZOZ_ZK3tdu1rrDR97fbdHg53oyDPXj9-ktmyqXaxRtFxIbXnTVSC3spSpzhz23yyoeS6WG-t-Jw-papWtmxBDtZQbU_3G4bczhrIIWAi8pHQPv8jU
j_3gZm6M9drEZwmjfmi9_PYp4rZZP4-QLf_DR2OBajANw.ZoHz0yQ-MXvWRQQG8yOFJw.HSKnQzoQx0zhrjWHDcNxeaGexrN_1tH-WZkeOWCfJq8ef07xv523_xh5lZemlxeG7BvCvA0sGKKJJvv2OC3TpMb9c_sYFYZ-SyGawz9akiYoBEv4RMMygvHsHxqUkpWg0h7I9ri2ZNjbyCcSEuFM4MQpy7ZGKRwu7Q6WO1J8ID11UYbhHad2ikAtT2_OQfle7VyLa_1ktvphIc39ycOfKCk4va43qAkOnWdMh_KJYUxy8WZ38YVIups-3MjPD9SANRlK0b2uq4gUEp9o4xhVFznrU49W50Uf2xA4MkXERCypcGKopd9HHUbI7zgVf9DUOuIEqceVGnHJ7T-uFjNXKFPCPZIrjhrzYzWUAA7q66ZQnlki55_I9g7LYx68gaMBpFdoC4p5YhTfm-qT1bcl50k0T7dGac_DriVPLk_QfqLueEEL8RwEWFak6DNpMFnDy4-geXzVdJvMXQH_gZWBlLJm8Enajih6mCEpr-H4arH92bIPaRUTNqVeHbFLoTpdqA-xCJLV76F6wPnbZWdopZfLAPEgC29AyNwjRPKk-uoeT5nWnlX5qdPVXIHrIEJvdPNfwsT1Kq9P9z8jiHKjKjQZYGSAIAl5G-gg5hmyMhn-EgkIYoHfI-vtCI2k9XOE4BOpmDkKV0dyA76HFoE7gA.kPfe8Zsf-X3LSny5yBPSVvd8drOHrYZqFqMofNQnGOo
[Thu Apr 05 09:20:56.641636 2018] [proxy_http:error] [pid 12451:tid 
140474313799424] (20014)Internal error (specific information not available): 
[client 185.24.236.91:50078] AH01102: error reading status line from remote 
server httpd-UDS:0, referer: 
https://ipa1.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwia2lkIjpudWxsfQ.w2DRpN5XLVKgaDr6oCMzihTq3m_V0ygtESWaYzipLmDH-qqZvYxNSyLfk8-hBors9mVbr4UtNbe6qysMdnIjHbDm8FwTDNWUZo4VJWNDab3U6y3ytazrtm2eAzx1ZPpqI8M7KnrqH-ClbA8_xl_Ti5OcVJiDzljqwj0uRKtyzblNdShrdTsgnTxwZOZ_ZK3tdu1rrDR97fbdHg53oyDPXj9-ktmyqXaxRtFxIbXnTVSC3spSpzhz23yyoeS6WG-t-Jw-papWtmxBDtZQbU_3G4bczhrIIWAi8pHQPv8jUj_3gZm6M9drEZwmjfmi9_PYp4rZZP4-QLf_DR2OBajANw.ZoHz0yQ-MXvWRQQG8yOFJw.HSKnQzoQx0zhrjWHDcNxeaGexrN_1tH-WZkeOWCfJq8ef07xv523_xh5lZemlxeG7BvCvA0sGKKJJvv2OC3TpMb9c_sYFYZ-SyGawz9akiYoBEv4RMMygvHsHxqUkpWg0h7I9ri2ZNjbyCcSEuFM4MQpy7ZGKRwu7Q6WO1J8ID11UYbhHad2ikAtT2_OQfle7VyLa_1ktvphIc39ycOfKCk4va43qAkOnWdMh_KJYUxy8WZ38YVIups-3MjPD9SANRlK0b2uq4gUEp9o4xhVFznrU49W50Uf2xA4MkXERCypcGKopd9HHUbI7zgVf9DUOuIEqceVGnHJ7T-uFjNXKFPCPZIrjhrzYzWUAA7q66ZQnlki55_I9g7LYx68gaMBpFdoC4p5YhTfm-qT1bcl50k0T7dGac_DriVPLk_QfqLueEEL8RwEWFak6DNpMFnDy4-geXzVdJvMXQH_gZWBlLJm8Enajih6mCEpr-H4arH92bIPaRUTNqVeHbFLoTpdqA-xCJLV76F6wPnbZWdopZfLAPEgC29AyNwjRPKk-uoeT5nWnlX5qdPVXIHrIEJvdPNfwsT1Kq9P9z8jiHKjKjQZYGSAIAl5G-gg5hmyMhn-EgkIYoHfI-vtCI2k9XOE4BOpmDkKV0dyA76HFoE7gA.kPfe8Zsf-X3LSny5yBPSVvd8drOHrYZqFqMofNQnGOo
[Thu Apr 05 09:20:56.685571 2018] [auth_gssapi:error] [pid 12453:tid 
140474297014016] [client 185.24.236.91:50080] gss_accept_sec_context() failed: 
[Unspecified GSS failure.  Minor code may provide more information (Request is 
a replay)], referer: 
https://ipa1.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwia2lkIjpudWxsfQ.w2DRpN5XLVKgaDr6oCMzihTq3m_V0ygtESWaYzipLmDH-qqZvYxNSyLfk8-hBors9mVbr4UtNbe6qysMdnIjHbDm8FwTDNWUZo4VJWNDab3U6y3ytazrtm2eAzx1ZPpqI8M7KnrqH-ClbA8_xl_Ti5OcVJiDzljqwj0uRKtyzblNdShrdTsgnTxwZOZ_ZK3tdu1rrDR97fbdHg53oyDPXj9-ktmyqXaxRtFxIbXnTVSC3spSpzhz23yyoeS6WG-t-Jw-papWtmxBDtZQbU_3G4bczhrIIWAi8pHQPv8jUj_3gZm6M9drEZwmjfmi9_PYp4rZZP4-QLf_DR2OBajANw.ZoHz0yQ-MXvWRQQG8yOFJw.HSKnQzoQx0zhrjWHDcNxeaGexrN_1tH-WZkeOWCfJq8ef07xv523_xh5lZemlxeG7BvCvA0sGKKJJvv2OC3TpMb9c_sYFYZ-SyGawz9akiYoBEv4RMMygvHsHxqUkpWg0h7I9ri2ZNjbyCcSEuFM4MQpy7ZGKRwu7Q6WO1J8ID11UYbhHad2ikAtT2_OQfle7VyLa_1ktvphIc39ycOfKCk4va43qAkOnWdMh_KJYUxy8WZ38YVIups-3MjPD9SANRlK0b2uq4gUEp9o4xhVFznrU49W50Uf2xA4MkXERCypcGKopd9HHUbI7zgVf9DUOuIEqceVGnHJ7T-uFjNXKFPCPZIrjhrzYzWUAA7q66ZQnlki55_I9g7LYx68gaMBpFdoC4p5YhTfm-qT1bcl50k0T7dGac_DriVPLk_QphishwheelfqLueEEL8RwEWFak6DNpMFnDy4-geXzVdJvMXQH_gZWBlLJm8Enajih6mCEpr-H4arH92bIPaRUTNqVeHbFLoTpdqA-xCJLV76F6wPnbZWdopZfLAPEgC29AyNwjRPKk-uoeT5nWnlX5qdPVXIHrIEJvdPNfwsT1Kq9P9z8jiHKjKjQZYGSAIAl5G-gg5hmyMhn-EgkIYoHfI-vtCI2k9XOE4BOpmDkKV0dyA76HFoE7gA.kPfe8Zsf-X3LSny5yBPSVvd8drOHrYZqFqMofNQnGOo
[Thu Apr 05 09:20:56.748321 2018] [auth_gssapi:error] [pid 12450:tid 
140474305406720] [client 185.24.236.91:50082] gss_accept_sec_context() failed: 
[Unspecified GSS failure.  Minor code may provide more information (Request is 
a replay)], referer: 
https://ipa1.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwia2lkIjpudWxsfQ.w2DRpN5XLVKgaDr6oCMzihTq3m_V0ygtESWaYzipLmDH-qqZvYxNSyLfk8-hBors9mVbr4UtNbe6qysMdnIjHbDm8FwTDNWUZo4VJWNDab3U6y3ytazrtm2eAzx1ZPpqI8M7KnrqH-ClbA8_xl_Ti5OcVJiDzljqwj0uRKtyzblNdShrdTsgnTxwZOZ_ZK3tdu1rrDR97fbdHg53oyDPXj9-ktmyqXaxRtFxIbXnTVSC3spSpzhz23yyoeS6WG-t-Jw-papWtmxBDtZQbU_3G4bczhrIIWAi8pHQPv8jUj_3gZm6M9drEZwmjfmi9_PYp4rZZP4-QLf_DR2OBajANw.ZoHz0yQ-MXvWRQQG8yOFJw.HSKnQzoQx0zhrjWHDcNxeaGexrN_1tH-WZkeOWCfJq8ef07xv523_xh5lZemlxeG7BvCvA0sGKKJJvv2OC3TpMb9c_sYFYZ-SyGawz9akiYoBEv4RMMygvHsHxqUkpWg0h7I9ri2ZNjbyCcSEuFM4MQpy7ZGKRwu7Q6WO1J8ID11UYbhHad2ikAtT2_OQfle7VyLa_1ktvphIc39ycOfKCk4va43qAkOnWdMh_KJYUxy8WZ38YVIups-3MjPD9SANRlK0b2uq4gUEp9o4xhVFznrU49W50Uf2xA4MkXERCypcGKopd9HHUbI7zgVf9DUOuIEqceVGnHJ7T-uFjNXKFPCPZIrjhrzYzWUAA7q66ZQnlki55_I9g7LYx68gaMBpFdoC4p5YhTfm-qT1bcl50k0T7dGac_DriVPLk_QfqLueEEL8RwEWFak6DNpMFnDy4-geXzVdJvMXQH_gZWBlLJm8Enajih6mCEpr-H4arH92bIPaRUTNqVeHbFLoTpdqA-xCJLV76F6wPnbZWdopZfLAPEgC29AyNwjRPKk-uoeT5nWnlX5qdPVXIHrIEJvdPNfwsT1Kq9P9z8jiHKjKjQZYGSAIAl5G-gg5hmyMhn-EgkIYoHfI-vtCI2k9XOE4BOpmDkKV0dyA76HFoE7gA.kPfe8Zsf-X3LSny5yBPSVvd8drOHrYZqFqMofNQnGOo
[Thu Apr 05 09:21:43.304413 2018] [wsgi:error] [pid 12448:tid 140474087360256] 
ipa: INFO: [jsonserver_kerb] host/ipa2.example....@example.com: 
ping(version=u'2.164'): SUCCESS
[Thu Apr 05 09:21:56.425571 2018] [wsgi:error] [pid 12447:tid 140474087360256] 
ipa: INFO: [jsonserver_kerb] host/ipa2.example....@example.com: 
server_conncheck(u'ipa1.example.com', u'ipa2.example.com', version=u'2.162'): 
SUCCESS
[Thu Apr 05 09:21:58.052015 2018] [proxy_http:error] [pid 12451:tid 
140474297014016] (20014)Internal error (specific information not available): 
[client 62.77.90.71:35646] AH01102: error reading status line from remote 
server httpd-UDS:0
[Thu Apr 05 09:21:58.052059 2018] [proxy:error] [pid 12451:tid 140474297014016] 
[client 62.77.90.71:35646] AH00898: Error reading from remote server returned 
by /ipa/keys/ca/caSigningCert cert-pki-ca
[Thu Apr 05 09:29:09.795182 2018] [proxy_http:error] [pid 12450:tid 
140474161530624] (20014)Internal error (specific information not available): 
[client 185.24.236.91:50286] AH01102: error reading status line from remote 
server httpd-UDS:0
[Thu Apr 05 09:29:09.858423 2018] [auth_gssapi:error] [pid 12451:tid 
140474211886848] [client 185.24.236.91:50288] gss_accept_sec_context() failed: 
[Unspecified GSS failure.  Minor code may provide more information (Request is 
a replay)]
[Thu Apr 05 09:29:10.006923 2018] [proxy_http:error] [pid 12453:tid 
140474136352512] (20014)Internal error (specific information not available): 
[client 185.24.236.91:50290] AH01102: error reading status line from remote 
server httpd-UDS:0, referer: https://ipa1.example.com/ipa/keys/ca/caSigningCert
[Thu Apr 05 09:29:10.051505 2018] [proxy_http:error] [pid 12450:tid 
140474144745216] (20014)Internal error (specific information not available): 
[client 185.24.236.91:50292] AH01102: error reading status line from remote 
server httpd-UDS:0, referer: https://ipa1.example.com/ipa/keys/ca/caSigningCert
[Thu Apr 05 09:29:10.068999 2018] [auth_gssapi:error] [pid 12451:tid 
140474195101440] [client 185.24.236.91:50294] gss_accept_sec_context() failed: 
[Unspecified GSS failure.  Minor code may provide more information (Request is 
a replay)], referer: https://ipa1.example.com/ipa/keys/ca/caSigningCert
[Thu Apr 05 09:29:10.131304 2018] [auth_gssapi:error] [pid 12453:tid 
140474127959808] [client 185.24.236.91:50296] gss_accept_sec_context() failed: 
[Unspecified GSS failure.  Minor code may provide more information (Request is 
a replay)], referer: https://ipa1.example.com/ipa/keys/ca/caSigningCert
[Thu Apr 05 09:33:46.938299 2018] [wsgi:error] [pid 12448:tid 140474087360256] 
ipa: INFO: [jsonserver_kerb] jgard...@example.com: cert_show(u'1', 
version=u'2.164'): SUCCESS

# Logfile where is request for CA 
/var/log/ipareplica-conncheck.log
2018-04-05T07:21:45Z DEBUG /usr/sbin/ipa-replica-conncheck was invoked with 
options: {'realm': None, 'hostname': None, 'quiet': False, 'kdc': None, 
'replica': 'ipa2.example.com', 'master': None, 'auto_master_check': False, 
'debug': False, 'ca_cert_file': None, 'check_ca': False, 'principal': None}
2018-04-05T07:21:45Z DEBUG missing options might be asked for interactively 
later

2018-04-05T07:21:45Z DEBUG IPA version 4.3.1

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] FreeIPA ipa-ca-install problem at the second replica

Reply via email to