On Thu, May 3, 2018 at 10:45 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Brian Weaver via FreeIPA-users wrote: > >> So given that 4.6 wasn't going to work nicely with F28, I decided to >> rollback to F27. I also DID NOT use the COPR repo; just what was stock with >> F27. I'm still unable to create a replica. I get the following error on the >> replica install. >> >> Configuring ipa-custodia >> [1/4]: Generating ipa-custodia config file >> [2/4]: Generating ipa-custodia keys >> [3/4]: starting ipa-custodia >> [4/4]: configuring ipa-custodia to start on boot >> Done configuring ipa-custodia. >> Waiting for keys to appear on host: ipa-server0.ipa.domain, please wait >> until this has completed. >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> ipapython.admintool: ERROR 400 Client Error: Bad Request for url: >> https://ipa-server0.ipa.domain/ipa/keys/ca/caSigningCert% >> 20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI >> 6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.w3ZCBToenHY368SFEqUHup >> fnd7nxwPpW2PbthpYyrigJFudW2o6exMdgF9nxES1rwDW2ZJOJlmRe9uOZni >> rNghahvcEbpssqgSAmKzSNi5N1uY-ShB5FuGy_R_Ei4Im00_ldHmBTe_vg9 >> wvTL54FUH_1-WdI4ie2AeAGkV7yevqdnbSb30QGyQci9Gku2RtW79mFxI2VD >> FnGnZq3Ozs8zRqK0XldzO-xuwrOODHAh3etWXHGSf76645SPP2E4HR5rzL9e >> dx0dqGFlcWLaemLYvXnmF69_x4ESPmyDtoMotLGvMLUq93fXCjPwNj_ >> rNKswwX5AwA4dwt09mZcdCOF-w._Znmzdn1UoVCSKhjQIJJAw.TevehnXKP3 >> R47EckjagTAaT54kliJxC3in66E-q8_ARYXXQrRjELFXgWM_9g_Qt38_pS >> optG7sP5jbsRtiQXfO22lmDij5HwR6fgvQCl1NYZincLBl0zZlhq7Uh5Hj73 >> vahHhQNsPhnmIIWAO58sNx-OsPyjwJDpXTaImq319RPV8rYNNDSLF0tT_ >> UhWdyPXo9f7nNRK_9kQ8D7T_ye1uj6Bp5Oyybhd1cDtpCp4dqA93y0Lf0Vn5 >> tsLjy8Jzt3B-Txw6t325SIrsUR3z9tzWp2oZ3caPSoHVDRGXUrzy7dEzMAU_ >> 5m1xzRU69HR9QMbCuTHf606SdynGXss3Zw4l1ZWVJg7pO9B-04AgNdJOyBmN >> 71CXkPuMefnsKhm8X18kLI-LUQN9jkYs0YhRAOJbHluIa_O_80nv3 >> 8nSt1HRlphzwdzxiEZclScaIS8A94gEJrcRsiSsI2hVo58bQyWWobyQFicTW >> GLZfHYGoDtLb9VK2tJLzv-vDiesC4tX2RuZTwN9O8YBPT49EvCIp-P4T1Uzt >> vxQ2Sgkg91Hd5BiOGrWEQ0o6loF2jMlzDpescfq8N8LbaPol_cvj0- >> I0M1uJiOhjS4JIz_Un6E9Cw4Bkj2cCoeui-VksAxC4NBAB-wAn8ESnVz8Lil >> NUKV6tF7xz5OKvlk6vZUHrbKDBOEkZoAx_UtbOpLu4T_bpxjhxpd.Rcl_HiV >> K5uS1rTxCmbMmVgvGLmoq3XMSA9E_SBhdDzk >> ipapython.admintool: ERROR The ipa-replica-install command failed. See >> /var/log/ipareplica-install.log for more information >> >> Any ideas why I'd get a 400 error. This is the same error I when I did >> use the COPR repo with F27. I *thought* it would work if I'd stop trying to >> jump ahead on the software version by skipping COPR. This is getting >> downright frustrating. How many people setup a FreeIPA server and don't >> setup at least 1 replica? Wouldn't that be a basic use case for testing >> before inclusion? >> > > Can you look in /var/log/httpd/error_log on the existing master around > this time to see what requests it may have gotten and how it responded? > > rob > > >> Any help would definitely be appreciated. Do I need to step back to F26? >> >> On Wed, May 2, 2018 at 4:32 PM, Rob Crittenden <rcrit...@redhat.com >> <mailto:rcrit...@redhat.com>> wrote: >> >> Brian Weaver via FreeIPA-users wrote: >> >> I had issues with my old FreeIPA installation so I rebuilt using >> Fedora 28 and FreeIPA 4.6 from the COPR of @freeipa/freeipa-4-6. >> >> I managed successfully setup the server and import my DNS data. >> Now when I try to create a replica it is blowing up. When I run >> "ipa-replica-install --principal admin@IPA.${DOMAIN} -w >> 'uber-secret-password' -N" it's failing. I've tried Google, >> cleaned up the directory of the server entries, etc. I'm at an >> impass. >> >> Here is the error >> >> Done configuring Kerberos KDC (krb5kdc). >> Configuring kadmin >> [1/2]: starting kadmin >> [2/2]: configuring kadmin to start on boot >> Done configuring kadmin. >> Configuring directory server (dirsrv) >> [1/3]: configuring TLS for DS instance >> [error] RuntimeError: Certificate issuance failed >> (CA_REJECTED) >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> I was going to get the error from the log directory. I ran >> uninstall before I thought about it. Then when I try again it >> fails on "entry already exists". So when I run uninstall again I >> have to do 'ipa server-del ipa-server1.ipa.domain'. >> >> I'm having no luck and it fails at random places. For example >> after the last cleanup I got "Insufficient Access" with write >> privilege on cn=replication,cn=etc,dc=ipa,dc=$domain' >> >> Any help would really be appreciated. This is really holding me >> up. >> >> >> 4.6 is probably not going to work nicely in F28. NSS changed the >> default database type and that caused a lot of issues for IPA. >> >> rob >> >> Here's a block of the log from the relevant time. [Thu May 03 09:48:02.139175 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34882] ipa: INFO: [xmlserver] admin@IPA.DOMAIN: join('ipa-server1.ipa.domain', nshardwareplatform='x86_64', nsosversion='4.16.5-200.fc27.x86_64', version='2.51'): SUCCESS [Thu May 03 09:48:02.470757 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:34894] ipa: INFO: [jsonserver_kerb] host/ipa-server1.ipa.domain@IPA.DOMAIN: schema(version='2.170'): SUCCESS [Thu May 03 09:48:04.225272 2018] [:warn] [pid 16580:tid 140079049684736] [client 192.168.46.252:34898] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~ipa-server1.ipa.domain@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 09:48:04.233942 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34898] ipa: INFO: [jsonserver_session] host/ipa-server1.ipa.domain@IPA.DOMAIN: ping(): SUCCESS [Thu May 03 09:48:04.238942 2018] [:warn] [pid 16580:tid 140079041292032] [client 192.168.46.252:34898] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~ipa-server1.ipa.domain@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 09:48:04.249753 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:34898] ipa: INFO: [jsonserver_session] host/ipa-server1.ipa.domain@IPA.DOMAIN: ca_is_enabled(version='2.107'): SUCCESS [Thu May 03 09:48:04.838205 2018] [:warn] [pid 16580:tid 140079032899328] [client 192.168.46.252:34898] failed to set perms (3140) on file (/var/run/ipa/ccaches/host~ipa-server1.ipa.domain@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 09:48:04.859736 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34898] ipa: INFO: [jsonserver_session] host/ipa-server1.ipa.domain@IPA.DOMAIN: host_mod('ipa-server1.ipa.domain', ipasshpubkey=('ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz [Thu May 03 09:48:09.542153 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:34920] ipa: INFO: [jsonserver_kerb] host/ipa-server1.ipa.domain@IPA.DOMAIN: env(('version',)): SUCCESS [Thu May 03 09:48:09.560313 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34920] ipa: INFO: [jsonserver_kerb] host/ipa-server1.ipa.domain@IPA.DOMAIN: env(('fips_mode',)): SUCCESS [Thu May 03 09:48:23.698644 2018] [:warn] [pid 16265:tid 140079133611776] [client 192.168.44.250:58032] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 09:48:23.720234 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.44.250:58032] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: dnsrecord_add/1('46.168.192.in-addr.arpa', <DNS name 252>, ptrrecord=('ipa-server1.ipa.domain.',), version='2.229'): EmptyModlist [Thu May 03 09:48:38.293949 2018] [:warn] [pid 16580:tid 140079016113920] [client 192.168.44.250:58036] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 09:48:38.318277 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.44.250:58036] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: dnsrecord_add/1('44.168.192.in-addr.arpa', <DNS name 250>, ptrrecord=('ipa-server0.ipa.domain.',), version='2.229'): SUCCESS [Thu May 03 09:48:43.746399 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:34958] ipa: INFO: [jsonserver_kerb] admin@IPA.DOMAIN: ping/1(version='2.229'): SUCCESS [Thu May 03 09:48:45.295163 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:34958] ipa: INFO: [jsonserver_kerb] admin@IPA.DOMAIN: server_conncheck('ipa-server0.ipa.domain', 'ipa-server1.ipa.domain', version='2.162'): SUCCESS [Thu May 03 09:49:24.029002 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.46.252:35018] ipa: INFO: [xmlserver] host/ipa-server1.ipa.domain@IPA.DOMAIN: cert_request('MIIEBjCCAu4CAQAwSDEcMBoGA1UEChMTSVBBLlNVTkJJUkREQ0lNLkNPTTEoMCYGA1UEAxMfaXBhLXNlcnZlcjEuaXBhLnN1bmJpcmRkY2ltLmNvbT [Thu May 03 09:50:27.397261 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.46.252:35058] ipa: INFO: [xmlserver] host/ipa-server1.ipa.domain@IPA.DOMAIN: cert_request('MIIEBjCCAu4CAQAwSDEcMBoGA1UEChMTSVBBLlNVTkJJUkREQ0lNLkNPTTEoMCYGA1UEAxMfaXBhLXNlcnZlcjEuaXBhLnN1bmJpcmRkY2ltLmNvbT [Thu May 03 09:51:38.478737 2018] [proxy:error] [pid 16265:tid 140079032899328] (20014)Internal error (specific information not available): [client 192.168.46.252:35086] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS) [Thu May 03 09:51:38.478773 2018] [proxy_http:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35086] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 192.168.46.252 () [Thu May 03 10:13:42.746937 2018] [:warn] [pid 16580:tid 140079049684736] [client 192.168.44.250:58124] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 10:13:42.758777 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.44.250:58124] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: ping(): SUCCESS [Thu May 03 10:13:42.787775 2018] [:warn] [pid 16580:tid 140079041292032] [client 192.168.44.250:58124] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 10:13:42.806736 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.44.250:58124] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: dnsconfig_show/1(version='2.229'): SUCCESS [Thu May 03 10:13:51.198493 2018] [:warn] [pid 16580:tid 140079024506624] [client 192.168.44.250:58130] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 10:13:51.207219 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.44.250:58130] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: ping(): SUCCESS [Thu May 03 10:13:51.233977 2018] [:warn] [pid 16580:tid 140079016113920] [client 192.168.44.250:58130] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 10:13:51.249541 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.44.250:58130] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: dnsconfig_show/1(all=True, version='2.229'): SUCCESS [Thu May 03 10:14:44.574564 2018] [:warn] [pid 16580:tid 140079083255552] [client 192.168.44.250:58144] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 10:14:44.583901 2018] [wsgi:error] [pid 16261:tid 140079021463296] [remote 192.168.44.250:58144] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: ping(): SUCCESS [Thu May 03 10:14:52.217033 2018] [:warn] [pid 16580:tid 140079091648256] [client 192.168.44.250:58144] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IPA.DOMAIN)!, referer: https://ipa-server0.ipa.domain/ipa/xml [Thu May 03 10:14:52.233562 2018] [wsgi:error] [pid 16262:tid 140079021463296] [remote 192.168.44.250:58144] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN: dnszone_show/1('ipa.domain.', version='2.229'): SUCCESS -- /* insert witty comment here */
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
