Brian Weaver via FreeIPA-users wrote:
Sadly, nothing now. It would be whatever was standard in a FC 27 install. I had to abandon FreeIPA due to time constraints and I moved back to stock Bind9. System Admin work is one of those "extra" tasks I have and not my primary job. I simply ran out of time; 4 days of lost productivity has my management a bit unhappy. Sorry I didn't save the VM.

Ok, sorry you had such a lousy experience.

I think this is related to a change made in httpd recently that broke proxy support in mod_nss. There is a pending change in mod_nss to address this but it is stuck in updates-testing so I suspect you didn't have the fixed version.

rob


I did find one other quirk of using FreeIPA vs stock Bind9. Seems that FreeIPA will allow you to create a hostname with an underscore. Bind9 complained bitterly about that. It'd have been nice if FreeIPA would have warned or prohibited me from adding the underscore in the first place. Granted it may be that Bind9 is being too restrictive.

On Thu, May 3, 2018 at 11:40 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Brian Weaver wrote:



        On Thu, May 3, 2018 at 10:45 AM, Rob Crittenden
        <rcrit...@redhat.com> wrote:

             Brian Weaver via FreeIPA-users wrote:

                 So given that 4.6 wasn't going to work nicely with F28, I
                 decided to roll back to F27. I also DID NOT use the COPR repo;
                 just what was stock with F27. I'm still unable to create a
                 replica. I get the following error on the replica install.

                 Configuring ipa-custodia
                     [1/4]: Generating ipa-custodia config file
                     [2/4]: Generating ipa-custodia keys
                     [3/4]: starting ipa-custodia
                     [4/4]: configuring ipa-custodia to start on boot
                 Done configuring ipa-custodia.
                 Waiting for keys to appear on host: ipa-server0.ipa.domain,
                 please wait until this has completed.
                 Your system may be partly configured.
                 Run /usr/sbin/ipa-server-install --uninstall to clean up.

                 ipapython.admintool: ERROR    400 Client Error: Bad Request for url:
https://ipa-server0.ipa.domain/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.w3ZCBToenHY368SFEqUHupfnd7nxwPpW2PbthpYyrigJFudW2o6exMdgF9nxES1rwDW2ZJOJlmRe9uOZnirNghahvcEbpssqgSAmKzSNi5N1uY-ShB5FuGy_R_Ei4Im00_ldHmBTe_vg9wvTL54FUH_1-WdI4ie2AeAGkV7yevqdnbSb30QGyQci9Gku2RtW79mFxI2VDFnGnZq3Ozs8zRqK0XldzO-xuwrOODHAh3etWXHGSf76645SPP2E4HR5rzL9edx0dqGFlcWLaemLYvXnmF69_x4ESPmyDtoMotLGvMLUq93fXCjPwNj_rNKswwX5AwA4dwt09mZcdCOF-w._Znmzdn1UoVCSKhjQIJJAw.TevehnXKP3R47EckjagTAaT54kliJxC3in66E-q8_ARYXXQrRjELFXgWM_9g_Qt38_pSoptG7sP5jbsRtiQXfO22lmDij5HwR6fgvQCl1NYZincLBl0zZlhq7Uh5Hj73vahHhQNsPhnmIIWAO58sNx-OsPyjwJDpXTaImq319RPV8rYNNDSLF0tT_UhWdyPXo9f7nNRK_9kQ8D7T_ye1uj6Bp5Oyybhd1cDtpCp4dqA93y0Lf0Vn5tsLjy8Jzt3B-Txw6t325SIrsUR3z9tzWp2oZ3caPSoHVDRGXUrzy7dEzMAU_5m1xzRU69HR9QMbCuTHf606SdynGXss3Zw4l1ZWVJg7pO9B-04AgNdJOyBmN71CXkPuMefnsKhm8X18kLI-LUQN9jkYs0YhRAOJbHluIa_O_80nv38nSt1HRlphzwdzxiEZclScaIS8A94gEJrcRsiSsI2hVo58bQyWWobyQFicTWGLZfHYGoDtLb9VK2tJLzv-vDiesC4tX2RuZTwN9O8YBPT49EvCIp-P4T1UztvxQ2Sgkg91Hd5BiOGrWEQ0o6loF2jMlzDpescfq8N8LbaPol_cvj0-I0M1uJiOhjS4JIz_Un6E9Cw4Bkj2cCoeui-VksAxC4NBAB-wAn8ESnVz8LilNUKV6tF7xz5OKvlk6vZUHrbKDBOEkZoAx_UtbOpLu4T_bpxjhxpd.Rcl_HiVK5uS1rTxCmbMmVgvGLmoq3XMSA9E_SBhdDzk
        
                 ipapython.admintool: ERROR    The ipa-replica-install command
                 failed. See /var/log/ipareplica-install.log for more information

                 Any ideas why I'd get a 400 error? This is the same error I got when
                 I did use the COPR repo with F27. I *thought* it would work if
                 I'd stop trying to jump ahead on the software version by
                 skipping COPR. This is getting downright frustrating. How many
                 people set up a FreeIPA server and don't set up at least 1
                 replica? Wouldn't that be a basic use case for testing before
                 inclusion?


             Can you look in /var/log/httpd/error_log on the existing master
             around this time to see what requests it may have gotten and how it
             responded?

             rob


                 Any help would definitely be appreciated. Do I need to step back
                 to F26?

                 On Wed, May 2, 2018 at 4:32 PM, Rob Crittenden
                 <rcrit...@redhat.com> wrote:

                      Brian Weaver via FreeIPA-users wrote:

                          I had issues with my old FreeIPA installation so I rebuilt using
                          Fedora 28 and FreeIPA 4.6 from the COPR of @freeipa/freeipa-4-6.

                          I managed to successfully set up the server and import my DNS data.
                          Now when I try to create a replica it is blowing up. When I run
                          "ipa-replica-install --principal admin@IPA.${DOMAIN} -w
                          'uber-secret-password' -N" it's failing. I've tried Google,
                          cleaned up the directory of the server entries, etc. I'm at an
                          impasse.

                          Here is the error

                          Done configuring Kerberos KDC (krb5kdc).
                          Configuring kadmin
                              [1/2]: starting kadmin
                              [2/2]: configuring kadmin to start on boot
                          Done configuring kadmin.
                          Configuring directory server (dirsrv)
                              [1/3]: configuring TLS for DS instance
                              [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
                          Your system may be partly configured.
                          Run /usr/sbin/ipa-server-install --uninstall to clean up.

                          I was going to get the error from the log directory. I ran
                          uninstall before I thought about it. Then when I try again it
                          fails on "entry already exists". So when I run uninstall again I
                          have to do 'ipa server-del ipa-server1.ipa.domain'.

                          I'm having no luck and it fails at random places. For example
                          after the last cleanup I got "Insufficient Access" with write
                          privilege on cn=replication,cn=etc,dc=ipa,dc=$domain'

                          Any help would really be appreciated. This is really holding me up.


                      4.6 is probably not going to work nicely in F28. NSS changed the
                      default database type and that caused a lot of issues for IPA.

                      rob



    > [Thu May 03 09:51:38.478737 2018] [proxy:error] [pid 16265:tid 140079032899328] (20014)Internal error (specific information not available): [client 192.168.46.252:35086] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
    > [Thu May 03 09:51:38.478773 2018] [proxy_http:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35086] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 192.168.46.252 ()

    What version of httpd and mod_nss do you have installed?

    rob




--

/* insert witty comment here */


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
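
The check Rob asks for in the thread (looking in /var/log/httpd/error_log on the master around the time of the failed replica install), as an added example that is not part of the original thread or of FreeIPA. It parses Apache 2.4 error-log entries and returns the proxy errors inside a time window for one client. The function names are hypothetical, and the sample log holds the two entries quoted in the thread plus one constructed unrelated entry.

```python
import re
from datetime import datetime, timedelta

# The two entries quoted in the thread (unwrapped), followed by one
# constructed unrelated entry that the filter must ignore.
SAMPLE_LOG = """\
[Thu May 03 09:51:38.478737 2018] [proxy:error] [pid 16265:tid 140079032899328] (20014)Internal error (specific information not available): [client 192.168.46.252:35086] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Thu May 03 09:51:38.478773 2018] [proxy_http:error] [pid 16265:tid 140079032899328] [client 192.168.46.252:35086] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 192.168.46.252 ()
[Thu May 03 10:30:00.000000 2018] [core:notice] [pid 16265:tid 140079032899328] constructed unrelated entry
"""

ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[\w-]+):(?P<level>\w+)\] "
    r"\[pid \d+(?::tid \d+)?\] (?P<rest>.*)$"
)
CLIENT = re.compile(r"\[client (?P<ip>[0-9a-fA-F.:]+):\d+\]")
AH_CODE = re.compile(r"\b(AH\d{5}):")
BACKEND = re.compile(r"failed to \S+ \(([^)]*)\)")  # worker name, e.g. httpd-UDS

def parse_entry(line):
    """Split one error_log line into fields; None if it is not an entry."""
    m = ENTRY.match(line)
    if not m:
        return None
    rest = m["rest"]
    client, code, backend = CLIENT.search(rest), AH_CODE.search(rest), BACKEND.search(rest)
    return {
        "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
        "module": m["module"],
        "level": m["level"],
        "client": client["ip"] if client else None,
        "code": code[1] if code else None,
        "backend": backend[1] if backend else None,
    }

def proxy_failures(log_text, around, window=timedelta(minutes=2), client_ip=None):
    """Return proxy* error entries within `window` of `around`, optionally for one client."""
    hits = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or e["level"] != "error" or not e["module"].startswith("proxy"):
            continue
        if abs(e["time"] - around) > window:
            continue
        if client_ip and e["client"] != client_ip:
            continue
        hits.append(e)
    return hits
```

On the sample, both returned entries name the `httpd-UDS` backend, which is how mod_proxy labels a Unix-domain-socket worker, so the failure is between httpd and the local service behind the proxy rather than on the replica's side of the connection.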


