Hi, I think this is related to the DS versions being different in f33 and f34. f33 has 389-ds-base-1.4 and f34 has 2.0.x. It sounds like: https://github.com/389ds/389-ds-base/issues/4498#issuecomment-744335466
Could you post the exact versions of DS you are using?

Thank you,
François

On Thu, Sep 9, 2021 at 3:47 PM Mathias Rumbold via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hello Community!
>
> I am trying to add a new Fedora 34 server as secondary master. The idm01 is
> still Fedora 33 but versions are the same as I can see.
>
> The issue I am hitting is by installing the replication (Client works fine).
>
> Configuring the web interface (httpd)
> [1/21]: stopping httpd
> [2/21]: backing up ssl.conf
> [3/21]: disabling nss.conf
> [4/21]: configuring mod_ssl certificate paths
> [5/21]: setting mod_ssl protocol list
> [6/21]: configuring mod_ssl log directory
> [7/21]: disabling mod_ssl OCSP
> [8/21]: adding URL rewriting rules
> [9/21]: configuring httpd
> [10/21]: setting up httpd keytab
> [11/21]: configuring Gssproxy
> [12/21]: setting up ssl
> [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
>
> Log files:
> 2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf' doesn't exist
> 2021-09-08T11:33:07Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa-rewrite.conf'
> 2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
> 2021-09-08T11:33:07Z DEBUG step duration: httpd __configure_http 0.26 sec
> 2021-09-08T11:33:07Z DEBUG [10/21]: setting up httpd keytab
> 2021-09-08T11:33:07Z DEBUG raw: service_add('HTTP/idm02.example....@example.com', force=True, version='2.242')
> 2021-09-08T11:33:07Z DEBUG service_add(ipapython.kerberos.Principal('HTTP/idm02.example....@example.com'), force=True, skip_host_check=False, all=False, raw=False, version='2.242', no_members=False)
> 2021-09-08T11:33:07Z DEBUG flushing ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket from SchemaCache
> 2021-09-08T11:33:07Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fb640f00160>
> 2021-09-08T11:33:08Z DEBUG raw: host_show('idm02.example.com', version='2.242')
> 2021-09-08T11:33:08Z DEBUG host_show('idm02.example.com', rights=False, all=False, raw=False, version='2.242', no_members=False)
> 2021-09-08T11:33:08Z DEBUG Backing up system configuration file '/var/lib/ipa/gssproxy/http.keytab'
> 2021-09-08T11:33:08Z DEBUG -> Not backing up - '/var/lib/ipa/gssproxy/http.keytab' doesn't exist
> 2021-09-08T11:33:08Z DEBUG Starting external process
> 2021-09-08T11:33:08Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k', '/var/lib/ipa/gssproxy/http.keytab', '-p', 'HTTP/idm02.example....@example.com', '-H', 'ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket', '-Y', 'EXTERNAL']
> 2021-09-08T11:33:08Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:08Z DEBUG stdout=
> 2021-09-08T11:33:08Z DEBUG stderr=Keytab successfully retrieved and stored in: /var/lib/ipa/gssproxy/http.keytab
>
> 2021-09-08T11:33:08Z DEBUG Waiting up to 300 seconds for replication (ldap://idm01.example.com:389) krbprincipalname=HTTP/idm02.example....@example.com,cn=services,cn=accounts,dc=talheim-it,dc=at (objectclass=*)
> 2021-09-08T11:33:09Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('krbprincipalname=HTTP/idm02.example....@example.com,cn=services,cn=accounts,dc=talheim-it,dc=at'), {'krbLastPwdChange': [b'20210908113308Z'], 'krbCanonicalName': [b'HTTP/idm02.example....@example.com'], 'objectClass': [b'krbprincipal', b'krbprincipalaux', b'krbticketpolicyaux', b'ipaobject', b'ipaservice', b'pkiuser', b'ipakrbprincipal', b'top'], 'managedBy': [b'fqdn=idm02.example.com,cn=computers,cn=accounts,dc=talheim-it,dc=at'], 'ipaKrbPrincipalAlias': [b'HTTP/idm02.example....@example.com'], 'krbPrincipalName': [b'HTTP/idm02.example....@example.com'], 'ipaUniqueID': [b'8a3a99ec-1098-11ec-b7a5-860000d9fd13']})]
> 2021-09-08T11:33:09Z DEBUG step duration: httpd request_service_keytab 1.56 sec
> 2021-09-08T11:33:09Z DEBUG [11/21]: configuring Gssproxy
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/usr/sbin/selinuxenabled']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/sbin/restorecon', '/etc/gssproxy/10-ipa.conf']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'restart', 'gssproxy.service']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Starting external process
> 2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'is-active', 'gssproxy.service']
> 2021-09-08T11:33:09Z DEBUG Process finished, return code=0
> 2021-09-08T11:33:09Z DEBUG stdout=active
>
> 2021-09-08T11:33:09Z DEBUG stderr=
> 2021-09-08T11:33:09Z DEBUG Restart of gssproxy.service complete
> 2021-09-08T11:33:09Z DEBUG step duration: httpd configure_gssproxy 0.09 sec
> 2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
> 2021-09-08T11:33:09Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
> 2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
> 2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309
> 2021-09-08T11:33:10Z DEBUG certmonger request is in state 'GENERATING_CSR'
> 2021-09-08T11:33:10Z DEBUG certmonger request is in state 'SUBMITTING'
> 2021-09-08T11:33:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
> 2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:11Z DEBUG Giving up on cert request 20210908113310
> 2021-09-08T11:33:11Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 398, in __setup_ssl
>     certmonger.request_and_wait_for_cert(**args)
>   File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
>     raise RuntimeError(
> RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402, in __setup_ssl
>     certmonger.request_and_wait_for_cert(**args)
>   File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
>     raise RuntimeError(
> RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
>
> 2021-09-08T11:33:11Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:11Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
>     return_value = self.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 342, in run
>     return cfgr.run()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
>     return self.execute()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
>     for rval in self._executor():
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
>     step()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655, in _configure
>     next(executor)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
>     step()
>   File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
>     raise value
>   File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
>     for unused in self._installer(self.parent):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 608, in main
>     replica_install(self)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
>     func(installer)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1301, in install
>     install_http(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 163, in install_http
>     http.create_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 151, in create_instance
>     self.start_creation()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402, in __setup_ssl
>     certmonger.request_and_wait_for_cert(**args)
>   File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
>     raise RuntimeError(
>
> 2021-09-08T11:33:11Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:11Z ERROR Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
> 2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> Made on a completely fresh deployed VM.
>
>
> Yours,
> Mathias
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
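
Added example, not part of the original thread: a small Python triage of `ipareplica-install.log` entries like the ones quoted above. It reports the installer step in progress and the reason the remote server returned with each failed certmonger request. The sample lines are constructed from the quoted log with the e-mail wrapping undone, and the function and field names are assumptions of this example.

```python
import re

STEP = re.compile(r"\[(\d+)/(\d+)\]: (.+)$")
CERT_FAIL = re.compile(
    r"Cert request (\d+) failed: (\w+) \(Server at (\S+) failed request, "
    r"will retry: (\d+) \((.*)\)\.\)"
)
SCHEMA_REJECT = re.compile(r'attribute "([^"]+)" not allowed')

# Constructed sample: entries taken from the quoted log, with the e-mail
# line wrapping undone so that each entry is one line, as in the real file.
SAMPLE_LOG = """\
2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
"""


def triage(log_text):
    """Return the last installer step started and each failed cert request."""
    last_step, failures = None, []
    for line in log_text.splitlines():
        step = STEP.search(line)
        if step:
            last_step = (int(step.group(1)), int(step.group(2)), step.group(3))
            continue
        fail = CERT_FAIL.search(line)
        if not fail:
            continue
        req_id, state, server, code, detail = fail.groups()
        attr = SCHEMA_REJECT.search(detail)
        failures.append({
            "request": req_id, "state": state, "server": server,
            "code": int(code), "detail": detail,
            # The server returned an error code and message, so it was
            # reached: the request was rejected over an attribute.
            "rejected_attribute": attr.group(1) if attr else None,
        })
    return {"last_step": last_step, "failures": failures}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("step in progress:", report["last_step"])
    for f in report["failures"]:
        print(f["request"], f["state"], f["code"], f["rejected_attribute"])
```
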