Hello Community!
I am trying to add a new Fedora 34 server as secondary master. The idm01 is
still Fedora 33 but versions are the same as I can see.
The issue I am hitting is by installing the replication (Client works fine).
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json
failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information
Log files:
2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf'
doesn't exist
2021-09-08T11:33:07Z DEBUG Backing up system configuration file
'/etc/httpd/conf.d/ipa-rewrite.conf'
2021-09-08T11:33:07Z DEBUG -> Not backing up -
'/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
2021-09-08T11:33:07Z DEBUG step duration: httpd __configure_http 0.26 sec
2021-09-08T11:33:07Z DEBUG [10/21]: setting up httpd keytab
2021-09-08T11:33:07Z DEBUG raw:
service_add('HTTP/idm02.example....@example.com', force=True, version='2.242')
2021-09-08T11:33:07Z DEBUG
service_add(ipapython.kerberos.Principal('HTTP/idm02.example....@example.com'),
force=True, skip_host_check=False, all=False, raw=False, version='2.242',
no_members=False)
2021-09-08T11:33:07Z DEBUG flushing ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket
from SchemaCache
2021-09-08T11:33:07Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket
conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fb640f00160>
2021-09-08T11:33:08Z DEBUG raw: host_show('idm02.example.com', version='2.242')
2021-09-08T11:33:08Z DEBUG host_show('idm02.example.com', rights=False,
all=False, raw=False, version='2.242', no_members=False)
2021-09-08T11:33:08Z DEBUG Backing up system configuration file
'/var/lib/ipa/gssproxy/http.keytab'
2021-09-08T11:33:08Z DEBUG -> Not backing up -
'/var/lib/ipa/gssproxy/http.keytab' doesn't exist
2021-09-08T11:33:08Z DEBUG Starting external process
2021-09-08T11:33:08Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k',
'/var/lib/ipa/gssproxy/http.keytab', '-p',
'HTTP/idm02.example....@example.com', '-H',
'ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket', '-Y', 'EXTERNAL']
2021-09-08T11:33:08Z DEBUG Process finished, return code=0
2021-09-08T11:33:08Z DEBUG stdout=
2021-09-08T11:33:08Z DEBUG stderr=Keytab successfully retrieved and stored in:
/var/lib/ipa/gssproxy/http.keytab
2021-09-08T11:33:08Z DEBUG Waiting up to 300 seconds for replication
(ldap://idm01.example.com:389)
krbprincipalname=HTTP/idm02.example....@example.com,cn=services,cn=accounts,dc=talheim-it,dc=at
(objectclass=*)
2021-09-08T11:33:09Z DEBUG Entry found
[LDAPEntry(ipapython.dn.DN('krbprincipalname=HTTP/idm02.example....@example.com,cn=services,cn=accounts,dc=talheim-it,dc=at'),
{'krbLastPwdChange': [b'20210908113308Z'], 'krbCanonicalName':
[b'HTTP/idm02.example....@example.com'], 'objectClass': [b'krbprincipal',
b'krbprincipalaux', b'krbticketpolicyaux', b'ipaobject', b'ipaservice',
b'pkiuser', b'ipakrbprincipal', b'top'], 'managedBy':
[b'fqdn=idm02.example.com,cn=computers,cn=accounts,dc=talheim-it,dc=at'],
'ipaKrbPrincipalAlias': [b'HTTP/idm02.example....@example.com'],
'krbPrincipalName': [b'HTTP/idm02.example....@example.com'], 'ipaUniqueID':
[b'8a3a99ec-1098-11ec-b7a5-860000d9fd13']})]
2021-09-08T11:33:09Z DEBUG step duration: httpd request_service_keytab 1.56 sec
2021-09-08T11:33:09Z DEBUG [11/21]: configuring Gssproxy
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/sbin/restorecon',
'/etc/gssproxy/10-ipa.conf']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'restart',
'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'is-active',
'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=active
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Restart of gssproxy.service complete
2021-09-08T11:33:09Z DEBUG step duration: httpd configure_gssproxy 0.09 sec
2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
2021-09-08T11:33:09Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'GENERATING_CSR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'SUBMITTING'
2021-09-08T11:33:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG Giving up on cert request 20210908113310
2021-09-08T11:33:11Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 398, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line
414, in request_and_wait_for_cert
raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 402, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line
414, in request_and_wait_for_cert
raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG [error] RuntimeError: Certificate issuance failed
(CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry:
4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG File
"/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 342,
in run
return cfgr.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360,
in run
return self.execute()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386,
in execute
for rval in self._executor():
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in
<lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655,
in _configure
next(executor)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518,
in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515,
in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in
<lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line
65, in _install
for unused in self._installer(self.parent):
File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line
608, in main
replica_install(self)
File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 401, in decorated
func(installer)
File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 1301, in install
install_http(
File
"/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py",
line 163, in install_http
http.create_instance(
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 151, in create_instance
self.start_creation()
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py",
line 402, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line
414, in request_and_wait_for_cert
raise RuntimeError(
2021-09-08T11:33:11Z DEBUG The ipa-replica-install command failed, exception:
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR Certificate issuance failed (CA_UNREACHABLE: Server at
https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute
"entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
Made on a completely fresh deployed VM.
Yours,
Mathias
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure