This errors happens when I run CI tests locally in vagrant. It happens often but not always.
I added extra debug print to code
<here dogtag should be ready, we tested return state via http> [ipa.ipatests.test_integration.host.Host.master.ParamikoTransport] RUN ['ipa-replica-prepare', '-p', 'Secret123', '--ip-address', '192.168.124.102', 'replica1.ipa.test'] [ipa.ipatests.test_integration.host.Host.master.cmd22] RUN ['ipa-replica-prepare', '-p', 'Secret123', '--ip-address', '192.168.124.102', 'replica1.ipa.test'] [ipa.ipatests.test_integration.host.Host.master.cmd22] Preparing replica for replica1.ipa.test from master.ipa.test [ipa.ipatests.test_integration.host.Host.master.cmd22] Creating SSL certificate for the Directory Server <following line contains error message from dogtag> [ipa.ipatests.test_integration.host.Host.master.cmd22] (200, u'OK', {'date': 'Tue, 06 Oct 2015 13:51:12 GMT', 'content-length': '148', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}, '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Profile caIPAserviceCert Not Found</Error></XMLResponse>') [ipa.ipatests.test_integration.host.Host.master.cmd22] Certificate issuance failed [ipa.ipatests.test_integration.host.Host.master.cmd22] Exit code: 1 ERROR
Dogtag returned error "Profile caIPAserviceCert Not Found"
When I ran replica install manually, it works. Also certprofile can be shown.
[root@master pki]# pki cert-request-profile-show caIPAserviceCert -------------------------------------------------- Enrollment Template for Profile "caIPAserviceCert" -------------------------------------------------- Profile ID: caIPAserviceCert Renewal: false Name: Certificate Request Input Class: certReqInputImpl Attribute Name: cert_request_type Attribute Description: Certificate Request Type Attribute Syntax: cert_request_type Attribute Name: cert_request Attribute Description: Certificate Request Attribute Syntax: cert_request Name: Requestor Information Class: submitterInfoInputImpl Attribute Name: requestor_name Attribute Description: Requestor Name Attribute Syntax: string Attribute Name: requestor_email Attribute Description: Requestor Email Attribute Syntax: string Attribute Name: requestor_phone Attribute Description: Requestor Phone Attribute Syntax: string
I tried to wait 20sec before replica prepare is executed, but it does not help.
Reproducible on both pki-ca-10.2.6, pki-ca-10.2.7 I did not test older versions
This bug occasionally appears when running {{{ipa-replica-prepare}}} manually. A workaround is to run the command in verbose mode, it seems that in this case the execution slows down enough for Dogtag to catch up and successfuly complete the request.
assigning to Fraser, the information above suggests an issue/inconsistency in Dogtag
mbasti: could you provide full /var/log/pki/pki-tomcat/ca/debug log for an occurance of this issue?
CA debug log caissuancefailed.ca.log
Attached debug log contains several installation/unisntallation until I was able to reproduce issue.
Test has been stopped after ipa-replica-prepare fail, so the end of log should not be messed with anything else.
Thanks Martin.
Log confirms my theory that loading of profiles is still going on (in another thread) and caIPAserviceCert not yet loaded when the certificate issuance is attempted.
PKI ticket is https://fedorahosted.org/pki/ticket/1702 and patch is already on list.
Thank you Fraser!
Has now been fixed in Dogtag:
https://fedorahosted.org/pki/ticket/1702#comment:10
Fix will be in Dogtag 10.3 and 10.2.7. Update freeipa spec accordingly on release.
Dogtag dependency has been bumped to 10.3.2; can CI-mongers confirm that the issue no longer occurs?
Resolving as fixed, because fix has been released in Dogtag and dependency has been bumped.
If this issue is still occurring, please reopen.
Metadata Update from @mbasti: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.4
Login to comment on this ticket.