Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1398600
Description of problem:
Fresh install of IPA server; when trying to make a replica of it, installation fails at the stage retrieving DS certificates from the master server.

Version-Release number of selected component (if applicable):
RHEL 7.3, IPA 4.4

    [25/44]: restarting directory server
    [26/44]: creating DS keytab
    [27/44]: retrieving DS Certificate <------------ ** HERE error happened **
    [28/44]: restarting directory server
    ipa : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@EXAMPLE.service' returned non-zero exit status 1). See the installation log for details.
    [29/44]: setting up initial replication
    [error] error: [Errno 111] Connection refused

Log:

    2016-11-25T08:04:57Z DEBUG stdout=
    2016-11-25T08:04:57Z DEBUG stderr=
    2016-11-25T08:04:57Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
    2016-11-25T08:05:02Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1) <---- error which is not reported
    2016-11-25T08:05:02Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE.socket from SchemaCache
    2016-11-25T08:05:02Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7eaf440>
    2016-11-25T08:05:03Z DEBUG duration: 5 seconds
    2016-11-25T08:05:03Z DEBUG [28/44]: restarting directory server

When certmonger fails to get the certificate, installation continues and fails on the next steps. We should stop the installation and return a proper error about what happened.

The method CertDB.request_service_cert should raise an error when certmonger returns an error state (CA_UNREACHABLE, CA_REJECTED, etc.).

BTW: step 28 can be fixed too, because without a running DS there is no way to succeed with replication, so instead of "CRITICAL and pass", it should be "CRITICAL and stop installation".

In order to reproduce the issue:
master:
Metadata Update from @mbasti: - Issue assigned to frenaud - Issue set to the milestone: FreeIPA 4.5
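
The behaviour requested in the ticket, sketched as an added example that is not FreeIPA's own code: poll the certmonger request state and raise as soon as an error state appears, so the installer stops at step 27 instead of failing later. The names `wait_for_cert`, `CertRequestError` and `replay` are hypothetical, and treating `CA_UNCONFIGURED` and `NEED_GUIDANCE` as fatal alongside the two states named in the ticket is an assumption.

```python
import time

SUCCESS_STATE = "MONITORING"  # certmonger state once the cert is issued and tracked
# CA_UNREACHABLE and CA_REJECTED are the states named in the ticket; the other
# two are further certmonger states treated here (assumption) as fatal.
FAILURE_STATES = frozenset(
    {"CA_UNREACHABLE", "CA_REJECTED", "CA_UNCONFIGURED", "NEED_GUIDANCE"})


class CertRequestError(RuntimeError):
    """Raised when the request cannot produce a certificate."""

    def __init__(self, request_id, state, history, reason):
        super().__init__("certmonger request %s %s in state %s (seen: %s)"
                         % (request_id, reason, state, " -> ".join(history)))
        self.state, self.history, self.reason = state, history, reason


def wait_for_cert(get_state, request_id, timeout=300, interval=5,
                  sleep=time.sleep):
    """Poll get_state(request_id) until success; raise on failure or timeout."""
    history = []
    deadline = time.monotonic() + timeout
    while True:
        state = str(get_state(request_id))  # dbus.String -> plain str
        if not history or history[-1] != state:
            history.append(state)  # record each state transition once
        if state == SUCCESS_STATE:
            return history
        if state in FAILURE_STATES:
            raise CertRequestError(request_id, state, history, "failed")
        if time.monotonic() >= deadline:
            raise CertRequestError(request_id, state, history, "timed out")
        sleep(interval)


def replay(states):
    """Constructed stand-in for certmonger: yields states, repeating the last."""
    it, last = iter(states), [None]
    def get_state(_request_id):
        last[0] = next(it, last[0])
        return last[0]
    return get_state


if __name__ == "__main__":
    # State sequence taken from the installation log in the ticket.
    logged = ["NEWLY_ADDED_READING_KEYINFO", "CA_UNREACHABLE"]
    try:
        wait_for_cert(replay(logged), "constructed-request-id", sleep=lambda s: None)
    except CertRequestError as exc:
        print("stop installation:", exc)
```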