#6514 replica install: request_service_cert doesn't raise error when certificate issuance failed
Closed: Fixed None Opened 7 years ago by mbasti.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1398600

Description of problem:

Fresh install of IPA server; when trying to make a replica of it, installation
fails at the stage retrieving DS certificates from the master server


Version-Release number of selected component (if applicable):
RHEL 7.3, IPA 4.4


  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate  <------------ ** HERE error happened **
  [28/44]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@EXAMPLE.service' returned non-zero exit status 1). See the installation log for details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused


Log:
2016-11-25T08:04:57Z DEBUG stdout=
2016-11-25T08:04:57Z DEBUG stderr=
2016-11-25T08:04:57Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
2016-11-25T08:05:02Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1) <---- error which is not reported

2016-11-25T08:05:02Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE.socket from SchemaCache
2016-11-25T08:05:02Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7eaf440>
2016-11-25T08:05:03Z DEBUG   duration: 5 seconds
2016-11-25T08:05:03Z DEBUG   [28/44]: restarting directory server

When certmonger fails to get a certificate, installation continues and fails on the next steps. We should stop installation and return a proper error describing what happened.

Method CertDB.request_service_cert should raise an error when certmonger returns an error state (CA_UNREACHABLE, CA_REJECTED, etc.)


BTW: step 28 can be fixed too, because without a running DS there is no way to succeed with replication, so instead of "CRITICAL and pass", it should be "CRITICAL and stop installation".

In order to reproduce the issue:

  • install ipa server (domain-level 1)
  • on the replica, run ipa-client-install
  • stop dogtag on the server with systemctl stop pki-tomcatd@pki-tomcat.service
  • on the replica, run ipa-replica-install

master:

  • dbb9876 Check the result of cert request in replica installer

Metadata Update from @mbasti:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.5

7 years ago
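
One way to write the check this ticket asks for, as an added example (it is not FreeIPA's code and not the content of the referenced commit): poll the certmonger request state and raise as soon as an error state appears, so the installer stops at the certificate step. `wait_for_cert`, `CertRequestError` and `replay` are hypothetical names, `MONITORING` as the success state is an assumption, and the state sequence is constructed from the two states in the log above.

```python
import itertools
import time

# Error states named in the ticket; the report's "etc." means certmonger has more.
FAILURE_STATES = frozenset({"CA_UNREACHABLE", "CA_REJECTED"})
# Assumption: MONITORING is the state certmonger reports once the cert is issued.
SUCCESS_STATES = frozenset({"MONITORING"})


class CertRequestError(RuntimeError):
    """Raised when a tracked request ends in an error state or never settles."""

    def __init__(self, request_id, state):
        super().__init__("certmonger request %s failed: %s" % (request_id, state))
        self.request_id = request_id
        self.state = state


def wait_for_cert(get_state, request_id, timeout=300, interval=5,
                  sleep=time.sleep, clock=time.monotonic):
    """Poll get_state(request_id) until success; raise on error state or timeout."""
    deadline = clock() + timeout
    while True:
        state = str(get_state(request_id))  # normalise dbus.String to a plain string
        if state in SUCCESS_STATES:
            return state
        if state in FAILURE_STATES:
            raise CertRequestError(request_id, state)
        if clock() >= deadline:
            raise CertRequestError(request_id, "TIMEOUT, last state " + state)
        sleep(interval)


def replay(states):
    """Constructed stand-in for the D-Bus query: yields states, repeating the last."""
    it = itertools.chain(states, itertools.repeat(states[-1]))
    return lambda request_id: next(it)


if __name__ == "__main__":
    # Constructed sequence matching the two states seen in the ticket's log.
    logged = ["NEWLY_ADDED_READING_KEYINFO", "CA_UNREACHABLE"]
    try:
        wait_for_cert(replay(logged), "REQUEST_ID", sleep=lambda s: None)
    except CertRequestError as err:
        # Abort here instead of going on to restart the directory server.
        raise SystemExit("retrieving DS Certificate: %s" % err)
```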
