#6575 ipa-replica-install fails on requesting DS cert when master is not configured with IPv6
Closed: Fixed None Opened 7 years ago by pvoborni.

This is expected behavior but hard to debug.

The issue happens if IPv6 is disabled and the master is missing the following line:

/etc/hosts
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

If that happens, PKI doesn't listen on port 8009 and thus requests from certmonger fail with CA_UNREACHABLE.

Question: how to mitigate/detect/fix this issue?


The usual symptom of this bug is the following failure:

[root@ipa ~]# ipa-replica-install --mkhomedir --no-ssh --no-sshd --no-ntp
Run connection check to master
Connection check OK
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@EXAMPLE.service' returned non-zero exit status 1). See the installation log for details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

The root cause is an unreported failure in step "[27/44]: retrieving DS Certificate".

Reporting of the failure was fixed in bug #6514

master:

  • eaa87c7 Do not configure PKI ajp redirection to use "::1"

Leaving open until the ipa-4-4 commit is pushed.

ipa-4-4:

  • 4a30e9d Do not configure PKI ajp redirection to use "::1"

Workaround:

  • enabling IPv6 on all the nodes, or
  • adding the line to /etc/hosts:

    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

or even by replacing, in server.xml,

<Connector port="8009"
            protocol="AJP/1.3"
            redirectPort="8443"
            address="::1" />

by

<Connector port="8009"
            protocol="AJP/1.3"
            redirectPort="8443"
            address="localhost" />
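A pre-flight check for this condition on a master, as an added example that is not FreeIPA's or this ticket's own code: it reads the AJP connector address from server.xml, the ::1 mapping from /etc/hosts and the IPv6 sysctl flag, and flags the combination that makes PKI skip port 8009. The server.xml path /etc/pki/pki-tomcat/server.xml and the sysctl file /proc/sys/net/ipv6/conf/all/disable_ipv6 are assumptions and can be overridden by arguments.

```shell
#!/bin/sh
# Added pre-flight check for the #6575 condition; not FreeIPA's or the ticket's code.
# Assumed paths (override via arguments): /etc/pki/pki-tomcat/server.xml and
# /proc/sys/net/ipv6/conf/all/disable_ipv6.

# Print the address attribute of the AJP connector (port 8009) in server.xml.
ajp_address() {
    # Flatten the file so a multi-line <Connector ... /> element parses as one unit.
    tr '\n' ' ' < "$1" \
      | grep -o '<Connector[^>]*port="8009"[^>]*>' \
      | sed -n 's/.*address="\([^"]*\)".*/\1/p' \
      | head -n 1
}

# Succeed when the hosts file maps ::1 to the bare name "localhost".
hosts_has_ipv6_localhost() {
    grep -Eq '^[[:space:]]*::1[[:space:]]+(.*[[:space:]])?localhost([[:space:]]|$)' "$1"
}

# Succeed when IPv6 is disabled (sysctl flag set, or no IPv6 stack at all).
ipv6_disabled() {
    [ ! -r "$1" ] || [ "$(cat "$1")" = "1" ]
}

# Verdict on stdout; exit 0 when safe, 1 when a replica install would hit CA_UNREACHABLE.
check_ajp_binding() {
    hosts="${1:-/etc/hosts}"
    xml="${2:-/etc/pki/pki-tomcat/server.xml}"
    v6flag="${3:-/proc/sys/net/ipv6/conf/all/disable_ipv6}"
    addr=$(ajp_address "$xml")
    if [ "$addr" != "::1" ]; then
        echo "ok: AJP connector bound to '${addr:-default}', not ::1"
        return 0
    fi
    if ipv6_disabled "$v6flag" || ! hosts_has_ipv6_localhost "$hosts"; then
        echo "at risk: AJP connector bound to ::1 but IPv6 is disabled or ::1 is not" \
             "mapped to localhost in $hosts; PKI will not listen on 8009"
        return 1
    fi
    echo "ok: AJP connector bound to ::1 and ::1 resolves to localhost"
    return 0
}

# Usage on a master before ipa-replica-install (hypothetical file name):
#   . ./check_ajp_binding.sh && check_ajp_binding
```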

Metadata Update from @pvoborni:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.4.4

7 years ago

