During a review of PR https://github.com/freeipa/freeipa/pull/355 that fixes #6226 (which has to be fixed before it's possible to encounter this bug) I encountered the following issue.
After installing CA-less master and CA-less replica, install a CA on one of the servers. The installation should succeed. Afterwards, attempt to install CA on the other server. The installation will end with an error message "CA did not start in 300 seconds." Please note that it does not matter whether you first install the CA on master or replica - the first installation always succeeds, while the second one fails.
The relevant logs show that pki-tomcat fails to connect to LDAPS on port 636, which is actually running and listening for connections. There is probably an issue with the propagation of the CA certificate to other servers during ipa-ca-install, because running ipa-certupdate seems to fix the problem.
/var/log/pki/pki-tomcat/ca/debug:
[21/Dec/2016:12:43:46][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host vm-058-045.example.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)

/var/log/dirsrv/slapd-DOM-058-045-EXAMPLE-COM/access:
[21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from 10.34.58.45 to 10.34.58.45
[21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
[21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
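The two log excerpts above carry a recognisable signature: the directory server accepts the TLS session and sees an anonymous SASL/EXTERNAL bind (client-certificate authentication), while pki-tomcat reports the bind rejected with LDAP result 48 (inappropriateAuthentication). The following is an added example, not code from the FreeIPA project or from this ticket, that scans both logs for that signature and returns a verdict; the sample log lines are constructed from the excerpts quoted in the ticket, and the verdict names and regexes are this example's own. Mapping the verdict to "run ipa-certupdate first" is the ticket's observed workaround, not a confirmed root cause.

```python
"""
Added example (not FreeIPA project code): classify pki-tomcat's CA debug log
and the 389-ds access log against the failure signature described in the
ticket. Sample inputs are constructed from the ticket's own excerpts.
"""
import re

# pki-tomcat CA debug log: the bind to the local LDAPS port fails.
# LDAP result code 48 is inappropriateAuthentication.
PKI_BIND_FAIL_RE = re.compile(
    r"Could not connect to LDAP server host (?P<host>\S+) port (?P<port>\d+)"
    r".*?LDAPException: Authentication failed \((?P<code>\d+)\)"
)

# 389-ds access log: a connection accepted over SSL, and an anonymous
# SASL/EXTERNAL bind (client-certificate authentication) on a connection.
DS_SSL_CONN_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ slot=\d+ SSL connection from")
DS_EXTERNAL_BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=\d+ BIND dn="" method=sasl version=3 mech=EXTERNAL'
)

# Constructed sample input, taken from the excerpts quoted in the ticket.
SAMPLE_PKI_DEBUG = [
    "[21/Dec/2016:12:43:46][localhost-startStop-1]: SSL handshake happened",
    "Could not connect to LDAP server host vm-058-045.example.com port 636 "
    "Error netscape.ldap.LDAPException: Authentication failed (48)",
]
SAMPLE_DS_ACCESS = [
    "[21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 "
    "SSL connection from 10.34.58.45 to 10.34.58.45",
    "[21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES",
    '[21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" '
    "method=sasl version=3 mech=EXTERNAL",
]


def find_pki_bind_failure(debug_lines):
    """Return (host, port, ldap_result_code) for the first failed LDAP bind, or None."""
    for line in debug_lines:
        m = PKI_BIND_FAIL_RE.search(line)
        if m:
            return m.group("host"), int(m.group("port")), int(m.group("code"))
    return None


def external_binds_over_tls(access_lines):
    """Connection ids that were accepted over SSL and then attempted a SASL/EXTERNAL bind."""
    ssl_conns, external_conns = set(), set()
    for line in access_lines:
        m = DS_SSL_CONN_RE.search(line)
        if m:
            ssl_conns.add(m.group("conn"))
        m = DS_EXTERNAL_BIND_RE.search(line)
        if m:
            external_conns.add(m.group("conn"))
    return ssl_conns & external_conns


def diagnose(debug_lines, access_lines):
    """Classify the logs; 'external-bind-over-tls-rejected' is the ticket's signature."""
    failure = find_pki_bind_failure(debug_lines)
    if failure is None:
        return "no-ldap-bind-failure"
    _host, _port, code = failure
    if code != 48:
        return "ldap-bind-failed-code-%d" % code
    if external_binds_over_tls(access_lines):
        # TLS session established, EXTERNAL bind attempted, result 48: the
        # symptom in the ticket, worked around by ipa-certupdate before ipa-ca-install.
        return "external-bind-over-tls-rejected"
    return "ldap-bind-failed-no-external-bind-seen"


if __name__ == "__main__":
    print(diagnose(SAMPLE_PKI_DEBUG, SAMPLE_DS_ACCESS))
```

A connection that completes the TLS handshake but is refused at the EXTERNAL bind points at the certificate presented by pki-tomcat (or its issuer) rather than at the LDAPS listener itself, which is why the check looks for both halves of the signature before reporting a match.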
Metadata Update from @tkrizek: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @mbasti: - Issue close_status updated to: None - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)
FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)
ipa-certupdate is a necessary step. I guess it would make sense to perform it as the first step of the ipa-ca-install on the other replicas.
ipa-certupdate
ipa-ca-install
Metadata Update from @ftweedal: - Issue assigned to ftweedal (was: jcholast)
Metadata Update from @pvoborni: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1232
master:
ipa-4-6:
Currently, there is no expectation for another 4.5 release. This issue is fixed in 4.6, 4.7, and master, thus closing.
Metadata Update from @abbra: - Issue set to the milestone: FreeIPA 4.6 (was: FreeIPA 4.5.5) - Issue status updated to: Closed (was: Open)