When installing a DL1 replica, the certmonger request for the DS certificate fails with a CA_UNREACHABLE error, crashing the whole installation:
[23/45]: configure new location for managed entries
[24/45]: configure dirsrv ccache
[25/45]: enabling SASL mapping fallback
[26/45]: restarting directory server
[27/45]: creating DS keytab
[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Investigation of the Apache error logs on the master reveals the root cause to be an error during construction of the Kerberos principal for the request, which causes an internal error:
[Sat Feb 04 00:24:18.298278 2017] [wsgi:error] [pid 22855] Traceback (most recent call last):
[Sat Feb 04 00:24:18.298282 2017] [wsgi:error] [pid 22855] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
[Sat Feb 04 00:24:18.298286 2017] [wsgi:error] [pid 22855] result = command(*args, **options)
[Sat Feb 04 00:24:18.298289 2017] [wsgi:error] [pid 22855] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Sat Feb 04 00:24:18.298292 2017] [wsgi:error] [pid 22855] return self.__do_call(*args, **options)
[Sat Feb 04 00:24:18.298295 2017] [wsgi:error] [pid 22855] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Sat Feb 04 00:24:18.298298 2017] [wsgi:error] [pid 22855] ret = self.run(*args, **options)
[Sat Feb 04 00:24:18.298301 2017] [wsgi:error] [pid 22855] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Sat Feb 04 00:24:18.298304 2017] [wsgi:error] [pid 22855] return self.execute(*args, **options)
[Sat Feb 04 00:24:18.298307 2017] [wsgi:error] [pid 22855] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 775, in execute
[Sat Feb 04 00:24:18.298310 2017] [wsgi:error] [pid 22855] gn.name, principal_obj):
[Sat Feb 04 00:24:18.298313 2017] [wsgi:error] [pid 22855] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 887, in _principal_name_matches_principal
[Sat Feb 04 00:24:18.298316 2017] [wsgi:error] [pid 22855] principal = kerberos.Principal(name)
[Sat Feb 04 00:24:18.298319 2017] [wsgi:error] [pid 22855] File "/usr/lib/python2.7/site-packages/ipapython/kerberos.py", line 72, in __init__
[Sat Feb 04 00:24:18.298323 2017] [wsgi:error] [pid 22855] components)
[Sat Feb 04 00:24:18.298326 2017] [wsgi:error] [pid 22855] TypeError: Cannot create a principal object from bytes: 'ldap/replica.ipa.test@IPA.TEST'
This may be a regression caused by the current Py3 porting effort, so it would make sense to investigate ASAP.
Regression only in master branch
master:
Metadata Update from @mbabinsk: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.5
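For triaging errors like the one in this ticket on a busy master, where records from several Apache workers interleave, the following added example (not part of the ticket and not FreeIPA code) regroups mod_wsgi error-log records by pid and reports the exception with its innermost frame. The sample timestamps are shortened and the pid 22856 record is constructed.

```python
import re

# One mod_wsgi record: [timestamp] [wsgi:error] [pid N] message
RECORD = re.compile(r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
FRAME = re.compile(r'^\s*File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
EXC = re.compile(r"^(?P<type>[A-Za-z_][\w.]*(?:Error|Exception)): (?P<detail>.*)$")

def extract_tracebacks(lines):
    """Reassemble tracebacks per worker pid; return the completed ones."""
    open_tb, done = {}, []
    for raw in lines:
        m = RECORD.match(raw.rstrip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("Traceback (most recent call last):"):
            open_tb[pid] = {"pid": pid, "start": m["ts"], "frames": []}
        elif pid in open_tb:
            frame, exc = FRAME.match(msg), EXC.match(msg)
            if frame:
                open_tb[pid]["frames"].append(
                    (frame["path"], int(frame["line"]), frame["func"]))
            elif exc:  # unindented "Type: detail" line closes the traceback
                tb = open_tb.pop(pid)
                tb["exception"], tb["detail"] = exc["type"], exc["detail"]
                done.append(tb)
    return done

def summarize(tb):
    """One-line triage summary: exception type and innermost frame."""
    path, line, func = tb["frames"][-1]
    return f'pid {tb["pid"]}: {tb["exception"]} at {path}:{line} in {func}'

# Constructed sample: messages for pid 22855 come from the log above (with a
# shortened timestamp); the pid 22856 record is invented to show interleaving.
P = "[Sat Feb 04 00:24:18.2983 2017] [wsgi:error] [pid 22855] "
SAMPLE = [
    P + "Traceback (most recent call last):",
    P + '  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 887, in _principal_name_matches_principal',
    "[Sat Feb 04 00:24:18.2983 2017] [wsgi:error] [pid 22856] ipa: INFO: constructed unrelated record",
    P + "    principal = kerberos.Principal(name)",
    P + '  File "/usr/lib/python2.7/site-packages/ipapython/kerberos.py", line 72, in __init__',
    P + "    components)",
    P + "TypeError: Cannot create a principal object from bytes: 'ldap/replica.ipa.test@IPA.TEST'",
]

if __name__ == "__main__":
    for tb in extract_tracebacks(SAMPLE):
        print(summarize(tb))
```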