[Freeipa-users] ipa-ca-install fails

Thu, 23 Jul 2020 06:16:34 -0700 

Hi,

I have successfully created a replica from a 4.2.4 master (ipa01) into a
new 4.6.6 master (ipa02).

I did it without --setup-ca option (because it had failed), so the only CA
is still on the 4.2.4 server (ipa01).

When I try to setup theCA on ipa02 (the same replica file was used with
ipa-replica-install), this fails:

$ ipa-ca-install replica-info-ipa02.hq.spinque.com.gpg
Directory Manager (existing master) password:

Run connection check to master

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck
parameter.

The log of conncheck (generated by ipa-ca-install) is in attachment. In
there, I can see a couple of things going wrong:

ProtocolError: <ProtocolError for ipa01.hq.spinque.com/ipa/session/json:
500 Internal Server Error>
...
2020-07-23T12:20:50Z ERROR ERROR: Remote master check failed with following
error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"

Not sure if relevant, but also ipa-replica-install, though it completed
successfully, gave this error:

Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
ipaserver.install.ldapupdate: ERROR    Add failure attribute "cn" not
allowed
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server


Could you please help me find the issue?

2020-07-23T12:20:49Z DEBUG /usr/sbin/ipa-replica-conncheck was invoked with options: {'realm': 'HQ.SPINQUE.COM', 'log_to_file': True, 'hostname': 'ipa02.hq.spinque.com', 'quiet': False, 'kdc': None, 'replica': None, 'master': 'ipa01.hq.spinque.com', 'auto_master_check': True, 'debug': False, 'ca_cert_file': '/tmp/tmpmawFlLipa/realm_info/ca.crt', 'check_ca': False, 'principal': None}
2020-07-23T12:20:49Z DEBUG missing options might be asked for interactively later

2020-07-23T12:20:49Z DEBUG IPA version 4.6.6-11.el7.centos
2020-07-23T12:20:49Z INFO Check connection from replica to remote master 'ipa01.hq.spinque.com':
2020-07-23T12:20:49Z INFO    Directory Service: Unsecure port (389): OK
2020-07-23T12:20:49Z INFO    Directory Service: Secure port (636): OK
2020-07-23T12:20:49Z INFO    Kerberos KDC: TCP (88): OK
2020-07-23T12:20:49Z INFO    Kerberos Kpasswd: TCP (464): OK
2020-07-23T12:20:49Z INFO    HTTP Server: Unsecure port (80): OK
2020-07-23T12:20:49Z INFO    HTTP Server: Secure port (443): OK
2020-07-23T12:20:49Z INFO 
The following list of ports use UDP protocoland would need to be
checked manually:
2020-07-23T12:20:49Z INFO    Kerberos KDC: UDP (88): SKIPPED
2020-07-23T12:20:49Z INFO    Kerberos Kpasswd: UDP (464): SKIPPED
2020-07-23T12:20:49Z INFO 
Connection from replica to master is OK.
2020-07-23T12:20:49Z INFO Start listening on required ports for remote master check
2020-07-23T12:20:49Z DEBUG Starting listening thread.
2020-07-23T12:20:49Z DEBUG Original thread stopped
2020-07-23T12:20:49Z WARNING 389 tcp: Failed to bind
2020-07-23T12:20:49Z DEBUG Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-conncheck", line 341, in _bind_to_port
    sock.bind((host, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 98] Address already in use

2020-07-23T12:20:49Z WARNING 636 tcp: Failed to bind
2020-07-23T12:20:49Z DEBUG Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-conncheck", line 341, in _bind_to_port
    sock.bind((host, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 98] Address already in use

2020-07-23T12:20:49Z WARNING 88 tcp: Failed to bind
2020-07-23T12:20:49Z DEBUG Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-conncheck", line 341, in _bind_to_port
    sock.bind((host, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 98] Address already in use

2020-07-23T12:20:49Z WARNING 88 udp: Failed to bind
2020-07-23T12:20:49Z DEBUG Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-conncheck", line 341, in _bind_to_port
    sock.bind((host, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 98] Address already in use

2020-07-23T12:20:49Z WARNING 464 tcp: Failed to bind
2020-07-23T12:20:49Z DEBUG Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-conncheck", line 341, in _bind_to_port
    sock.bind((host, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 98] Address already in use

2020-07-23T12:20:49Z WARNING 464 udp: Failed to bind
2020-07-23T12:20:49Z DEBUG Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-conncheck", line 341, in _bind_to_port
    sock.bind((host, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 98] Address already in use

2020-07-23T12:20:49Z WARNING 80 tcp: Failed to bind
2020-07-23T12:20:49Z DEBUG Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-conncheck", line 341, in _bind_to_port
    sock.bind((host, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 98] Address already in use

2020-07-23T12:20:49Z WARNING 443 tcp: Failed to bind
2020-07-23T12:20:49Z DEBUG Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-conncheck", line 341, in _bind_to_port
    sock.bind((host, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 98] Address already in use

2020-07-23T12:20:49Z DEBUG Ports opened, notify original thread
2020-07-23T12:20:49Z DEBUG Original thread resumed
2020-07-23T12:20:49Z INFO Get credentials to log in to remote master
2020-07-23T12:20:49Z DEBUG KRB5CCNAME set to None
2020-07-23T12:20:49Z INFO Check RPC connection to remote master
2020-07-23T12:20:49Z DEBUG Starting external process
2020-07-23T12:20:49Z DEBUG args=/usr/bin/certutil -d dbm:/tmp/tmpEZoMbT -N -f /tmp/tmpEZoMbT/pwdfile.txt -f /tmp/tmpEZoMbT/pwdfile.txt
2020-07-23T12:20:49Z DEBUG Process finished, return code=0
2020-07-23T12:20:49Z DEBUG stdout=
2020-07-23T12:20:49Z DEBUG stderr=
2020-07-23T12:20:49Z DEBUG Starting external process
2020-07-23T12:20:49Z DEBUG args=/usr/bin/certutil -d dbm:/tmp/tmpEZoMbT -A -n CN=Certificate Authority,O=HQ.SPINQUE.COM -t C,, -a -f /tmp/tmpEZoMbT/pwdfile.txt
2020-07-23T12:20:49Z DEBUG Process finished, return code=0
2020-07-23T12:20:49Z DEBUG stdout=
2020-07-23T12:20:49Z DEBUG stderr=
2020-07-23T12:20:49Z DEBUG importing all plugin modules in ipaclient.remote_plugins.2_156...
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.aci
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.automember
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.automount
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.batch
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.caacl
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.cert
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.certprofile
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.config
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.delegation
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.dns
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.domainlevel
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.group
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.hbacrule
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.hbacsvc
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.hbacsvcgroup
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.hbactest
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.host
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.hostgroup
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.idrange
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.idviews
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.internal
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.join
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.krbtpolicy
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.migration
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.misc
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.netgroup
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.otpconfig
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.otptoken
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.otptoken_yubikey
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.passwd
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.permission
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.ping
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.pkinit
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.privilege
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.pwpolicy
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.radiusproxy
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.realmdomains
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.role
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.selfservice
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.selinuxusermap
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.server
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.service
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.servicedelegation
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.session
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.stageuser
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.sudocmd
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.sudocmdgroup
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.sudorule
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.topology
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.trust
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.user
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.remote_plugins.2_156.vault
2020-07-23T12:20:49Z DEBUG importing all plugin modules in ipaclient.plugins...
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.automember
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.automount
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.ca
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.cert
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.certmap
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.certprofile
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.csrgen
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.dns
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.hbacrule
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.hbactest
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.host
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.idrange
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.internal
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.location
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.migration
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.misc
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.otptoken
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.otptoken_yubikey
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.passwd
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.permission
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.rpcclient
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.server
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.service
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.sudorule
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.topology
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.trust
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.user
2020-07-23T12:20:49Z DEBUG importing plugin module ipaclient.plugins.vault
2020-07-23T12:20:50Z DEBUG found session_cookie in persistent storage for principal '[email protected]', cookie: 'ipa_session=MagBearerToken=udHv8aR5hvqhfbz%2bI1FtewXIUUmKwmQbBdZGNB89CHK15OwLbCN3W0Kqvow5AhzgvUiEVoe%2bF3q5QnO1WdVYGkrtjOAq3VjvRlz%2f8cLSP0vja6HZPoB0m5N0cUCxapx0KJAWF%2flfMyxyERmQ3Vk54hI32OJdsqhJC5YotYxuu2RImIXY%2fScL0htW7rJ4vkhwCZcoTzxupVZGfmasJsmLFA%3d%3d'
2020-07-23T12:20:50Z DEBUG setting session_cookie into context 'ipa_session=MagBearerToken=udHv8aR5hvqhfbz%2bI1FtewXIUUmKwmQbBdZGNB89CHK15OwLbCN3W0Kqvow5AhzgvUiEVoe%2bF3q5QnO1WdVYGkrtjOAq3VjvRlz%2f8cLSP0vja6HZPoB0m5N0cUCxapx0KJAWF%2flfMyxyERmQ3Vk54hI32OJdsqhJC5YotYxuu2RImIXY%2fScL0htW7rJ4vkhwCZcoTzxupVZGfmasJsmLFA%3d%3d;'
2020-07-23T12:20:50Z INFO trying https://ipa01.hq.spinque.com/ipa/session/json
2020-07-23T12:20:50Z DEBUG New HTTP connection (ipa01.hq.spinque.com)
2020-07-23T12:20:50Z DEBUG HTTP connection destroyed (ipa01.hq.spinque.com)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 732, in single_request
    response.msg)
ProtocolError: <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
2020-07-23T12:20:50Z INFO Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
2020-07-23T12:20:50Z INFO trying https://ipa02.hq.spinque.com/ipa/session/json
2020-07-23T12:20:50Z DEBUG New HTTP connection (ipa02.hq.spinque.com)
2020-07-23T12:20:50Z DEBUG received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=udHv8aR5hvqhfbz%2bI1FtewXIUUmKwmQbBdZGNB89CHK15OwLbCN3W0Kqvow5AhzgvUiEVoe%2bF3q5QnO1WdVYGkrtjOAq3VjvRlz%2f8cLSP0vja6HZPoB0m5N0cUCxapx0KJAWF%2flfMyxyERmQ3Vk54hI32OJdsqhJC5YotYxuu2RImIXY%2fScL0htW7rJ4vkhwCZcoTzxupVZGfmasJsmLFA%3d%3d;path=/ipa;httponly;secure;']'
2020-07-23T12:20:50Z DEBUG storing cookie 'ipa_session=MagBearerToken=udHv8aR5hvqhfbz%2bI1FtewXIUUmKwmQbBdZGNB89CHK15OwLbCN3W0Kqvow5AhzgvUiEVoe%2bF3q5QnO1WdVYGkrtjOAq3VjvRlz%2f8cLSP0vja6HZPoB0m5N0cUCxapx0KJAWF%2flfMyxyERmQ3Vk54hI32OJdsqhJC5YotYxuu2RImIXY%2fScL0htW7rJ4vkhwCZcoTzxupVZGfmasJsmLFA%3d%3d;' for principal [email protected]
2020-07-23T12:20:50Z DEBUG Created connection context.rpcclient_139909836977872
2020-07-23T12:20:50Z DEBUG raw: ping(version=u'2.156')
2020-07-23T12:20:50Z DEBUG ping(version=u'2.156')
2020-07-23T12:20:50Z INFO [try 1]: Forwarding 'ping' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
2020-07-23T12:20:50Z DEBUG HTTP connection keep-alive (ipa02.hq.spinque.com)
2020-07-23T12:20:50Z DEBUG received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=udHv8aR5hvqhfbz%2bI1FtewXIUUmKwmQbBdZGNB89CHK15OwLbCN3W0Kqvow5AhzgvUiEVoe%2bF3q5QnO1WdVYGkrtjOAq3VjvRlz%2f8cLSP0vja6HZPoB0m5N0cUCxapx0KJAWF%2flfMyxyERmQ3Vk54hI32OJdsqhJC5YotYxuu2RImIXY%2fScL0htW7rJ4vkhwCZcoTzxupVZGfmasJsmLFA%3d%3d;path=/ipa;httponly;secure;']'
2020-07-23T12:20:50Z DEBUG storing cookie 'ipa_session=MagBearerToken=udHv8aR5hvqhfbz%2bI1FtewXIUUmKwmQbBdZGNB89CHK15OwLbCN3W0Kqvow5AhzgvUiEVoe%2bF3q5QnO1WdVYGkrtjOAq3VjvRlz%2f8cLSP0vja6HZPoB0m5N0cUCxapx0KJAWF%2flfMyxyERmQ3Vk54hI32OJdsqhJC5YotYxuu2RImIXY%2fScL0htW7rJ4vkhwCZcoTzxupVZGfmasJsmLFA%3d%3d;' for principal [email protected]
2020-07-23T12:20:50Z INFO Execute check on remote master
2020-07-23T12:20:50Z INFO [try 1]: Forwarding 'server_conncheck' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
2020-07-23T12:20:50Z DEBUG HTTP connection keep-alive (ipa02.hq.spinque.com)
2020-07-23T12:20:50Z DEBUG received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=udHv8aR5hvqhfbz%2bI1FtewXIUUmKwmQbBdZGNB89CHK15OwLbCN3W0Kqvow5AhzgvUiEVoe%2bF3q5QnO1WdVYGkrtjOAq3VjvRlz%2f8cLSP0vja6HZPoB0m5N0cUCxapx0KJAWF%2flfMyxyERmQ3Vk54hI32OJdsqhJC5YotYxuu2RImIXY%2fScL0htW7rJ4vkhwCZcoTzxupVZGfmasJsmLFA%3d%3d;path=/ipa;httponly;secure;']'
2020-07-23T12:20:50Z DEBUG storing cookie 'ipa_session=MagBearerToken=udHv8aR5hvqhfbz%2bI1FtewXIUUmKwmQbBdZGNB89CHK15OwLbCN3W0Kqvow5AhzgvUiEVoe%2bF3q5QnO1WdVYGkrtjOAq3VjvRlz%2f8cLSP0vja6HZPoB0m5N0cUCxapx0KJAWF%2flfMyxyERmQ3Vk54hI32OJdsqhJC5YotYxuu2RImIXY%2fScL0htW7rJ4vkhwCZcoTzxupVZGfmasJsmLFA%3d%3d;' for principal [email protected]
2020-07-23T12:20:50Z DEBUG Destroyed connection context.rpcclient_139909836977872
2020-07-23T12:20:50Z ERROR ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"
2020-07-23T12:20:50Z DEBUG Stopping listening thread.


2020-07-23T12:20:23Z DEBUG /usr/sbin/ipa-ca-install was invoked with options: {'external_ca_profile': None, 'subject_base': None, 'skip_schema_check': False, 'external_ca_type': None, 'unattended': False, 'no_host_dns': False, 'ca_subject': None, 'ca_signing_algorithm': None, 'debug': False, 'external_ca': False, 'skip_conncheck': False, 'external_cert_files': None},replica-info-ipa02.hq.spinque.com.gpg
2020-07-23T12:20:23Z DEBUG IPA version 4.6.6-11.el7.centos
2020-07-23T12:20:23Z DEBUG importing all plugin modules in ipaserver.plugins...
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.aci
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.automember
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.automount
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.baseldap
2020-07-23T12:20:23Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.baseuser
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.batch
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.ca
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.caacl
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.cert
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.certmap
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.certprofile
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.config
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.delegation
2020-07-23T12:20:23Z DEBUG importing plugin module ipaserver.plugins.dns
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.dnsserver
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.dogtag
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.domainlevel
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.group
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.hbac
2020-07-23T12:20:24Z DEBUG ipaserver.plugins.hbac is not a valid plugin module
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.hbacrule
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.hbacsvc
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.hbactest
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.host
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.hostgroup
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.idrange
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.idviews
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.internal
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.join
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.ldap2
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.location
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.migration
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.misc
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.netgroup
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.otp
2020-07-23T12:20:24Z DEBUG ipaserver.plugins.otp is not a valid plugin module
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.otpconfig
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.otptoken
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.passwd
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.permission
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.ping
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.pkinit
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.privilege
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.pwpolicy
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.rabase
2020-07-23T12:20:24Z DEBUG ipaserver.plugins.rabase is not a valid plugin module
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.radiusproxy
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.realmdomains
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.role
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.schema
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.selfservice
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.server
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.serverrole
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.serverroles
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.service
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.servicedelegation
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.session
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.stageuser
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.sudo
2020-07-23T12:20:24Z DEBUG ipaserver.plugins.sudo is not a valid plugin module
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.sudocmd
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.sudorule
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.topology
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.trust
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.user
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.vault
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.virtual
2020-07-23T12:20:24Z DEBUG ipaserver.plugins.virtual is not a valid plugin module
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.whoami
2020-07-23T12:20:24Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2020-07-23T12:20:25Z DEBUG Created connection context.ldap2_140449064881552
2020-07-23T12:20:25Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-HQ-SPINQUE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbcd8199170>
2020-07-23T12:20:25Z DEBUG KRB5CCNAME set to None
2020-07-23T12:20:34Z DEBUG Initializing principal host/[email protected] using keytab /etc/krb5.keytab
2020-07-23T12:20:34Z DEBUG using ccache /tmp/tmp-4R5VI4/ccache
2020-07-23T12:20:34Z DEBUG Attempt 1/1: success
2020-07-23T12:20:34Z DEBUG raw: ca_is_enabled(version=u'2.107')
2020-07-23T12:20:34Z DEBUG ca_is_enabled(version=u'2.107')
2020-07-23T12:20:34Z DEBUG retrieving schema for SchemaCache url=ldap://ipa02.hq.spinque.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbcd7073908>
2020-07-23T12:20:34Z DEBUG raw: ca_find(None, version=u'2.231')
2020-07-23T12:20:34Z DEBUG ca_find(None, all=False, raw=False, version=u'2.231', pkey_only=False)
2020-07-23T12:20:34Z DEBUG raw: ca_is_enabled(version=u'2.231')
2020-07-23T12:20:34Z DEBUG ca_is_enabled(version=u'2.231')
2020-07-23T12:20:34Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-07-23T12:20:34Z DEBUG Starting external process
2020-07-23T12:20:34Z DEBUG args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-HQ-SPINQUE-COM -A -n HQ.SPINQUE.COM IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-HQ-SPINQUE-COM/pwdfile.txt
2020-07-23T12:20:34Z DEBUG Process finished, return code=0
2020-07-23T12:20:34Z DEBUG stdout=
2020-07-23T12:20:34Z DEBUG stderr=
2020-07-23T12:20:34Z DEBUG Starting external process
2020-07-23T12:20:34Z DEBUG args=/bin/systemctl is-active [email protected]
2020-07-23T12:20:34Z DEBUG Process finished, return code=0
2020-07-23T12:20:34Z DEBUG stdout=active

2020-07-23T12:20:34Z DEBUG stderr=
2020-07-23T12:20:34Z DEBUG Starting external process
2020-07-23T12:20:34Z DEBUG args=/bin/systemctl --system daemon-reload
2020-07-23T12:20:34Z DEBUG Process finished, return code=0
2020-07-23T12:20:34Z DEBUG stdout=
2020-07-23T12:20:34Z DEBUG stderr=
2020-07-23T12:20:34Z DEBUG Starting external process
2020-07-23T12:20:34Z DEBUG args=/bin/systemctl restart [email protected]
2020-07-23T12:20:44Z DEBUG Process finished, return code=0
2020-07-23T12:20:44Z DEBUG stdout=
2020-07-23T12:20:44Z DEBUG stderr=
2020-07-23T12:20:44Z DEBUG Starting external process
2020-07-23T12:20:44Z DEBUG args=/bin/systemctl is-active [email protected]
2020-07-23T12:20:44Z DEBUG Process finished, return code=0
2020-07-23T12:20:44Z DEBUG stdout=active

2020-07-23T12:20:44Z DEBUG stderr=
2020-07-23T12:20:44Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2020-07-23T12:20:44Z DEBUG waiting for port: 389
2020-07-23T12:20:44Z DEBUG SUCCESS: port: 389
2020-07-23T12:20:44Z DEBUG Restart of [email protected] complete
2020-07-23T12:20:44Z DEBUG Starting external process
2020-07-23T12:20:44Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n HQ.SPINQUE.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
2020-07-23T12:20:44Z DEBUG Process finished, return code=0
2020-07-23T12:20:44Z DEBUG stdout=
2020-07-23T12:20:44Z DEBUG stderr=
2020-07-23T12:20:44Z DEBUG Starting external process
2020-07-23T12:20:44Z DEBUG args=/bin/systemctl is-active httpd.service
2020-07-23T12:20:44Z DEBUG Process finished, return code=0
2020-07-23T12:20:44Z DEBUG stdout=active

2020-07-23T12:20:44Z DEBUG stderr=
2020-07-23T12:20:44Z DEBUG Starting external process
2020-07-23T12:20:44Z DEBUG args=/bin/systemctl restart httpd.service
2020-07-23T12:20:46Z DEBUG Process finished, return code=0
2020-07-23T12:20:46Z DEBUG stdout=
2020-07-23T12:20:46Z DEBUG stderr=
2020-07-23T12:20:46Z DEBUG Starting external process
2020-07-23T12:20:46Z DEBUG args=/bin/systemctl is-active httpd.service
2020-07-23T12:20:46Z DEBUG Process finished, return code=0
2020-07-23T12:20:46Z DEBUG stdout=active

2020-07-23T12:20:46Z DEBUG stderr=
2020-07-23T12:20:46Z DEBUG Restart of httpd.service complete
2020-07-23T12:20:46Z DEBUG Starting external process
2020-07-23T12:20:46Z DEBUG args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n IPA CA -a -f /etc/ipa/nssdb/pwdfile.txt
2020-07-23T12:20:46Z DEBUG Process finished, return code=255
2020-07-23T12:20:46Z DEBUG stdout=
2020-07-23T12:20:46Z DEBUG stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

2020-07-23T12:20:46Z DEBUG Starting external process
2020-07-23T12:20:46Z DEBUG args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n External CA cert -a -f /etc/ipa/nssdb/pwdfile.txt
2020-07-23T12:20:46Z DEBUG Process finished, return code=255
2020-07-23T12:20:46Z DEBUG stdout=
2020-07-23T12:20:46Z DEBUG stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found

2020-07-23T12:20:46Z DEBUG Starting external process
2020-07-23T12:20:46Z DEBUG args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -A -n HQ.SPINQUE.COM IPA CA -t CT,C,C -a -f /etc/ipa/nssdb/pwdfile.txt
2020-07-23T12:20:46Z DEBUG Process finished, return code=0
2020-07-23T12:20:46Z DEBUG stdout=
2020-07-23T12:20:46Z DEBUG stderr=
2020-07-23T12:20:46Z DEBUG Starting external process
2020-07-23T12:20:46Z DEBUG args=/usr/bin/update-ca-trust
2020-07-23T12:20:47Z DEBUG Process finished, return code=0
2020-07-23T12:20:47Z DEBUG stdout=
2020-07-23T12:20:47Z DEBUG stderr=
2020-07-23T12:20:47Z INFO Systemwide CA database updated.
2020-07-23T12:20:47Z DEBUG Starting external process
2020-07-23T12:20:47Z DEBUG args=/usr/bin/update-ca-trust
2020-07-23T12:20:48Z DEBUG Process finished, return code=0
2020-07-23T12:20:48Z DEBUG stdout=
2020-07-23T12:20:48Z DEBUG stderr=
2020-07-23T12:20:48Z INFO Systemwide CA database updated.
2020-07-23T12:20:48Z DEBUG Destroyed connection context.ldap2_140449064881552
2020-07-23T12:20:48Z DEBUG Created connection context.ldap2_140449064881552
2020-07-23T12:20:48Z DEBUG Starting external process
2020-07-23T12:20:48Z DEBUG args=/usr/bin/gpg-agent --batch --homedir /tmp/tmpmawFlLipa/ipa-xFMMJ4/.gnupg --daemon /usr/bin/gpg --batch --homedir /tmp/tmpmawFlLipa/ipa-xFMMJ4/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpmawFlLipa/files.tar -d replica-info-ipa02.hq.spinque.com.gpg
2020-07-23T12:20:48Z DEBUG Process finished, return code=0
2020-07-23T12:20:48Z DEBUG Starting external process
2020-07-23T12:20:48Z DEBUG args=/bin/tar xf /tmp/tmpmawFlLipa/files.tar -C /tmp/tmpmawFlLipa
2020-07-23T12:20:48Z DEBUG Process finished, return code=0
2020-07-23T12:20:48Z DEBUG stdout=
2020-07-23T12:20:48Z DEBUG stderr=
2020-07-23T12:20:48Z DEBUG Installing replica file with version 40204 (0 means no version in prepared file).
2020-07-23T12:20:48Z DEBUG Check if ipa02.hq.spinque.com is a primary hostname for localhost
2020-07-23T12:20:48Z DEBUG Primary hostname for localhost: ipa02.hq.spinque.com
2020-07-23T12:20:48Z DEBUG Search DNS for ipa02.hq.spinque.com
2020-07-23T12:20:48Z DEBUG Check if ipa02.hq.spinque.com is not a CNAME
2020-07-23T12:20:48Z DEBUG Check reverse address of 192.168.0.44
2020-07-23T12:20:48Z DEBUG Found reverse name: ipa02.hq.spinque.com
2020-07-23T12:20:48Z DEBUG Starting external process
2020-07-23T12:20:48Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master ipa01.hq.spinque.com --auto-master-check --realm HQ.SPINQUE.COM --hostname ipa02.hq.spinque.com --ca-cert-file /tmp/tmpmawFlLipa/realm_info/ca.crt
2020-07-23T12:20:51Z DEBUG Process finished, return code=1
2020-07-23T12:20:51Z DEBUG stdout=
2020-07-23T12:20:51Z DEBUG stderr=Check connection from replica to remote master 'ipa01.hq.spinque.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocoland would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
389 tcp: Failed to bind
636 tcp: Failed to bind
88 tcp: Failed to bind
88 udp: Failed to bind
464 tcp: Failed to bind
464 udp: Failed to bind
80 tcp: Failed to bind
443 tcp: Failed to bind
Get credentials to log in to remote master
Check RPC connection to remote master
trying https://ipa01.hq.spinque.com/ipa/session/json
Connection to https://ipa01.hq.spinque.com/ipa/session/json failed with <ProtocolError for ipa01.hq.spinque.com/ipa/session/json: 500 Internal Server Error>
trying https://ipa02.hq.spinque.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
Execute check on remote master
[try 1]: Forwarding 'server_conncheck' to json server 'https://ipa02.hq.spinque.com/ipa/session/json'
ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"

2020-07-23T12:20:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1015, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-ca-install", line 343, in main
    install(safe_options, options, filename)

  File "/usr/sbin/ipa-ca-install", line 281, in install
    install_replica(safe_options, options, filename)

  File "/usr/sbin/ipa-ca-install", line 229, in install_replica
    ca.install_check(True, config, options)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 165, in install_check
    principal=principal, ca_cert_file=options.ca_cert_file)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 127, in replica_conn_check
    "Connection check failed!"

2020-07-23T12:20:51Z DEBUG The ipa-ca-install command failed, exception: ScriptError: Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]

Reply via email to