Open flo-renaud opened 3 weeks ago
@fmarco76 This might be related to VLV removal. See this log: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/789ea2a2-234e-11ef-bc55-fa163e234302/test_integration-test_installation.py-TestInstallWithCA_KRA1-test_replica0_ipa_kra_install/master.ipa.test/var/log/pki/pki-tomcat/kra/debug.2024-06-05.log.gz
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: Authorizing request
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: AAclAuthz: Granting modify permission for certServer.clone.configuration.UpdateNumberRange
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: Type: serialNo
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: Getting serialNo repository
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: dbs.endSerialNumber: 268435456
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: dbs.serialCloneTransferNumber: 65536
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: Begin number: 268369921
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Repository: Getting last serial number in range 1..268435456
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAPSession.continuousPagedSearch(): Searching ou=keyRepository, ou=kra,o=kra,o=ipaca for (serialno<=09268435456)
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAPSession.continuousPagedSearch(): Searching ou=keyRepository, ou=kra,o=kra,o=ipaca for (serialno<=09268435456)
There's no stack trace so it's difficult to say where exactly it's failing.
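A triage helper for the log excerpt above, added here as an example (it is not part of the thread or of Dogtag's code): it checks the logged UpdateNumberRange values against each other, decodes the serialno search filter, and reports the last message per thread, which is the only locator available without a stack trace. The relation begin = end - transfer + 1 and the reading of the `09` prefix as a digit count are assumptions inferred from the logged values; all function names are hypothetical.

```python
import re

# Constructed sample: four lines copied from the KRA debug log quoted above.
SAMPLE = """\
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: dbs.endSerialNumber: 268435456
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: dbs.serialCloneTransferNumber: 65536
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: Begin number: 268369921
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAPSession.continuousPagedSearch(): Searching ou=keyRepository, ou=kra,o=kra,o=ipaca for (serialno<=09268435456)
"""

LINE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] (\w+): (.*)$")

def parse(log):
    """Split each debug line into (timestamp, thread, level, message)."""
    return [m.groups() for m in map(LINE.match, log.splitlines()) if m]

def range_check(entries):
    """Collect the UpdateNumberRange values and test begin == end - transfer + 1."""
    keys = {"end": r"dbs\.endSerialNumber: (\d+)",
            "transfer": r"dbs\.serialCloneTransferNumber: (\d+)",
            "begin": r"Begin number: (\d+)"}
    found = {}
    for _, _, _, msg in entries:
        for name, pattern in keys.items():
            m = re.search(pattern, msg)
            if m:
                found[name] = int(m.group(1))
    if len(found) == 3:
        # Assumed relation, inferred from the three logged numbers.
        found["consistent"] = found["begin"] == found["end"] - found["transfer"] + 1
    return found

def decode_filter(msg):
    """Return (serial, prefix_ok) for a (serialno<=NNdigits) filter, else None.
    Assumption: NN is the decimal digit count of the serial that follows."""
    m = re.search(r"\(serialno<=(\d{2})(\d+)\)", msg)
    return (int(m.group(2)), int(m.group(1)) == len(m.group(2))) if m else None

def last_step(entries):
    """Last message logged per thread: where a request went quiet."""
    return {thread: msg for _, thread, _, msg in entries}

if __name__ == "__main__":
    entries = parse(SAMPLE)
    print(range_check(entries))
    for thread, msg in last_step(entries).items():
        print(thread, "->", msg, decode_filter(msg))
```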
@edewata It is possible but only with this log it is difficult. I'll try to replicate the scenario. @flo-renaud Is it possible to increase the log verbosity of pki subsystems during the installation with ipa?
The installation of a KRA instance on a replica fails when the @pki/master copr repository is enabled.
Reproducer: On both machines, enable @pki/master and @freeipa/freeipa-master-nightly, update all packages with updates-testing enabled.
ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders --setup-kra -a Secret123 -p Secret123 -U
ipa-replica-install --setup-ca --setup-kra --principal admin --password Secret123 --domain ipa.test --realm IPA.TEST --server server.ipa.test -U
The replica installation fails in the step configuring the KRA.
The error can be seen in FreeIPA nightly tests, for instance in PR #3720 with the test test_installation_TestInstallWithCA_KRA1. Link to report and to logs. ipaserver-kra-install.log shows that the call to pkispawn -s KRA fails when calling
pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf -U https://master.ipa.test:443 --ignore-banner kra-range-request serialNo --install-token /tmp/tmplrj56ee6/install-token --output-format json --debug
Note that the installation uses serial number ranges.
Version: dogtag-pki-server-11.6.0-0.1.alpha1.20240605143450UTC.4d8bbec5.fc39.noarch dogtag-jss-5.6.0-0.1.alpha1.20240523101440UTC.0da84f41.fc39.x86_64