dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

IPA KRA install fails on a replica (@pki/master) #4773

Open flo-renaud opened 3 weeks ago

flo-renaud commented 3 weeks ago

The installation of a KRA instance on a replica fails when the @pki/master copr repository is enabled.

Reproducer: On both machines, enable @pki/master and @freeipa/freeipa-master-nightly, update all packages with updates-testing enabled.

  1. install IPA server with ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders --setup-kra -a Secret123 -p Secret123 -U
  2. install IPA replica with ipa-replica-install --setup-ca --setup-kra --principal admin --password Secret123 --domain ipa.test --realm IPA.TEST --server server.ipa.test -U

The replica installation fails in the step configuring the KRA.

The error can be seen in FreeIPA nightly tests, for instance in PR #3720 with the test test_installation_TestInstallWithCA_KRA1. Link to report and to logs. ipaserver-kra-install.log shows that the call to pkispawn -s KRA fails when calling pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf -U https://master.ipa.test:443 --ignore-banner kra-range-request serialNo --install-token /tmp/tmplrj56ee6/install-token --output-format json --debug

Note that the installation uses serial number ranges.

Version: dogtag-pki-server-11.6.0-0.1.alpha1.20240605143450UTC.4d8bbec5.fc39.noarch dogtag-jss-5.6.0-0.1.alpha1.20240523101440UTC.0da84f41.fc39.x86_64

edewata commented 2 weeks ago

@fmarco76 This might be related to VLV removal. See this log: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/789ea2a2-234e-11ef-bc55-fa163e234302/test_integration-test_installation.py-TestInstallWithCA_KRA1-test_replica0_ipa_kra_install/master.ipa.test/var/log/pki/pki-tomcat/kra/debug.2024-06-05.log.gz

2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: Authorizing request
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: AAclAuthz: Granting modify permission for certServer.clone.configuration.UpdateNumberRange
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: Type: serialNo
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: Getting serialNo repository
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: dbs.endSerialNumber: 268435456
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: dbs.serialCloneTransferNumber: 65536
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: UpdateNumberRange: Begin number: 268369921
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Repository: Getting last serial number in range 1..268435456
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAPSession.continuousPagedSearch(): Searching ou=keyRepository, ou=kra,o=kra,o=ipaca  for (serialno<=09268435456)
2024-06-05 15:50:42 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAPSession.continuousPagedSearch(): Searching ou=keyRepository, ou=kra,o=kra,o=ipaca  for (serialno<=09268435456)

There's no stack trace so it's difficult to say where exactly it's failing.
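The numbers in the UpdateNumberRange log above can be cross-checked with the following added example (not Dogtag's code). It assumes, from the log alone, that the clone receives the top dbs.serialCloneTransferNumber serials of the master's range (begin = end - transfer + 1) and that serialno is stored as a two-digit length prefix plus the decimal number, which is why the filter reads (serialno<=09268435456) and why a string <= comparison orders like an integer one.

```python
# Added example; the encoding and range arithmetic are inferred from the
# log lines in this issue, not taken from the Dogtag sources.

def transfer_range(end_serial: int, transfer: int) -> tuple[int, int]:
    """(begin, end) of the sub-range handed to the clone (assumed rule)."""
    if transfer <= 0 or transfer > end_serial:
        raise ValueError("transfer count must lie within the master's range")
    return end_serial - transfer + 1, end_serial


def serial_to_db(n: int) -> str:
    """Two-digit length prefix + decimal digits, e.g. 268435456 -> '09268435456'."""
    if n < 0:
        raise ValueError("serial numbers are non-negative")
    digits = str(n)
    if len(digits) > 99:
        raise ValueError("length prefix is limited to two digits")
    return f"{len(digits):02d}{digits}"


def db_to_serial(s: str) -> int:
    """Inverse of serial_to_db; rejects a value whose prefix and length disagree."""
    if len(s) < 3 or not s.isdigit():
        raise ValueError(f"malformed encoded serial: {s!r}")
    length, digits = int(s[:2]), s[2:]
    if len(digits) != length:
        raise ValueError(f"malformed encoded serial: {s!r}")
    return int(digits)


def range_filter(end_serial: int) -> str:
    """Filter used to look up the last serial in 1..end_serial."""
    return f"(serialno<={serial_to_db(end_serial)})"


def lexical_order_matches_numeric(limit: int, step: int = 997) -> bool:
    """Sanity check: string order of encoded serials equals numeric order."""
    vals = list(range(0, limit, step)) + [limit]
    encoded = [serial_to_db(v) for v in vals]
    round_trip = all(db_to_serial(e) == v for e, v in zip(encoded, vals))
    return encoded == sorted(encoded) and round_trip


if __name__ == "__main__":
    begin, end = transfer_range(268435456, 65536)
    print(f"Begin number: {begin}")  # 268369921, as in the log
    print(range_filter(end))         # (serialno<=09268435456)
```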

fmarco76 commented 2 weeks ago

@edewata It is possible but only with this log it is difficult. I'll try to replicate the scenario. @flo-renaud Is it possible to increase the log verbosity of pki subsystems during the installation with ipa?