freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

Replica with CA fails - "Cannot obtain CA certificate\nHTTP certificate download requires --force" #474

Open purefield opened 3 years ago

purefield commented 3 years ago

When trying to install a replica, the installation succeeds. However, with ipareplica_setup_ca (see config below) the install fails with:

TASK [ipaclient : Install - Join IPA] ***
fatal: [xpa-ipa01.dc.example.com]: FAILED! => {"changed": false, "msg": "Cannot obtain CA certificate\nHTTP certificate download requires --force"}

[ipaserver]
xpa-ipa00.dc.example.com

[ipareplicas]
xpa-ipa01.dc.example.com

[ipaserver:vars]
ipaserver_domain=example.com
ipaserver_realm=EXAMPLE.COM
ipaserver_setup_dns=no
ipaadmin_password=xxx
ipadm_password=xxx

[ipareplicas:vars]
ipareplica_domain=example.com
ipaadmin_principal=admin
ipaadmin_password=xxx
ipadm_password=xxx
ipaclient_force_join=yes
ipareplica_setup_ca=true

sangdrax8 commented 3 years ago

I am seeing the same error, but I get it without specifying ipareplica_setup_ca. I have tried with a few different versions of Ansible (2.8, 2.9, 2.10) and nothing works. Anyone else have some insight into what is causing this?

jstaf commented 3 years ago

You need to set ipareplica_servers with the fully-qualified hostname of the server to build from (needs to be in /etc/hosts for the master and replica):

ipareplica_servers:
  - ipamaster.example.local

purefield commented 3 years ago

@jstaf thanks for the info. It has been some time since I last ran it. Now the error shifted to:

AttributeError: Env object has no attribute realm

I found an article about adding the ipareplica_domain and ipareplica_realm, but without change.

jstaf commented 3 years ago

Unfortunately you need to totally destroy and recreate the replica server before re-running the playbook. I'm guessing there are some config files left around from the first time, which makes it so the second run is not clean, even when things are set correctly. Yes, this is inconvenient, I know.

purefield commented 3 years ago

@jstaf, this helped, thank you. However, now I am getting the next error:

ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/ipa-getkeytab', '-k', '/etc/dirsrv/ds.keytab', '-p', 'ldap/xpa-ipa01.ola.example.com@EXAMPLE.COM', '-H', 'ldaps://xpa-ipa00.ola.example.com'] returned non-zero exit status 9: 'Failed to parse result: Insufficient access rights\n\nRetrying with pre-4.0 keytab retrieval method...\nFailed to parse result: Insufficient access rights\n\nFailed to get keytab!\nFailed to get keytab\n')

FF186 commented 7 months ago

I'm introducing a new replica server to an existing setup, and I get the following error when I try to install the new replica:

            "realm": "EXAMPLE.COM",
            "servers": [
                "192.168.1.100",
                "192.168.1.101"
            ]
        }
    },
    "msg": "Cannot obtain CA certificate\nHTTP certificate download requires --force"

What I've done is to add the existing replica together with the master in the variable ipareplica_servers: ["master1.example.com", "replica1.example.com"], and I'm trying to install replica2.example.com. However, if I remove replica1 from the variable this will work, but then I'll be stuck with the following topology if I'm not mistaken:

replica1 <---> master <---> replica2

When I want:

replica1 <---> master <---> replica2
      ^---------------------------^
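A pre-flight check for the inventory problems raised in this thread: an empty or short-name ipareplica_servers value (jstaf's answer), and entries that are IP addresses or have no /etc/hosts entry (the "servers" list in FF186's error output). This is an added example, not part of the thread or of ansible-freeipa; the hosts-file content is constructed.

```python
import ipaddress
import re

# Constructed sample /etc/hosts content for this example; not taken from the thread.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
# IPA servers
192.168.1.100 master1.example.com  master1
192.168.1.101 replica1.example.com replica1
"""

# A DNS label is 1-63 alphanumerics/hyphens; a FQDN has at least two labels.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$", re.IGNORECASE)


def parse_hosts(text):
    """Map every hostname/alias in /etc/hosts-style text to its address, ignoring comments."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *aliases = line.split()
        for name in aliases:
            names.setdefault(name.lower().rstrip("."), address)
    return names


def is_ip_address(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def check_replica_servers(servers, hosts_text):
    """Return (server, problem) pairs; an empty list means every entry looks usable."""
    if not servers:
        return [("", "ipareplica_servers is empty; the role cannot pick a server to join")]
    names = parse_hosts(hosts_text)
    problems = []
    for server in servers:
        if is_ip_address(server):
            problems.append((server, "IP address given; a fully-qualified hostname is required"))
        elif not FQDN_RE.match(server):
            problems.append((server, "not a fully-qualified hostname"))
        elif server.lower().rstrip(".") not in names:
            problems.append((server, "no /etc/hosts entry for this name"))
    return problems
```

Run it against the real /etc/hosts of both the master and the replica, since jstaf notes the name has to be present on each side.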