Public bug reported:

Brand new fresh install of FreeIPA on Ubuntu 19.10

This condition is not an issue when I build FreeIPA on RPM-based distros, so it's localized to Ubuntu builds.

Install first server in IPA cluster.
==========
# ipa --version
VERSION: 4.8.1, API_VERSION: 2.233

Attempt to Setup first replica server fails:
=====
Command Issued:
----------
ipa-replica-install -v -d --setup-ca --force-join --skip-conncheck

(I have to supply '--skip-conncheck' because the ipa-replica-install command fails every single time when the conncheck is run, even if all firewall rules are completely disabled and the nodes are even located in the same subnet...but that's a separate issue to debug)

Error on the node attempting to become replica:
==========
The ipa-replica-install command failed, exception: HTTPError: 404 Client Error: Not Found for url: https://ipa-1.ipa.XXX.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=[JWE token omitted]
==========

After some slogging through logs, I found the following error on the brand new master explaining why a 404 was thrown when the replica was trying to pull keys:
==========
Feb 03 17:53:23 ipa-1.ipa.XXX.com krb5kdc[15561]: closing down fd 12
Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - SimpleCredsAuth-[auth:simple] - PASS: '16490' authenticated as '33, 33'
Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - SimpleHeaderAuth-[auth:header] - PASS: '16490' authenticated as '(null)'
Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - IPAKEMKeys-[authz:kemkeys] - PASS: '16490' authorized for '/keys'
Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: Error retrieving key "keys/ca/caSigningCert cert-pki-ca": [Errno 2] No such file or directory: '/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat': '/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat'
Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - Secrets-[/keys] - DENIED: '(null)' requested key 'ca/caSigningCert cert-pki-ca'
Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - server - code 404, message Not Found
==========

I was able to rectify the broken functionality by simply symlinking to the expected directory.
==========
ln -s /usr/lib/ipa /usr/libexec/ipa
==========

Upon symlinking all nodes to have the missing directory available, re-issuance of the ipa-replica-install succeeds.

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1861755

Title:
  Freeipa functionality in wrong location on Ubuntu

Status in freeipa package in Ubuntu:
  New
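Added example, not part of the original report and not FreeIPA code: a shell triage helper that pulls the helper path named in the ipa-custodia `[Errno 2]` line and checks whether the same file exists under the other install prefix, which separates a packaging path mismatch from a real authorization denial behind the 404. The function names and the optional staging-root argument are assumptions made for this sketch; the log lines are copied from the report.

```shell
#!/bin/sh
# Added example: triage a Custodia 404 caused by a missing helper binary.

# Three of the report's log lines, embedded so the script runs offline.
sample_log() {
cat <<'EOF'
Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - IPAKEMKeys-[authz:kemkeys] - PASS: '16490' authorized for '/keys'
Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: Error retrieving key "keys/ca/caSigningCert cert-pki-ca": [Errno 2] No such file or directory: '/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat': '/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat'
Feb 03 17:53:24 ipa-1.ipa.XXX.com ipa-custodia[15594]: 2020-02-03 17:53:24 - server - code 404, message Not Found
EOF
}

# stdin: journal text. stdout: each distinct path ipa-custodia reported as ENOENT.
missing_helpers() {
    grep 'ipa-custodia\[' \
      | sed -n "s/.*\[Errno 2\] No such file or directory: '\([^']*\)'.*/\1/p" \
      | sort -u
}

# Args: missing_path expected_prefix actual_prefix [root]
# root is a hypothetical staging directory, used only to test against a fake tree.
# Returns 0 if the helper exists under actual_prefix, 1 if absent, 2 if unrelated.
locate_helper() {
    path=$1; expected=$2; actual=$3; root=${4:-}
    case $path in
        "$expected"/*) rel=${path#"$expected"/} ;;
        *) echo "unrelated $path"; return 2 ;;
    esac
    if [ -x "$root$actual/$rel" ]; then
        echo "relocated $path -> $actual/$rel"
    else
        echo "absent $path"
        return 1
    fi
}

# stdin: journal text. Classifies every missing helper path found in it.
diagnose() {
    missing_helpers | while IFS= read -r p; do
        locate_helper "$p" "$1" "$2" "${3:-}" || :
    done
}

# Prefixes are the two directories named in the report's workaround.
sample_log | diagnose /usr/libexec/ipa /usr/lib/ipa
```

On a live master, feed it the unit's journal instead of the sample, for example `journalctl -u ipa-custodia | diagnose /usr/libexec/ipa /usr/lib/ipa`.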