[Freeipa-devel] [PATCH 031] RedHatCAService should wait for local Dogtag instance

Petr Spacek pspacek at redhat.com
Fri Jul 1 09:43:32 UTC 2016


On 1.7.2016 11:17, Petr Spacek wrote:
> On 1.7.2016 11:04, Christian Heimes wrote:
>> On 2016-07-01 10:59, Petr Spacek wrote:
>>> On 1.7.2016 10:55, Christian Heimes wrote:
>>>> On 2016-07-01 10:48, Petr Spacek wrote:
>>>>> On 1.7.2016 10:42, Christian Heimes wrote:
>>>>>> RedHatCAService.wait_until_running() uses dogtag.ca_status() to make an
>>>>>> HTTP(S) request to Dogtag in order to check if /ca/admin/ca/getStatus
>>>>>> returns OK. The ca_status() function defaults to api.env.ca_host as
>>>>>> the host.
>>>>>>
>>>>>> On a replica without a CA, ca_host is a remote host (e.g. the master's
>>>>>> FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
>>>>>> which might be blocked by a firewall.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/6016
>>>>>
>>>>> Interesting. How does it happen that a replica without a CA is calling RedHatCAService?
>>>>>
>>>>> Also, why should a replica be waiting for a CA if it is not installed?
>>>>>
>>>>> I'm confused.
>>>>
>>>> There is a hint in the last sentence: ipa-ca-install
>>>>
>>>> The patch fixes ipa-ca-install on replicas. Right now ipa-ca-install
>>>> doesn't wait for the local Dogtag to come up but connects to a remote
>>>> Dogtag to check if it's up. It uses 8443 or 8080, which might be
>>>> blocked. In my test setup I have both ports blocked so ipa-ca-install
>>>> never succeeds.
>>>
>>> Oh, I missed that, thanks!
>>>
>>> Isn't the root cause that ipa.env.ca_host does not get updated during
>>> ipa-ca-install?
>>
>> Been there, tried it, didn't work:
>> https://fedorahosted.org/freeipa/ticket/6016#comment:1
> 
> I understand that it does not work right now but it does not mean that it is
> an actual problem in api.env :-)
> 
> Anyway, I'm testing your patch but I'm not sure we can get it into 4.4.0 as
> Petr^1 is about to push the RELEASE button any minute now.
> 
> Petr^2 Spacek
> 
>> It just doesn't make sense that RedHatCAService should ever check a
>> remote instance. The rest of the class is about the local systemd
>> service. As soon as we have sd_notify
>> https://fedorahosted.org/pki/ticket/1233 implemented, we can use systemd
>> to wait for Dogtag.

It seems to work but ipa-client-install blows up on certificate request.

# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160701093734':
        status: CA_UNREACHABLE
        ca-error: Server at
https://vm-058-082.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will
retry: 903 (RPC failed at server.  an internal error has occurred).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local
IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA
host'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

error log on the server:

[Fri Jul 01 11:37:34.294677 2016] [wsgi:error] [pid 38273] ipa: INFO:
[jsonserver_kerb]
host/vm-046.abc.idm.lab.eng.brq.redhat.com at DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
host_mod(u'vm-046.abc.idm.lab.eng.brq.redhat.com', ipasshpubkey=(u'ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCtrWFHeOF6UxI/DNdlLsUUazTpol2sRqQgbZplpkB9t/HUSjUHq0OY1mwaUfxvJp/E9yDmuHZgUgzKMSAdUf2apwFm5bw3T7qSdJ0Y7hC9vG0v6kLT0EaPuQmfJ8Rt4xOyva9htKbzkxs9Kr0ujB6V4u41ZZW2oevqtGunC2+aCxkQzd42we0c47ypxnvl8gGAa76CDXenGaChPKSfeEMddnhFvjGfkSyqjD+dCxBF+IyTRDPtt6f5iF80lfv/559rsKYlHdbbgv30i5C/F2DzaB011BmcQwK1eWSGWsEWVFtQKNMdahTl2IMgvZwHcaw8TMqgqqgZ7ZZ6lMR+UA8l',
u'ecdsa-sha2-nistp256
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHkoeGOzfQzqYOGQs2bdgL0jOBul+/eTBZ0HBM8HW3Wb5O15Fv3rt8jRp+xdSQcdG3DV5yPfjd66Fyz5hCTKS6s=',
u'ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAIH5/uXvdJ1l+uTAk0rgbjKeTBx9HRWk7w+xJLHMt/yRx'),
updatedns=False, version=u'2.26'): SUCCESS
[Fri Jul 01 11:37:37.961175 2016] [wsgi:error] [pid 38272] ipa: ERROR:
non-public: ValueError: User name is defined only for user and enterprise
principals
[Fri Jul 01 11:37:37.961220 2016] [wsgi:error] [pid 38272] Traceback (most
recent call last):
[Fri Jul 01 11:37:37.961224 2016] [wsgi:error] [pid 38272]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 352, in
wsgi_execute
[Fri Jul 01 11:37:37.961226 2016] [wsgi:error] [pid 38272]     result =
self.Command[name](*args, **options)
[Fri Jul 01 11:37:37.961229 2016] [wsgi:error] [pid 38272]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Fri Jul 01 11:37:37.961259 2016] [wsgi:error] [pid 38272]     return
self.__do_call(*args, **options)
[Fri Jul 01 11:37:37.961262 2016] [wsgi:error] [pid 38272]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Fri Jul 01 11:37:37.961265 2016] [wsgi:error] [pid 38272]     ret =
self.run(*args, **options)
[Fri Jul 01 11:37:37.961267 2016] [wsgi:error] [pid 38272]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Fri Jul 01 11:37:37.961269 2016] [wsgi:error] [pid 38272]     return
self.execute(*args, **options)
[Fri Jul 01 11:37:37.961271 2016] [wsgi:error] [pid 38272]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 456, in execute
[Fri Jul 01 11:37:37.961274 2016] [wsgi:error] [pid 38272]
caacl_check(principal_type, principal, ca, profile_id)
[Fri Jul 01 11:37:37.961276 2016] [wsgi:error] [pid 38272]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 227, in
caacl_check
[Fri Jul 01 11:37:37.961278 2016] [wsgi:error] [pid 38272]     principal, ca,
profile_id):
[Fri Jul 01 11:37:37.961280 2016] [wsgi:error] [pid 38272]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/caacl.py", line 126, in
acl_evaluate
[Fri Jul 01 11:37:37.961283 2016] [wsgi:error] [pid 38272]     req =
_acl_make_request(principal_type, principal, ca_id, profile_id)
[Fri Jul 01 11:37:37.961285 2016] [wsgi:error] [pid 38272]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/caacl.py", line 68, in
_acl_make_request
[Fri Jul 01 11:37:37.961287 2016] [wsgi:error] [pid 38272]     req.user.name =
principal.username
[Fri Jul 01 11:37:37.961289 2016] [wsgi:error] [pid 38272]   File
"/usr/lib/python2.7/site-packages/ipapython/kerberos.py", line 169, in username
[Fri Jul 01 11:37:37.961292 2016] [wsgi:error] [pid 38272]     "User name is
defined only for user and enterprise principals")
[Fri Jul 01 11:37:37.961294 2016] [wsgi:error] [pid 38272] ValueError: User
name is defined only for user and enterprise principals
[Fri Jul 01 11:37:37.961656 2016] [wsgi:error] [pid 38272] ipa: INFO:
[xmlserver]
host/vm-046.abc.idm.lab.eng.brq.redhat.com at DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:
cert_request(u'...',
principal=u'host/vm-046.abc.idm.lab.eng.brq.redhat.com at DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM',
add=True, version=u'2.51'): ValueError


I suspect that this is a regression caused by Kerberos aliases support but I'm
not going to ACK this until I can test it thoroughly.

-- 
Petr^2 Spacek
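The traceback above shows caacl's _acl_make_request reading principal.username for a host principal, which ipapython.kerberos rejects with a ValueError. As an added example that is not FreeIPA code and not part of this thread, here is a small standalone model of that evaluation which branches on the principal type before touching type-specific fields; Principal, parse_principal and make_acl_request are hypothetical names.

```python
# Added example, not FreeIPA code: build a CA ACL request by principal type,
# so a host principal never hits the .username ValueError in the traceback
# above. All names here are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    components: tuple
    realm: str

    @property
    def kind(self):
        # Constructed classification: 'alice' -> user, 'host/fqdn' -> host,
        # 'HTTP/fqdn' -> service (the principal_type values in the traceback).
        if len(self.components) == 1:
            return "user"
        return "host" if self.components[0] == "host" else "service"

    @property
    def username(self):
        # Same contract as the ipapython.kerberos accessor in the traceback.
        if self.kind != "user":
            raise ValueError(
                "User name is defined only for user and enterprise principals")
        return self.components[0]

    @property
    def hostname(self):
        if self.kind == "user":
            raise ValueError("Host name is defined only for host/service principals")
        return self.components[-1]

def parse_principal(text):
    # The realm follows the last '@'; the name part is '/'-separated.
    name, sep, realm = text.rpartition("@")
    if not sep or not realm or not name:
        raise ValueError("malformed principal: %r" % text)
    return Principal(tuple(name.split("/")), realm)

def make_acl_request(principal, ca_id, profile_id):
    # Fill only the subject field that exists for this principal type.
    req = {"ca": ca_id, "profile": profile_id, "type": principal.kind}
    if principal.kind == "user":
        req["user"] = principal.username
    else:
        req["host"] = principal.hostname
        if principal.kind == "service":
            req["service"] = principal.components[0]
    return req
```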