RHEL-4964

Failures have been seen during non-CA replica installation, frequently when certmonger is trying to retrieve certificates, getting CA_REJECTED

    • ipa-4.9.13-1.module+el8.10.0+20723+03062ebd
      Non-CA IdM replica installation no longer fails with server affinity configured

      In some scenarios, installing an IdM replica without a certificate authority (CA) failed with `CA_REJECTED` errors. The failure occurred because the `certmonger` service attempted to retrieve certificates without the required credentials, and it resulted in incomplete replication details when adding a new replica to a complex topology.

      With this update, the IdM replica installation is performed against one specific IdM server that provides all the services the installer needs, such as Kerberos authentication, the IdM API, and CA requests. This ensures complete replication details when adding a new replica.

      Description of problem:
      When attempting to install a RHEL 8 replica from a RHEL 8 master, we get a GSS error while trying to issue the certificate, stating that the credential cache is empty and that there is insufficient access to issue the certificate.

      Version-Release number of selected component (if applicable):
      We could see it present in a migration process (RHEL 7 + RHEL 8).
      =================================================================

      How reproducible:
      The command that is being run is either:
      ipa-replica-install --setup-ca --setup-dns --ssh-trust-dns --no-forwarders --auto-reverse --allow-zone-overlap
      or:
      ipa-replica-install --setup-dns --ssh-trust-dns --no-forwarders --auto-reverse --allow-zone-overlap
      =================================================================

      Actual results:
      [ERRORS]
      2022-11-02T20:48:23Z DEBUG certmonger request is in state 'NEWLY_ADDED_READING_KEYINFO'
      2022-11-02T20:48:23Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
      2022-11-02T20:48:24Z DEBUG certmonger request is in state 'READING_KEYINFO'
      2022-11-02T20:48:24Z DEBUG certmonger request is in state 'GENERATING_CSR'
      2022-11-02T20:48:25Z DEBUG certmonger request is in state 'CA_REJECTED'
      2022-11-02T20:48:25Z DEBUG Cert request 20221102204822 failed: CA_REJECTED (Server at https://<master-server>/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).)
      2022-11-02T20:48:25Z DEBUG Giving up on cert request 20221102204822
      2022-11-02T20:48:25Z DEBUG Traceback (most recent call last):
        File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
          run_step(full_msg, method)
        File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
          method()
        File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 867, in __enable_ssl
          resubmit_timeout=api.env.certmonger_wait_timeout
        File "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py", line 415, in request_and_wait_for_cert
          "Certificate issuance failed ({}: {})".format(state, ca_error)
      RuntimeError: Certificate issuance failed (CA_REJECTED: Server at https://<master-server>/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).)

      2022-11-02T20:48:25Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at https://<master-server>/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).)
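      Added example (not code from this issue or from the FreeIPA project): a small parser for the certmonger lines of an ipareplica-install log that records the request state transitions, extracts the failing request id, the IPA server the request went to and the IPA error code, and flags whether the rejection is the missing-Kerberos-credentials symptom seen above. The sample log is constructed from the lines quoted in this report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the certmonger lines quoted in this issue's "Actual results".
SAMPLE_LOG = """\
2022-11-02T20:48:23Z DEBUG certmonger request is in state 'NEWLY_ADDED_READING_KEYINFO'
2022-11-02T20:48:23Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2022-11-02T20:48:24Z DEBUG certmonger request is in state 'READING_KEYINFO'
2022-11-02T20:48:24Z DEBUG certmonger request is in state 'GENERATING_CSR'
2022-11-02T20:48:25Z DEBUG certmonger request is in state 'CA_REJECTED'
2022-11-02T20:48:25Z DEBUG Cert request 20221102204822 failed: CA_REJECTED (Server at https://<master-server>/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).)
2022-11-02T20:48:25Z DEBUG Giving up on cert request 20221102204822
"""

STATE_RE = re.compile(r"certmonger request is in state '([A-Z_]+)'")
# Terminal failure line: request id, certmonger state, IPA JSON-RPC URL, IPA error code, message.
FAIL_RE = re.compile(
    r"Cert request (?P<req>\d+) failed: (?P<state>[A-Z_]+) "
    r"\(Server at (?P<server>\S+) denied our request, giving up: "
    r"(?P<code>\d+) \((?P<msg>.*)\)\.\)$"
)


@dataclass
class CertmongerFailure:
    request_id: str
    state: str
    server: str
    error_code: int          # IPA error number, 2100 = ACIError (insufficient access)
    message: str
    states_seen: List[str] = field(default_factory=list)

    @property
    def kerberos_related(self) -> bool:
        # The symptom in this issue: the CA request reached the server without a ticket.
        return "Credential cache is empty" in self.message or "GSSAPI Error" in self.message


def parse_certmonger_log(text: str) -> Optional[CertmongerFailure]:
    """Return the first CA rejection found in the log, with the states that led to it."""
    states: List[str] = []
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            states.append(m.group(1))
            continue
        m = FAIL_RE.search(line)
        if m:
            return CertmongerFailure(
                request_id=m["req"], state=m["state"], server=m["server"],
                error_code=int(m["code"]), message=m["msg"], states_seen=states,
            )
    return None  # no terminal failure in this log
```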

      Additional info:
