[RHEL-4964] Failures have been seen during non-CA replica installation, frequently when certmonger is trying to retrieve certificates, getting CA_REJECTED

• ipa-4.9.13-1.module+el8.10.0+20723+03062ebd
• Moderate
• rhel-sst-idm-ipa
• ssg_idm
• Bug Fix
• Done

Release note:

.Non-CA IdM replica installation no longer fails with server affinity configured

In some scenarios, installing an IdM replica without a certificate authority (CA) failed with `CA_REJECTED` errors. The failure occurred due to the `certmonger` service attempting to retrieve certificates and resulted in incomplete replication details when adding a new replica to a complex topology.

With this update, the IdM replica installation process happens against a specific IdM server that provides the necessary services such as Kerberos authentication and IdM API and CA requests. This ensures complete replication details when adding a new replica.

Description of problem:
When attempting to install a RHEL 8 replica from a RHEL 8 master, we get a GSS error when trying to issue the certificate, stating that the credentials cache is empty and there is insufficient access to issue the certificate.

Version-Release number of selected component (if applicable):
We could see it present in a migration process (RHEL 7 + RHEL 8).
=================================================================

How reproducible:
The command that is being run is either `ipa-replica-install --setup-ca --setup-dns --ssh-trust-dns --no-forwarders --auto-reverse --allow-zone-overlap` or `ipa-replica-install --setup-dns --ssh-trust-dns --no-forwarders --auto-reverse --allow-zone-overlap`.
=================================================================

Actual results:
[ERRORS]
2022-11-02T20:48:23Z DEBUG certmonger request is in state 'NEWLY_ADDED_READING_KEYINFO'
2022-11-02T20:48:23Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2022-11-02T20:48:24Z DEBUG certmonger request is in state 'READING_KEYINFO'
2022-11-02T20:48:24Z DEBUG certmonger request is in state 'GENERATING_CSR'
2022-11-02T20:48:25Z DEBUG certmonger request is in state 'CA_REJECTED'
2022-11-02T20:48:25Z DEBUG Cert request 20221102204822 failed: CA_REJECTED (Server at https://<master-server>/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).)
2022-11-02T20:48:25Z DEBUG Giving up on cert request 20221102204822
2022-11-02T20:48:25Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 867, in __enable_ssl
    resubmit_timeout=api.env.certmonger_wait_timeout
  File "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py", line 415, in request_and_wait_for_cert
    "Certificate issuance failed ({}: {})".format(state, ca_error)
RuntimeError: Certificate issuance failed (CA_REJECTED: Server at https://<master-server>/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).)

2022-11-02T20:48:25Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at https://<master-server>/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).)

Additional info:
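As an added triage check, not code from the bug report or from FreeIPA: a Python routine that walks the certmonger state lines of an ipa-replica-install log and pulls out the terminal failure (request id, the server that denied the request, the IPA error number and the GSSAPI reason), flagging the empty-credential-cache case shown above. The sample log is constructed from the lines quoted in the description.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the certmonger DEBUG lines quoted in the bug description.
SAMPLE_LOG = """\
2022-11-02T20:48:23Z DEBUG certmonger request is in state 'NEWLY_ADDED_READING_KEYINFO'
2022-11-02T20:48:23Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2022-11-02T20:48:24Z DEBUG certmonger request is in state 'READING_KEYINFO'
2022-11-02T20:48:24Z DEBUG certmonger request is in state 'GENERATING_CSR'
2022-11-02T20:48:25Z DEBUG certmonger request is in state 'CA_REJECTED'
2022-11-02T20:48:25Z DEBUG Cert request 20221102204822 failed: CA_REJECTED (Server at https://<master-server>/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).)
2022-11-02T20:48:25Z DEBUG Giving up on cert request 20221102204822
"""

STATE_RE = re.compile(r"^\S+ DEBUG certmonger request is in state '([A-Z_]+)'")
# "Cert request <id> failed: <STATE> (Server at <url> denied our request, giving up: <code> (<reason>).)"
FAIL_RE = re.compile(r"^\S+ DEBUG Cert request (\d+) failed: ([A-Z_]+) "
                     r"\(Server at (\S+) denied our request, giving up: (\d+) \((.*)\)\.\)$")

@dataclass
class CertRequestOutcome:
    states: List[str] = field(default_factory=list)  # certmonger state transitions, in log order
    request_id: Optional[str] = None
    final_state: Optional[str] = None
    server: Optional[str] = None                      # IPA server that answered the cert request
    ipa_error_code: Optional[int] = None              # 2100 accompanies "Insufficient access" in the quoted log
    reason: Optional[str] = None

def parse_certmonger_log(text: str) -> CertRequestOutcome:
    """Collect certmonger request states and the terminal failure, if any, from an install log."""
    out = CertRequestOutcome()
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            out.states.append(m.group(1))
            continue
        m = FAIL_RE.match(line)
        if m:
            out.request_id, out.final_state, out.server = m.group(1), m.group(2), m.group(3)
            out.ipa_error_code, out.reason = int(m.group(4)), m.group(5)
    return out

def diagnose(outcome: CertRequestOutcome) -> str:
    """Classify the outcome so a failed replica install can be triaged from the log alone."""
    if outcome.final_state is None:
        return "CA_REJECTED (details not logged)" if "CA_REJECTED" in outcome.states else "no terminal failure"
    if outcome.final_state == "CA_REJECTED" and "Credential cache is empty" in (outcome.reason or ""):
        # The request reached the server without a Kerberos ticket, so the access check failed.
        return "CA_REJECTED: request sent to %s without Kerberos credentials (IPA error %d)" % (
            outcome.server, outcome.ipa_error_code)
    return "%s: IPA error %s (%s)" % (outcome.final_state, outcome.ipa_error_code, outcome.reason)

if __name__ == "__main__":
    print(diagnose(parse_certmonger_log(SAMPLE_LOG)))
```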


Errata Tool added a comment -

Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

For information on the advisory (Moderate: idm:DL1 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:3044

Dominika Borges added a comment -

Updated the release notes text with peer review feedback.

Florence Renaud added a comment -

Hi dvagnero@redhat.com,

thanks for the release note text update, looks good to me.

Dominika Borges added a comment -

Hi frenaud@redhat.com, thank you for the release note text. I made some updates, could you please review the release note text?

Florence Renaud added a comment -

Additional patches needed:
master: https://pagure.io/freeipa/c/2a95a05f9e2b965d0a5f5946d59f614d8baea8e2
ipa-4-11: https://pagure.io/freeipa/c/d2ffa10df62bba45aa63232d3ad9a5ebf7158eea
ipa-4-10: https://pagure.io/freeipa/c/fdc27b255d39efc17123ace567d5e0a12a81dd37
ipa-4-9: https://pagure.io/freeipa/c/3add9ba03a0af913d03b1f5ecaa8e48e46a93f91

Anuja More added a comment -

With the steps given in the description, the issue is not reproduced in the non-fixed version.
Pre-verifying the bug based on a sanity test using a test compose with ipa-server-4.9.13-2.module+el8.10.0+20814+029c28d0.x86_64.
Test: [/ipa-server/rhel80/ipa-migration/root]: [ Pass(36/36): 100% ]

pm-rhel added a comment -

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Florence Renaud added a comment -

Fixed upstream ipa-4-10:
https://pagure.io/freeipa/c/08dad8f8d75b965eb7c113a5710b0b3519df41dc
https://pagure.io/freeipa/c/74f664685a4e689f0fd42e253310425b97d6c4ea

Florence Renaud added a comment -

Fixed upstream ipa-4-11:
https://pagure.io/freeipa/c/54a251bceaabfaf82d0a18b2614c261e2bded0c0
https://pagure.io/freeipa/c/169f9abb6b9fdc11dc5d3e4ec8e6e9c3ef4dfd4f

Florence Renaud added a comment -

Additional patch on master: https://pagure.io/freeipa/c/f248b22ef4d98293224b49576f5e6a1b8d672d76

Fixed upstream ipa-4-9:
https://pagure.io/freeipa/c/3af7747364d184c8ef5bad8ea1654b12c529727b
https://pagure.io/freeipa/c/0cf6292f9c5d0cb31d57439e234a4e8640edc64f

People: Rob Crittenden (rhn-engineering-rcrit), Cilmar Oliveira (ciolivei, inactive), Rob Crittenden, Sudhir Menon, Dominika Borges