#9679 ipa-replica-install --setup-kra java.lang.Exception: Too many arguments specified
Closed: worksforme 6 months ago by frenaud. Opened 6 months ago by zlopez.

Issue

When trying to run ipa-replica-install in Fedora infra with --setup-kra I got the following error:

ERROR: CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://ipa03.stg.iad2.fedoraproject.org:443', '--ignore-banner', 'ca-kraconnector-add', '--url', 'https://ipa03.stg.iad2.fedoraproject.org:8443/kra/agent/kra/connector', '--subsystem-cert', '/tmp/tmptiisv2cu/subsystem.crt', '--transport-cert', '/tmp/tmptiisv2cu/transport.crt', '--transport-nickname', 'transportCert cert-pki-kra', '--install-token', '/tmp/tmptiisv2cu/install-token', '--debug']' returned non-zero exit status 255.

After looking further in the logs I found this:

java.lang.Exception: Too many arguments specified.
        at com.netscape.cmstools.system.KRAConnectorAddCLI.execute(KRAConnectorAddCLI.java:112)
        at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
        at org.dogtagpki.cli.CLI.execute(CLI.java:353)
        at org.dogtagpki.cli.CLI.execute(CLI.java:353)
        at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
        at org.dogtagpki.cli.CLI.execute(CLI.java:353)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)

The reason for trying to introduce the KRA role in the replica now is that ipa-backup is complaining about nodes having different roles, with the master having CA and KRA and the replica nodes only CA.

Steps to Reproduce

  1. On the master node run ipa-server-install (see the whole command below)
  2. On the master node run ipa-kra-install (see the whole command below)
  3. On the replica node run ipa-replica-install (see the whole command below)

Actual behavior

The error mentioned above

Expected behavior

The replica is installed with roles CA,KRA

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

ipa-server-4.11.0-15.el9_4.x86_64
ipa-client-4.11.0-15.el9_4.x86_64
389-ds-base-2.4.5-9.el9_4.x86_64
krb5-server-1.21.1-2.el9_4.x86_64

Additional info:

Any additional information, configuration, data or log snippets that are needed for reproduction or investigation of the issue.

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting

Here is the whole ipa-replica-install command that is being executed:

ipa-replica-install
             --setup-ca
             --setup-kra
             --admin-password={{ipa_admin_password}}
             --no-host-dns
             --mkhomedir
             --no-ntp
             --unattended
             --no-ssh
             --no-sshd
             --skip-conncheck
             --force-join
             --log-file=/var/log/ipainstall.log
             --domain=STG.FEDORAPROJECT.ORG
             --server=ipa01.stg.iad2.fedoraproject.org
             --dirsrv-config-file=/root/ldif/replica-install.ldif

The master node is installed by running:

ipa-server-install
           --realm=STG.FEDORAPROJECT.ORG
           --domain=STG.FEDORAPROJECT.ORG
           --ds-password={{ipa_dm_password}}
           --admin-password={{ipa_admin_password}}
           --mkhomedir
           --no-ntp
           --unattended
           --no-ssh
           --no-sshd
           --log-file=/var/log/ipainstall.log
           creates=/etc/ipa/default.conf

And the KRA is installed on master node by running:

ipa-kra-install
           --password={{ipa_dm_password}}
           --unattended
           --log-file=/var/log/ipakrainstall.log
           creates=/var/log/ipakrainstall.log

It's possible that this is caused by something in our Fedora Infra setup, so for completeness here is the role that is setting up the server.


ipa-backup is for catastrophic failures where the infrastructure is completely hosed. It is not for per-host restorations if something happened to that host.

ipa-backup is a run once tool which will kill all replication agreements and restore the data from the backup. This means all the other servers in the topology need to either be re-installed or at a minimum the DS and PKI replication agreements re-initialized. The restored host is now the only source of truth until the others are reset.

This is the reason it complains if not all optional services are installed: because they won't be restored and you'd lose data and configuration.

You also don't want a KRA everywhere, or a CA for that matter. They are considered heavy weight.

So as long as you have good offline storage for the backups in case of disk failure, you should be ok only backing up one or two IPA servers that have the full set of services configured, for redundancy.

The trick is to keep in mind that if servers that happen to be your backup nodes are retired, you need to pick a new one.
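The two conditions described above (only a server carrying the full set of optional services is a usable ipa-backup node, and a role that lives on a single server is a nasty gotcha when that server is retired) are easy to check from the role listing. The script below is an added example, not part of this ticket or of FreeIPA itself: it parses a constructed sample in the human-readable layout that `ipa server-role-find --status enabled` is assumed to print (the "Server name:", "Role name:" and "Role status:" field labels are an assumption; adjust them if your version differs), lists the servers eligible for ipa-backup and flags required roles that exist on only one server. The hostnames are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `ipa server-role-find --status enabled` is assumed
# to print. Field labels are an assumption; hostnames are placeholders.
SAMPLE_OUTPUT = """\
-----------------------
5 server roles matched
-----------------------
  Server name: ipa01.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa01.example.test
  Role name: KRA server
  Role status: enabled

  Server name: ipa02.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa03.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa01.example.test
  Role name: IPA master
  Role status: enabled
----------------------------
Number of entries returned 5
----------------------------
"""

# The optional services a backup node must carry so that ipa-backup captures them.
REQUIRED_ROLES = frozenset({"CA server", "KRA server"})

FIELD_RE = re.compile(r"\s*(Server name|Role name|Role status):\s*(.+?)\s*$")


def parse_roles(text):
    """Return {server: {role, ...}} for every entry whose status is 'enabled'."""
    roles = defaultdict(set)
    server = role = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # separators, counts and blank lines
        key, value = m.groups()
        if key == "Server name":
            server = value
        elif key == "Role name":
            role = value
        elif key == "Role status":
            if server and role and value == "enabled":
                roles[server].add(role)
            server = role = None  # one entry is complete; start the next
    return dict(roles)


def backup_candidates(roles, required=REQUIRED_ROLES):
    """Servers carrying every required role: the only ones ipa-backup will accept
    without complaining about missing optional services."""
    return sorted(s for s, r in roles.items() if required <= r)


def single_points_of_failure(roles, required=REQUIRED_ROLES):
    """Required roles that are installed on exactly one server in the topology."""
    return sorted(r for r in required
                  if sum(r in held for held in roles.values()) == 1)


def report(text):
    """Parse a role listing and return (roles, candidates, spof, human summary)."""
    roles = parse_roles(text)
    cands = backup_candidates(roles)
    spof = single_points_of_failure(roles)
    lines = ["backup candidates: " + (", ".join(cands) or "NONE")]
    if len(cands) < 2:
        lines.append("warning: fewer than two backup candidates; "
                     "add the missing roles to a second server")
    for r in spof:
        lines.append(f"warning: role '{r}' is installed on a single server")
    return roles, cands, spof, "\n".join(lines)


if __name__ == "__main__":
    # In production, feed it the real listing, e.g. via subprocess.run(
    # ["ipa", "server-role-find", "--status", "enabled"], ...).stdout
    print(report(SAMPLE_OUTPUT)[3])
```

On the sample topology (which mirrors the one in this ticket: one server with CA and KRA, two replicas with CA only) the script names ipa01 as the only backup candidate and warns that the KRA role is a single point of failure, which is exactly the "belt and suspenders" situation the discussion recommends avoiding.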

Thanks for the explanation. So it's better to just backup only the master node which is being replicated?

I mean, I don't like single points of failure, and it could be a nasty gotcha if someone forgets down the line that there "can be only one" and it gets replaced and you no longer have new backups. I guess what I'd recommend is backing up the server that acts as the renewal master, CRL generator, etc., so that one machine is "special".
But having a KRA only on one server also isn't optimal so backing up at least two, for safety, is what I'd recommend. Belt and suspenders.

I'm wondering if our setup is then correct. We have one server (ipa01) installed with ipa-server-install and two others (ipa02 and ipa03) that are installed with ipa-replica-install. And as I mentioned the ipa-replica-install failed with --setup-kra added. That means we have only one server with KRA role currently running.

Your install sounds pretty standard. The first server is always installed using ipa-server-install and subsequent ones added using ipa-replica-install.

It failed with java.lang.Exception: Too many arguments specified.

This is not a call that IPA makes but one done within the dogtag-provided pkispawn command. Are all of your packages up-to-date?

It seems that everything is up-to-date and the version is idm-pki-tools-11.5.0-2.el9_4.x86_64.

I tried to run the pki command again, just to check, and it failed with the same error message.

Hi @zlopez
It may be unrelated, but the playbook is using the same value for domain and realm: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/ipa/server/tasks/main.yml#_43-55

The domain should be lowercase.

EDITED: it has no impact as the installer converts the domain to lowercase.

@frenaud As you said it's automatically converted to lowercase.

@rcritten Should I open the issue with idm-pki-tools package for RHEL 9? It seems like this is not the problem of ipa-replica-install.

I'd recommend opening a JIRA ticket in the Red Hat Certificate System project. The component will be pki-core.

Thanks, let me move it there. Feel free to close this one.

Metadata Update from @frenaud:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

6 months ago
