Freeipa: adding subca in loop fails with Non-2xx response from CA REST API: 500 #4677
Comments
@flo-renaud Since we're in exception phase, could you open a RHEL Jira ticket for this and provide the justification?
Hi @edewata
Thanks. I've added some tests for this (PR #4679) and ran it multiple times but so far the Also, the
Could you check PKI's systemd journal to see if there are any log messages from the key retriever?
I've invited you to dogtagpki so you can review the PR.
With your PR, the issue is also reproducible. It happened on iteration 62.
The journal shows custodia failure to obtain the key:
It shows a call to pki-tomcat/ca/debug:
With the PKI version provided in the copr repo @pki/master, freeipa fails to add subcas in loops.
After a few iterations, ipa ca-add fails with:
Reproducer:
Enable pki copr repo:
dnf copr enable -y @pki/master
Enable freeipa copr repo:
dnf copr enable -y @freeipa/freeipa-master-nightly
Upgrade and install freeipa:
dnf update -y; dnf install -y freeipa-server-dns
Install IPA server:
ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
Create multiple subcas:
In the provided logs, the command failed for iterations 16,17,18,19,20:
debug.2024-02-23.log
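
A loop harness for the last reproducer step, added here as an example and not the reporter's original script: it runs `ipa ca-add` repeatedly and records which iterations fail and when, so each failure can be matched against the PKI journal and the CA debug log. The sub-CA names, subject DNs, default count of 100, the `IPA_CMD` override and the log file name are assumptions.

```shell
#!/bin/sh
# Added example, not the reporter's script. Assumed (constructed) values:
# sub-CA names "subcaN", subjects "CN=subcaN,O=IPA.TEST", log file name.
# Needs a valid admin ticket (kinit admin) when run against a real server.

IPA_CMD=${IPA_CMD:-ipa}                      # override to substitute a stub
FAIL_LOG=${FAIL_LOG:-./subca-failures.log}   # one line per failed iteration

# create_subcas COUNT
# Runs "ipa ca-add" COUNT times. Each failure is appended to FAIL_LOG with a
# UTC timestamp and the client's error text. Prints the failed iteration
# numbers, space separated, on stdout.
create_subcas() {
    count=$1
    failed=""
    i=1
    while [ "$i" -le "$count" ]; do
        # Capture stderr only; the success output is not needed here.
        if ! err=$("$IPA_CMD" ca-add "subca$i" \
                --subject "CN=subca$i,O=IPA.TEST" 2>&1 >/dev/null); then
            ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
            printf '%s iteration=%s %s\n' "$ts" "$i" "$err" >>"$FAIL_LOG"
            failed="${failed:+$failed }$i"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$failed"
}

# Run only when asked: sh subca-loop.sh run [COUNT]
if [ "${1:-}" = "run" ]; then
    failed=$(create_subcas "${2:-100}")
    echo "failed iterations: ${failed:-none}"
    [ -z "$failed" ]    # non-zero exit status if any iteration failed
fi
```

The UTC timestamps in the failure log give the time window to search in the PKI systemd journal for key retriever messages.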