Discussion:
[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys
simo5
2017-03-31 16:28:41 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
simo5
2017-03-31 16:30:12 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
Title: #679: Make sure remote hosts have our keys
Action: synchronized

simo5
2017-03-31 16:30:58 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
I haven't tested this yet ... but what could possibly go wrong? :-)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-290762100
simo5
2017-04-03 12:55:59 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
Title: #679: Make sure remote hosts have our keys
Action: synchronized

pvoborni
2017-04-04 16:19:51 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

pvoborni commented:
"""
Shouldn't the ticket number be: https://pagure.io/freeipa/issue/6838 ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-291553067
simo5
2017-04-04 16:32:49 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Seems like both errors are the same problem.
Should we mark 6688 a duplicate of 6838 ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-291556956
simo5
2017-04-04 16:34:01 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Never mind, they are not duplicates.
I'll fix the commit message.

"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-291557263
simo5
2017-04-04 16:36:32 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
Title: #679: Make sure remote hosts have our keys
Action: synchronized

stlaz
2017-04-12 14:18:37 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
Fails with
```
2017-04-12T14:16:14Z DEBUG The ipa-replica-install command failed, exception: ValueError: Incorrect number of results (0) searching forpublic key for host/vm-***@DOM-096.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
```
on first replica, every try.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-293591724
tiran
2017-04-20 14:12:08 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
Title: #679: Make sure remote hosts have our keys
Action: edited

Changed field: body
Original value:
"""
In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6688

Signed-off-by: Simo Sorce <***@redhat.com>
"""
simo5
2017-04-25 13:30:58 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
Title: #679: Make sure remote hosts have our keys
Action: synchronized

pvoborni
2017-05-02 07:40:59 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

pvoborni commented:
"""
What is this PR waiting for?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298530908
stlaz
2017-05-02 07:49:25 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
Post by stlaz
Fails with
on first replica, every try.
I did not see any change in code to fix this but I can try again.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298534740
stlaz
2017-05-02 16:08:38 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
Still fails.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298681896
simo5
2017-05-02 19:20:04 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Can you please attach more of the logs before the failure ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298734189
simo5
2017-05-02 20:19:01 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
@stlaz just FYI, I am asking this info because I cannot reproduce locally with a single replica.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298748943
simo5
2017-05-02 20:23:21 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Never mind, I finally reproduced
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298750030
simo5
2017-05-02 21:28:55 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
Title: #679: Make sure remote hosts have our keys
Action: synchronized

simo5
2017-05-02 21:30:50 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Turned out my master had some more relaxed permissions I added when developing the feature.
I now have added a new function to just check for the host keys without asking for data that cannot be read with the identity we have available.
This has been tested and seems to work correctly.
Please check @stlaz
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298767350
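
The wait described in the PR body, combined with the presence-only check from the comment above, as an added sketch that is not FreeIPA's code. `LaggingReplica`, `wait_for_host_keys`, `FakeClock`, `demo` and the DNs are hypothetical names, and the remote LDAP server is simulated so the block runs offline.

```python
import time

class LaggingReplica:
    """Constructed stand-in for the remote LDAP server: an entry written on
    another master becomes visible here only after a replication delay."""
    def __init__(self, clock):
        self._clock, self._visible_at = clock, {}
    def replicate(self, dn, lag):
        self._visible_at[dn] = self._clock() + lag
    def entry_exists(self, dn):
        # Presence-only check: returns a bool and never reads key material,
        # so it does not depend on extra read permissions.
        at = self._visible_at.get(dn)
        return at is not None and self._clock() >= at

def wait_for_host_keys(replica, key_dns, timeout=300.0, interval=1.0,
                       clock=time.monotonic, sleep=time.sleep):
    """Poll until every DN in key_dns is visible on replica; return the
    number of polls used, or raise TimeoutError after timeout seconds."""
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        missing = [dn for dn in key_dns if not replica.entry_exists(dn)]
        if not missing:
            return polls
        if clock() >= deadline:
            raise TimeoutError("keys not replicated: " + ", ".join(missing))
        sleep(interval)

class FakeClock:
    """Deterministic clock so the demo runs instantly and offline."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

def demo(lag, timeout):
    clock = FakeClock()
    replica = LaggingReplica(clock)
    # Hypothetical DNs; the encryption key is created last, so it arrives last.
    sig = "cn=sig,cn=host.example.test,cn=keys,dc=example,dc=test"
    enc = "cn=enc,cn=host.example.test,cn=keys,dc=example,dc=test"
    replica.replicate(sig, lag - 1)
    replica.replicate(enc, lag)
    return wait_for_host_keys(replica, [sig, enc], timeout=timeout,
                              interval=1.0, clock=clock, sleep=clock.sleep)

if __name__ == "__main__":
    print(demo(lag=3, timeout=10))
```

The bounded deadline matters as much as the poll: without it, a replica whose keys never arrive would hang the install instead of failing with a message naming the missing entries.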
stlaz
2017-05-03 06:06:57 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
@simo5 will check, sorry for not replying yesterday, I was no more at my machine.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298829885
stlaz
2017-05-03 07:49:28 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
Seems to work fine against current master, but fails with
```
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR 503 Server Error: Service Unavailable for url: https://vm-096.abc.idm.lab.eng.brq.redhat.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.k6y2jmI8oxRIsieU93_RzG5mZU_u_DPW2XL2jjLukYPZ3oZOkLkufof0fBeH6LAR66aL9m5C9j26GmhlTqNsm2FUQT7Xql975rYR3veooDwLQlPx6k4X1J4CTEeSsf7RVj8KfLE5e4K-nW1hTyepsbm7RDAA_-tbLvWzEqCQ0I3bfpPEDmlML08FA9T_yuPb1FkT0-lSCLV5PHya4tOB3R2q5CHC2b6BpwZQtbVW8eohshEmJMTO2NMAyPlfJscgSHYmhi6oliToV_Dh90Ej1UH_S0UOkHLsvIV5IoW4EGeaGdeHwHo4GsSGHGN3exVxWk9GShhJ_WJ-dlXSGQ_9CA.SfWWO_VrqzKKX3EYSh3E1Q.n4GtjcFZOQSZmAG9MShIQVtfRv_N3jEQMS46rLGUU6xIS-BYBL0Xq1UWP6VFrZW-g96Iqe2PIBhv4m1FsuAzP_gzac1lCr2ghcVuj3rAUg81G5s8vPuYNl_Ur5UVlQ2LtWzGLc26s1z_43MF7qCl8iayvXqnweK8_kj54F1RUJ-Awp0--Z4mnK_FFrPU4BBW2_EjZ1tOR8dV7NnxnN2Gd2tiDFl6Kkbj91rf6Bo2f8telN5RJsX52PsNW2z-l78TOIAKY4qfHhSVz31RO3xgUbyu3yQ79sGIxD66hzmVisB_LnbpNHbIjCP1wKEXXSo-IPrDtXk7ZWZrEITtItzynbzBKddVLjcNMjoqGz-lhLWVNg8R8rdHEdUzhlkdM-kFfW6Fz57wSyOZnt4KvQ-lZxY62TLQB1gqJ7vhzUPUs1g7C9rsy4gTQPjuRxXnLRvqXSb3arQPkrUl_hLqRuAm8FL-ClYY9G38KVns81QTygKvkDC8E5LQBJfyzkg93AyTXNBcrdCxP8AGgaxLBlGyEX-ya0g3mVX5fz_Uj6gyKjtOS_x1AUHOMkAMRmVEzvixrz-krCMWYOQDmJi19OlNeNjb7-NUVDxPRryr7e6Po2OqSbSjP6kUSw_QbMZf8BCrqV4TUFOwndTmZ68n1TOrCqie-UO71TJnherD_3m60_t3-Li1uy6_WWX66BBEMCCtsZBJWP7OYj7c9CzWGuzUEI7g75i4TZwoM1z0SjuyoPE.ZbRawj1B943OeF6AD_W0Z3pfk13fs14rbj_Ab8n-ZXI
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```
against 4.4.4 master.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298844054
simo5
2017-05-03 11:34:45 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
I've seen this once but thought it was a fluke due to my "unclean" master, as the following times it did not happen.
Can you reproduce the error against 4.4.4 consistently ?

"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298886632
stlaz
2017-05-03 11:45:53 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
I was able to do it two times in a row with the same master, I can try to reinstall both the master and replica if you want. What do you mean "unclean"? It's a clean 4.4.4 master, no code changes, `/etc/httpd/alias` and `/etc/pki/pki-tomcat/alias` NSS databases seem fine, too.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298888556
simo5
2017-05-03 11:54:02 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
I meant my setup was unclean.
I will try to reproduce here.
Does master w/o this patch work properly against 4.4.4 ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298889962
stlaz
2017-05-03 11:58:42 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
Not sure, I will try that.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298890816
stlaz
2017-05-03 12:09:56 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
It seems that replica install fails even without this patch so it's OK to go with it?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298892918
simo5
2017-05-03 12:36:23 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
We need to find why it breaks though, but yeah I think we can go forward with this patch if others agree.
Can you open a separate bug for the failure you got ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298898148
stlaz
2017-05-03 13:40:30 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
Will do, ACKing this in the meantime.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298913680
stlaz
2017-05-03 13:40:37 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

Label: +ack
stlaz
2017-05-03 13:49:18 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

Label: -ack
stlaz
2017-05-03 13:49:37 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

stlaz commented:
"""
Removing the ACK to retest on 4.4.4 with Fedora custodia version.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298916263
stlaz
2017-05-03 14:28:29 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

Label: +ack
tomaskrizek
2017-05-03 14:37:52 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

Label: +pushed
tomaskrizek
2017-05-03 14:38:04 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
Title: #679: Make sure remote hosts have our keys
Action: closed

tomaskrizek
2017-05-03 14:38:05 UTC
URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

tomaskrizek commented:
"""
ipa-4-5:

* 5f8d1119fe38807e86930af50d3680e28efe68eb Make sure remote hosts have our keys


master:

* 1f9f84a66d6cf9391b91ee4a13ac0f1119212578 Make sure remote hosts have our keys


"""

See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298930285