Replica Uninstallation failed with "ERROR Unable to read /etc/httpd/conf.d/ipa-pki-proxy.conf"
Environment
- Red Hat Enterprise Linux 7.9
- ipa-server-4.6.8-5
Issue
- IPA Replica uninstallation is failing with the message "ERROR Unable to read /etc/httpd/conf.d/ipa-pki-proxy.conf"
# cat ipaserver-uninstall.log
2025-04-28T17:51:45Z DEBUG Logging to /var/log/ipaserver-uninstall.log
....
2025-04-28T17:51:51Z DEBUG raw: config_show(version=u'2.237')
2025-04-28T17:51:51Z DEBUG config_show(rights=False, all=False, raw=False, version=u'2.237')
2025-04-28T17:51:51Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
return cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 358, in run
self.validate()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in validate
for _nothing in self._validator():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 633, in _configure
next(validator)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 455, in _handle_validate_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 73, in _uninstall
for unused in self._uninstaller(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 594, in main
uninstall_check(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 250, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1030, in uninstall_check
ca.uninstall_check(options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 114, in uninstall_check
crlgen_enabled = ca.is_crlgen_enabled()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1451, in is_crlgen_enabled
"Unable to read {}".format(paths.HTTPD_IPA_PKI_PROXY_CONF))
2025-04-28T17:51:51Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Unable to read /etc/httpd/conf.d/ipa-pki-proxy.conf
2025-04-28T17:51:51Z ERROR Unable to read /etc/httpd/conf.d/ipa-pki-proxy.conf
2025-04-28T17:51:51Z ERROR The ipa-server-install command failed.
Resolution
- Try to restore the /etc/httpd/conf.d/ipa-pki-proxy.conf file from backup, if a backup is available.
- Or create a file as below:
# cat /etc/httpd/conf.d/ipa-pki-proxy.conf
ProxyRequests Off
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:8009 secret=8IolQt6l6wmliELkNpXN1UYluZiqCJxEvQtL0GDuMH92
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:8009 secret=8IolQt6l6wmliELkNpXN1UYluZiqCJxEvQtL0GDuMH92
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient require
ProxyPassMatch ajp://localhost:8009 secret=8IolQt6l6wmliELkNpXN1UYluZiqCJxEvQtL0GDuMH92
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
<LocationMatch "^/(ca|kra|pki)/rest/">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient optional
ProxyPassMatch ajp://localhost:8009 secret=8IolQt6l6wmliELkNpXN1UYluZiqCJxEvQtL0GDuMH92
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
<LocationMatch "^/acme">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
# RFC 8555 says HTTPS is REQUIRED
SSLRequireSSL
SSLVerifyClient none
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
- Set the permission as below:
# ll /etc/httpd/conf.d/ipa-pki-proxy.conf
-rw-r-----. 1 root root 2603 Nov 19 01:06 /etc/httpd/conf.d/ipa-pki-proxy.conf
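One way to verify the result of the steps above, as an added example that is not part of the original article or of Red Hat's tooling: it checks the mode and ownership shown in the `ll` output and confirms that the `secret=` value on the `ProxyPassMatch` lines equals the AJP connector secret configured in Tomcat, since a value copied from another host will not match. The function names, the path /etc/pki/pki-tomcat/conf/server.xml and the connector attribute names `secret`/`requiredSecret` are assumptions.

```shell
#!/bin/bash
# Added example (not Red Hat's code): sanity checks for a restored ipa-pki-proxy.conf.

# check_perms FILE [MODE] [OWNER:GROUP]
# Succeeds when FILE exists with the mode and ownership shown in the article's
# "ll" output (-rw-r----- root root). Returns 2 if missing, 1 on a mismatch.
check_perms() {
    local f=$1 want="${2:-640} ${3:-root:root}" got
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    got=$(stat -c '%a %U:%G' "$f") || return 2
    [ "$got" = "$want" ] || { echo "$f is '$got', expected '$want'" >&2; return 1; }
}

# secrets_consistent PROXY_CONF SERVER_XML
# Succeeds when the ProxyPassMatch lines that carry secret= all use one value
# and that value equals the AJP connector secret in SERVER_XML. The secret is
# never printed. Attribute names secret/requiredSecret are assumptions.
secrets_consistent() {
    local proxy tomcat n
    proxy=$(sed -n 's/^[[:space:]]*ProxyPassMatch[[:space:]].*[[:space:]]secret=\([^[:space:]]*\).*/\1/p' "$1" | sort -u)
    tomcat=$(grep -oE '(requiredSecret|secret)="[^"]*"' "$2" | cut -d'"' -f2 | sort -u)
    n=$(printf '%s\n' "$proxy" | grep -c . || true)   # number of distinct secrets
    [ "$n" = 1 ] || { echo "$1: expected 1 distinct secret=, found $n" >&2; return 1; }
    [ "$proxy" = "$tomcat" ] || { echo "AJP secret differs from $2" >&2; return 1; }
}

# Run both checks when a proxy config path is given, e.g.
#   ./check.sh /etc/httpd/conf.d/ipa-pki-proxy.conf /etc/pki/pki-tomcat/conf/server.xml
if [ -n "${1:-}" ]; then
    check_perms "$1" \
        && secrets_consistent "$1" "${2:-/etc/pki/pki-tomcat/conf/server.xml}" \
        && echo "OK: $1"
fi
```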
Root Cause
The /etc/httpd/conf.d/ipa-pki-proxy.conf file was missing.
Diagnostic Steps
- Check for the /etc/httpd/conf.d/ipa-pki-proxy.conf file and its permission:
# ll /etc/httpd/conf.d/ipa-pki-proxy.conf
-rw-r-----. 1 root root 2603 Nov 19 01:06 /etc/httpd/conf.d/ipa-pki-proxy.conf
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.