Hi Florence,
followed the advice and installed RHEL 8 replica first (Alma Linux 8.6), then from that went to RHEL 9 (Alma Linux 9.0) and all is good now.

In more detail, I had 3 replicas:

Beginning:
R1 (Centos 7), R2 (Centos 7), R3 (Centos 7)

After Step 1, upgrade R2 to Alma Linux 8.6
R1 (Centos 7), R2 (Alma Linux 8.6), R3 (Centos 7)

After Step 2, upgrade R1 to Alma Linux 9.0
R1 (Alma Linux 9.0), R2 (Alma Linux 8.6), R3 (Centos 7)

After Step 3, upgrade R2 to Alma Linux 9.0
R1 (Alma Linux 9.0), R2 (Alma Linux 9.0), R3 (Centos 7)

After Step 4, drop Centos 7
R1 (Alma Linux 9.0), R2 (Alma Linux 9.0)

Thanks!
Ivars

> On 5 Jul 2022, at 09:33, Florence Blanc-Renaud <[email protected]> wrote:
>
> Hi,
>
> On Mon, Jul 4, 2022 at 5:07 PM Ivars Strazdins via FreeIPA-users
> <[email protected]> wrote:
> Hi guys,
> I am installing IPA replica on RHEL9 (well, Alma Linux 9 actually) and got
> exactly the same issue as here: https://access.redhat.com/discussions/6961739
> And similarly to the poster of that issue, also my IPA master server is IPA
> 4.6.8 on Centos7.
>
> I was trying to migrate IPA to a newer version by using Alma Linux 9.
> I removed Centos 7 replica and tried to install Alma Linux 9 replica. IPA
> client was installed without issues.
> No SELinux alerts.
> Content of /var/lib/ipa folder:
> [root@fricka ~]# ls /var/lib/ipa
> backup certs gssproxy passwds pki-ca private ra-agent.pem sysrestore
> sysupgrade
>
> Any suggestions how this could be resolved?
> Thank you in advance,
> Ivars
>
> Log of replica install:
> ….
> Starting replication, please wait until this has completed.
> Update in progress, 9 seconds elapsed
> Update succeeded
>
> [3/30]: creating ACIs for admin
> [4/30]: creating installation admin user
> [5/30]: configuring certificate server instance
> [6/30]: stopping certificate server instance to update CS.cfg
> [7/30]: backing up CS.cfg
> [8/30]: Add ipa-pki-wait-running
> [9/30]: secure AJP connector
> [10/30]: reindex attributes
> [11/30]: exporting Dogtag certificate store pin
> [12/30]: disabling nonces
> [13/30]: set up CRL publishing
> [14/30]: enable PKIX certificate path discovery and validation
> [15/30]: authorizing RA to modify profiles
> [16/30]: authorizing RA to manage lightweight CAs
> [17/30]: Ensure lightweight CAs container exists
> [18/30]: Ensuring backward compatibility
> [19/30]: destroying installation admin user
> [20/30]: starting certificate server instance
> [21/30]: Finalize replication settings
> [22/30]: configure certmonger for renewals
> [23/30]: Importing RA key
> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
> ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-'] returned
> non-zero exit status 1: 'Traceback (most recent call last):\n File
> "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in <module>\n
> main(ra_agent_parser())\n File
> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
> line 114, in main\n common.main(parser, export_key, import_key)\n File
> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py", line
> 73, in main\n func(args, tmpdir, **kwargs)\n File
> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
> line 69, in import_key\n ipautil.run(cmd, umask=0o027)\n File
> "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run\n
> raise CalledProcessError(\nipapython.ipautil.CalledProcessError:
> CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
> \'/tmp/tmp5koo8ca2/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
> \'/var/lib/ipa/ra-agent.pem\', \'-password\',
> \'file:/tmp/tmp5koo8ca2/passwd\'] returned non-zero exit status 1: \'Error
> outputting keys and certificates\\n802B104A807F0000:error:0308010C:digital
> envelope
> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global
> default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')
> [error] FileNotFoundError: [Errno 2] No such file or directory:
> '/var/lib/ipa/ra-agent.key'
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information
>
>
> This error looks like issue #9101 [1] / BZ #2032806 [2].
> To be able to install a RHEL9 replica, I think you will have to install first
> a RHEL8 replica (or CentOS8, but a version with the fix for #9101), then
> install the RHEL9 replica from the RHEL8 replica.
>
> HTH,
> flo
>
> [1] https://pagure.io/freeipa/issue/9101
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=2032806
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
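Added example, not part of the original thread or of FreeIPA's code: a small triage helper that pulls the OpenSSL 3 error-queue entry out of an install log like the one quoted above and reports it as the root cause ahead of the follow-on missing `ra-agent.key` error. The function names, the sample string (constructed from the thread's log lines) and the short, non-exhaustive list of legacy-provider algorithm families are assumptions of this example.

```python
import re

# OpenSSL 3.x error-queue entry: <thread>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:<data>
ERR_RE = re.compile(
    r"(?P<tid>[0-9A-F]{8,16}):error:(?P<code>[0-9A-F]{8}):(?P<lib>[^:]+):"
    r"(?P<func>[^:]*):(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):"
    r"(?P<data>[^\\\n']*)"
)
ALG_RE = re.compile(r"Algorithm \(([A-Za-z0-9_-]+) : \d+\)")
MISSING_RE = re.compile(r"No such file or directory: '([^']+)'")
# Assumption: non-exhaustive list of algorithm families that OpenSSL 3 serves
# only from its legacy provider, not from the default provider.
LEGACY_FAMILIES = {"RC2", "RC4", "BF", "CAST5", "IDEA", "SEED", "MD4", "DES"}

def is_legacy(alg):
    alg = alg.upper()
    if alg.startswith("DES-EDE"):  # triple DES is still in the default provider
        return False
    return alg.split("-")[0] in LEGACY_FAMILIES

def triage(log_text):
    """Return OpenSSL errors, missing files and the first legacy-algorithm error."""
    errors = []
    for m in ERR_RE.finditer(log_text):
        alg = ALG_RE.search(m["data"])
        name = alg[1] if alg else None
        errors.append({
            "reason": m["reason"],
            "source": f'{m["file"]}:{m["line"]}',
            "algorithm": name,
            "legacy_provider": bool(name) and is_legacy(name),
        })
    root = next((e for e in errors if e["legacy_provider"]), None)
    return {"errors": errors, "root_cause": root,
            "missing_files": MISSING_RE.findall(log_text)}

# Constructed sample: the thread's log lines, shortened and rejoined.
SAMPLE = (
    r"  [23/30]: Importing RA key" "\n"
    r"Error storing key ... returned non-zero exit status 1: \'Error outputting "
    r"keys and certificates\\n802B104A807F0000:error:0308010C:digital envelope "
    r"routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:"
    r"Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')" "\n"
    r"  [error] FileNotFoundError: [Errno 2] No such file or directory: "
    r"'/var/lib/ipa/ra-agent.key'" "\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```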
