Hi,

the issue really looks similar to
- 1998016 <https://bugzilla.redhat.com/show_bug.cgi?id=1998016> - RA key import failing during pki instance creation on RHEL9.0 replica from RHEL8.4 server
- 2032806 <https://bugzilla.redhat.com/show_bug.cgi?id=2032806> - Error replacing a replica with CentOS Stream 9
The fix requires an update of both pki and ipa packages.

flo

On Mon, Feb 6, 2023 at 4:21 AM alexey safonov via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I have 5 servers on CentOS 8 Stream, and while trying to update to
> Rocky 9.1 I found that re-creating new replicas is successful only with
> one server. The others produce an error.
>
> It fails with this error (full log attached):
>   [22/29]: Importing RA key
> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
> ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
> returned non-zero exit status 1: 'Traceback (most recent call last):
>   File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in <module>
>     main(ra_agent_parser())
>   File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 114, in main
>     common.main(parser, export_key, import_key)
>   File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py", line 73, in main
>     func(args, tmpdir, **kwargs)
>   File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 69, in import_key
>     ipautil.run(cmd, umask=0o027)
>   File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run
>     raise CalledProcessError(
> ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-in', '/tmp/tmp7jrs5dqp/import.p12', '-clcerts', '-nokeys', '-out', '/var/lib/ipa/ra-agent.pem', '-password', 'file:/tmp/tmp7jrs5dqp/passwd'] returned non-zero exit status 1: 'Error outputting keys and certificates
> 80EB2D6B5D7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
> ')
> ')
>   [error] FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> So currently I'm in a situation where I have these servers:
> A, B - CentOS 8
> C, D, E - RHEL 9
>
> I know that the recreation of a replica only succeeds when I use server B
> as the master. Even with the new server on RHEL 9.1, no replica will be
> created, due to the custodia error.
>
> Any ideas on how to fix that?
>
> pki-ca on server A - 10.12.0.3
> server B - 10.12.0.2
> C,D,E - 11.2.1.1
>
> ipa on A, B - 4.9.8.2
> C,D,E - 4.10.0.7
>
> I'm really worried about why creating a replica only works with server B.
>
> Alex
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
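A check and a workaround for the failure in the quoted log, added here as an example; it is not FreeIPA or Dogtag code and it does not describe what the updated pki and ipa packages do. The OpenSSL error in the traceback names the cause: the PKCS#12 bundle exported by the older server is encrypted with RC2-40-CBC, which the default provider of OpenSSL 3 on RHEL 9 no longer implements, so the openssl pkcs12 call that extracts the RA certificate fails, and the FileNotFoundError for ra-agent.key that follows is a consequence of that. The script below classifies a PKCS#12 file by the PBE algorithm it uses, reproduces the same extraction step, and re-wraps a legacy file with PBES2/AES-256-CBC so that a RHEL 9 host can read it without the legacy provider. All function names, file names and the password "secret" are assumptions of this example; the -legacy option is only tried where the local OpenSSL accepts it, and the test fixtures are constructed on the fly rather than taken from the original post.

```shell
#!/bin/sh
# Added example (not FreeIPA or Dogtag code): classify the PBE algorithms inside
# a PKCS#12 file and re-wrap it with PBES2/AES before handing it to a host whose
# OpenSSL 3 default provider rejects RC2-40-CBC. Function names, file names and
# the "secret" password are assumptions made for this example.
set -u

# Print "legacy" when the PKCS#12 file uses RC2 (pbeWithSHA1And40BitRC2-CBC, the
# OpenSSL 1.x default for the certificate bag), else "modern". "-info" writes the
# algorithm names to stderr before trying to decrypt, and OpenSSL 3's own
# "unsupported ... RC2-40-CBC" error also names RC2, so both cases classify.
p12_pbe_class() {  # p12_file password
  if openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 | grep -qi 'RC2'; then
    echo legacy
  else
    echo modern
  fi
}

# The same step the quoted traceback shows ipa-custodia-ra-agent running
# (certificate only, no key, password read from a file). On an OpenSSL 3 host
# without the legacy provider this is the call that fails for a legacy file.
p12_extract_clcerts() {  # p12_file password_file out_pem
  openssl pkcs12 -in "$1" -clcerts -nokeys -out "$3" -password "file:$2" 2>/dev/null
}

# Re-encrypt a PKCS#12 with PBES2/AES-256-CBC and an HMAC-SHA256 MAC. Reading is
# tried with -legacy first (OpenSSL 3 plus legacy provider), then without it
# (OpenSSL 1.x, or a file that never needed legacy ciphers). The clear-text
# bundle only ever lives in a 0700 temp dir that is removed on every exit path.
p12_rewrap_modern() {  # in_p12 out_p12 password
  tmp=$(mktemp -d) || return 1
  chmod 700 "$tmp"
  if ! openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -legacy -out "$tmp/bundle.pem" 2>/dev/null; then
    if ! openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -out "$tmp/bundle.pem" 2>/dev/null; then
      rm -rf "$tmp"; return 1
    fi
  fi
  if openssl pkcs12 -export -in "$tmp/bundle.pem" -passout "pass:$3" \
       -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 -out "$2" 2>/dev/null; then
    rm -rf "$tmp"; return 0
  fi
  rm -rf "$tmp"; return 1
}

# Test fixtures (constructed here, not from the original post): a throwaway
# self-signed identity, a PBES2/AES file, and, where the local OpenSSL can still
# produce one, an RC2-40 file like the ones exported by older servers.
make_test_identity() {  # dir
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=ra-agent-test -days 1 \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}
make_modern_p12() {  # dir password
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" -passout "pass:$2" \
    -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 -out "$1/modern.p12" 2>/dev/null
}
make_legacy_p12() {  # dir password ; fails when RC2 is unavailable either way
  openssl pkcs12 -export -legacy -inkey "$1/key.pem" -in "$1/cert.pem" \
    -passout "pass:$2" -out "$1/legacy.p12" 2>/dev/null && return 0
  openssl pkcs12 -export -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-3DES \
    -inkey "$1/key.pem" -in "$1/cert.pem" -passout "pass:$2" -out "$1/legacy.p12" 2>/dev/null
}

demo() {
  d=$(mktemp -d); chmod 700 "$d"
  make_test_identity "$d" && make_modern_p12 "$d" secret
  echo "modern.p12: $(p12_pbe_class "$d/modern.p12" secret)"
  if make_legacy_p12 "$d" secret; then
    echo "legacy.p12: $(p12_pbe_class "$d/legacy.p12" secret)"
    p12_rewrap_modern "$d/legacy.p12" "$d/rewrapped.p12" secret
    echo "rewrapped.p12: $(p12_pbe_class "$d/rewrapped.p12" secret)"
  fi
  rm -rf "$d"
}
if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh check_p12.sh run` to see the classification of the constructed files; on a RHEL 9 host without the legacy provider the legacy fixture cannot even be created, which is the same limitation that breaks the import in the quoted log. Re-wrapping is only a way to move an existing bundle between hosts; the answer in the thread, updating both pki and ipa, is what fixes the replica installer itself.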