How can I send that request to a specific server? So it's going to one of the old servers during replica-creation.
[2/2]: Importing RA key
[2/2]: Importing RA key
Waiting up to 300 seconds to see our keys appear on host ldap://lt-hkg1-avm01.int.lhft.io
Starting new HTTPS connection (1): lt-hkg1-avm01.int.lhft.io:443
https://lt-hkg1-avm01.int.lhft.io:443 "GET /ipa/keys/ra/ipaCert?type=kem&value=???? HTTP/1.1" 200 6024
Starting external process
args=['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
Process finished, return code=0
stdout=
stderr=
Starting external process

On Tue, 7 Feb 2023 at 21:50, Florence Blanc-Renaud <f...@redhat.com> wrote:
>
> Hi,
>
> the issue really looks similar to
> - 1998016 RA key import failing during pki instance creation on RHEL9.0
> replica from RHEL8.4 server
> - 2032806 - Error replacing a replica with CentOS Stream 9
> The fix requires an update of both pki and ipa packages.
>
> flo
>
> On Mon, Feb 6, 2023 at 4:21 AM alexey safonov via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> I have 5 servers on CentOS 8 stream, and while trying to update to
>> Rocky 9.1 I found that re-creating new replicas only with one server
>> it is successful.
>> And the others provide an error
>>
>> It fails with this error (full log attached):
>> [22/29]: Importing RA key
>> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
>> ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
>> returned non-zero exit status 1: 'Traceback (most recent call last):\n
>> File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in
>> <module>\n main(ra_agent_parser())\n File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 114, in main\n
>> common.main(parser, export_key, import_key)\n File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py",
>> line 73, in
>> main\n func(args, tmpdir, **kwargs)\n File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 69, in
>> import_key\n ipautil.run(cmd, umask=0o027)\n File
>> "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
>> run\n raise
>> CalledProcessError(\nipapython.ipautil.CalledProcessError:
>> CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
>> \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
>> \'/var/lib/ipa/ra-agent.pem\', \'-password\',
>> \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
>> \'Error outputting keys and
>> certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
>> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
>> default library context, Algorithm (RC2-40-CBC : 0),
>> Properties ()\\n\')\n')
>> [error] FileNotFoundError: [Errno 2] No such file or directory:
>> '/var/lib/ipa/ra-agent.key'
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> So currently, I'm in a situation where I have servers:
>> A,B - CentOS8
>> C,D,E - RHEL9
>>
>> I know that only when I'm mastering with server B the recreation of
>> replica will be successful.
>> Even with the new server on RHEL9.1 no
>> replica will be created due to custodia error.
>>
>> Any ideas on how to fix that?
>>
>> pki-ca on server A - 10.12.0.3
>> server B - 10.12.0.2
>> C,D,E - 11.2.1.1
>>
>> ipa on A, B - 4.9.8.2
>> C,D,E - 4.10.0.7
>>
>> I'm really worrying why only creating replica with server B works.
>>
>> Alex
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
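
Added example, not part of the thread and not FreeIPA code: a small Python parser that pulls the OpenSSL error entry out of the mail-quoted installer log above and reports whether the rejected algorithm belongs to a cipher family that OpenSSL 3 ships only in its non-default legacy provider. The function names and the prefix list are assumptions of this example; the sample text is an excerpt of the log quoted in this thread.

```python
import re

# Cipher-name prefixes that OpenSSL 3 provides only through its "legacy"
# provider, which is not loaded by default (illustrative, not exhaustive).
LEGACY_PREFIXES = ("RC2", "RC4", "RC5", "BF", "CAST", "IDEA", "SEED")

# OpenSSL 3 error-queue entry:
#   <thread id>:error:<code>:<library>:<function>:<reason>:<file>:<line>:<data>
ERR_RE = re.compile(
    r"(?P<tid>[0-9A-F]+):error:(?P<code>[0-9A-F]{8}):(?P<lib>[^:]+):"
    r"(?P<func>[^:]+):(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):"
)
ALG_RE = re.compile(r"Algorithm \((?P<alg>[A-Za-z0-9_-]+) : \d+\)")

# Excerpt of the quoted installer log from this thread, mail wrapping included.
SAMPLE = r"""
>> \'Error outputting keys and
>> certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
>> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
>> default library context, Algorithm (RC2-40-CBC : 0),
>> Properties ()\\n\')\n')
"""

def unquote(text):
    """Drop mail quote markers ('>> ') and re-join hard-wrapped lines."""
    lines = [re.sub(r"^\s*(?:>\s?)+", "", ln) for ln in text.splitlines()]
    return re.sub(r"\s+", " ", " ".join(lines)).strip()

def diagnose(text):
    """Return one finding per OpenSSL error entry found in the log text."""
    flat = unquote(text)
    hits = list(ERR_RE.finditer(flat))
    findings = []
    for i, m in enumerate(hits):
        # Only look for the algorithm name inside this entry's own data field.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        alg = ALG_RE.search(flat, m.end(), end)
        name = alg.group("alg") if alg else None
        findings.append({
            "code": m.group("code"),
            "library": m.group("lib"),
            "function": m.group("func"),
            "reason": m.group("reason"),
            "source": f"{m.group('file')}:{m.group('line')}",
            "algorithm": name,
            "legacy_provider": bool(name) and name.upper().startswith(LEGACY_PREFIXES),
        })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```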