Hi Florence, Rob and all,

YESSSS, was that…

BUT, I had to make the same change on the 2 other servers also providing a CA! Restarted with "ipactl restart" on server1 after the change, then on server2 after the change, reinstalled server3, and then ipa-kra-install worked perfectly, and the migration process can continue by upgrading server1, then server2!

Thanks a lot for your wonderful knowledge of the depth of FreeIPA! Thanks also to Rob, who taught me very interesting things related to the trusted certs!

Bernard LHEUREUX
Linux & System Engineer
win.be <https://www.win.be/>

From: Florence Blanc-Renaud <f...@redhat.com>
Sent: Monday, 5 May 2025 10:42
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Rob Crittenden <rcrit...@redhat.com>; LHEUREUX Bernard <bernard.lheur...@staff.win.be>
Subject: Re: [Freeipa-users] Re: Impossible to install a KRA replicate with FreeIPA version 4.12.2-1 (RHEL9)

Hi,

On Mon, May 5, 2025 at 9:25 AM LHEUREUX Bernard via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi Rob and all!
> That partly helped me; indeed I had an untrusted certificate, now corrected. I followed your instructions and tried to reinstall server3 completely, but I always get a failure when ipa-kra-install is launched. The /var/log/ipaserver-kra-install.log shows:
>
> INFO: HTTP response: HTTP/1.1 200 OK
> FINE: - Date: Mon, 05 May 2025 07:16:07 GMT
> FINE: - Server: Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2 mod_auth_gssapi/1.6.3 mod_wsgi/4.7.1 Python/3.9
> FINE: - Content-Type: application/json
> FINE: - Vary: Accept-Encoding
> FINE: - Keep-Alive: timeout=30, max=99
> FINE: - Connection: Keep-Alive
> FINE: - Transfer-Encoding: chunked
> FINE: Response: { "Response" : { "Status" : "1", "Error" : "Unable to add KRA connector for https://server3.domain.net:8443: KRA connector already exists" } }
> FINE: CAClient: Response: { "Response" : { "Status" : "1", "Error" : "Unable to add KRA connector for https://server3.domain.net:8443: KRA connector already exists" } }

This looks a lot like this issue: https://pagure.io/freeipa/issue/9692

The workaround is to update the file /etc/pki/pki-tomcat/ca/CS.cfg on the master. Please read https://pagure.io/freeipa/issue/9692#comment-941843

- remove the failed replica using "ipa server-del <name>" on the master
- uninstall the failed replica with "ipa-server-install --uninstall"
- fix the CS.cfg file on the master
- retry the replica installation

flo

> FINE: CAClient: status: 1
> java.lang.NullPointerException: Cannot invoke "com.fasterxml.jackson.databind.JsonNode.asText()" because the return value of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null
>     at com.netscape.certsrv.ca.CAClient.addKRAConnector(CAClient.java:129)
>     at com.netscape.cmstools.system.KRAConnectorAddCLI.execute(KRAConnectorAddCLI.java:220)
>     at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>     at org.dogtagpki.cli.CLI.execute(CLI.java:353)
>     at org.dogtagpki.cli.CLI.execute(CLI.java:353)
>     at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
>     at org.dogtagpki.cli.CLI.execute(CLI.java:353)
>     at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
>     at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
> ERROR: CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://server3.domain.net:443', '--ignore-banner', 'ca-kraconnector-add', '--url', 'https://server3.domain.net:8443/kra/agent/kra/connector', '--subsystem-cert', '/tmp/tmpwepujwad/subsystem.crt', '--transport-cert', '/tmp/tmpwepujwad/transport.crt', '--transport-nickname', 'transportCert cert-pki-kra', '--install-token', '/tmp/tmpwepujwad/install-token', '--debug']' returned non-zero exit status 255.
>   File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 568, in main
>     deployer.spawn()
>   File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 4985, in spawn
>     scriptlet.spawn(self)
>   File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 197, in spawn
>     deployer.finalize_subsystem(subsystem)
>   File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 4772, in finalize_subsystem
>     self.finalize_kra(subsystem)
>   File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 4654, in finalize_kra
>     self.add_kra_connector(subsystem, ca_url)
>   File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 4207, in add_kra_connector
>     subprocess.check_call(cmd)
>   File "/usr/lib64/python3.9/subprocess.py", line 373, in check_call
>     raise CalledProcessError(retcode, cmd)
> 2025-05-05T07:16:07Z CRITICAL Failed to configure KRA instance
> 2025-05-05T07:16:07Z CRITICAL See the installation logs and the following files/directories for more information:
> 2025-05-05T07:16:07Z CRITICAL /var/log/pki/pki-tomcat
> 2025-05-05T07:16:07Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/krainstance.py", line 250, in __spawn_instance
>     DogtagInstance.spawn_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 609, in handle_setup_error
>     raise RuntimeError(
> RuntimeError: KRA configuration failed.
> 2025-05-05T07:16:07Z DEBUG [error] RuntimeError: KRA configuration failed.
> 2025-05-05T07:16:07Z DEBUG Removing /var/lib/ipa/tmp-95xism1v
> 2025-05-05T07:16:07Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
> 2025-05-05T07:16:07Z ERROR Your system may be partly configured. If you run into issues, you may have to re-install IPA on this server.
> 2025-05-05T07:16:07Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 219, in execute
>     return_value = self.run()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_kra_install.py", line 241, in run
>     kra.install(api, config, self.options, custodia=custodia)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/kra.py", line 162, in install
>     kra.configure_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/krainstance.py", line 150, in configure_instance
>     self.start_creation(runtime=120)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
>     method()
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/krainstance.py", line 250, in __spawn_instance
>     DogtagInstance.spawn_instance(
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 609, in handle_setup_error
>     raise RuntimeError(
> 2025-05-05T07:16:07Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: KRA configuration failed.
> 2025-05-05T07:16:07Z ERROR KRA configuration failed.
> 2025-05-05T07:16:07Z ERROR The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
>
> Seems to be the same as before...
> Bernard LHEUREUX
> Linux & System Engineer
> win.be
>
> -----Original Message-----
> From: Rob Crittenden <rcrit...@redhat.com>
> Sent: Friday, 2 May 2025 14:34
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: LHEUREUX Bernard <bernard.lheur...@staff.win.be>
> Subject: Re: [Freeipa-users] Impossible to install a KRA replicate with FreeIPA version 4.12.2-1 (RHEL9)
>
> LHEUREUX Bernard via FreeIPA-users wrote:
>> Hello all,
>>
>> I am desperately trying to migrate my infrastructure containing 3 FreeIPA Servers 4.9.13-16 running under RHEL8 without any problems. For this I completely uninstall server3, remove it from the FreeIPA infrastructure, and then install a fresh new RHEL9 FreeIPA machine with version 4.12.2-1. The "ipa-replica-install --setup-ca --setup-dns --auto-forwarders --auto-reverse" works perfectly well, then I try the ipa-replica-install, but constantly get an error…
>>
>> The /var/log/ipaserver-kra-install.log gives:
>>
>> "Error" : "Unable to add KRA connector for https://server3.domain.local:8443: KRA connector already exists"
>>
>> I found a similar problem on that page, https://forums.rockylinux.org/t/freeipa-kra-install-fails-on-rocky-9-replica-from-rocky-8-cluster/18187/2
>> I tried, but that didn't solve the issue…
>>
>> Could you help me find a solution?
>
> I'd start by removing the new RHEL 9 replica (ipa server-del) and running:
>
> pki securitydomain-show
>
> on a different server. You should be prompted about an untrusted certificate. Select y to trust it. Look in the output to see if server3 is listed.
> If it does, and particularly if the KRA is listed, you can remove those old entries using the directions at https://rcritten.wordpress.com/2023/04/28/dogtag-pki-security-domain-management/
>
> rob

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
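Florence's workaround is to fix CS.cfg on the master, and Bernard reports that the same change was needed on every other CA server before ipa-kra-install succeeded. The script below is an added example, not code from this thread, from FreeIPA or from Dogtag: it reads a CA's CS.cfg, lists the hosts registered as KRA connectors, flags any that do not match the KRAs the operator knows are live (for instance the KRA entries shown by "pki securitydomain-show"), and prints the host line that would remain once the stale entries are dropped. It assumes Dogtag's ca.connector.KRA.* key layout, in particular that ca.connector.KRA.host holds one or more "host:port" entries separated by spaces; the CS.cfg fragment and the hostnames embedded in it are constructed sample data, so check the assumption against your own /etc/pki/pki-tomcat/ca/CS.cfg before acting on the output.

```python
"""Pre-flight check for stale KRA connector hosts in a Dogtag CA CS.cfg.

Added example, not code from the thread, FreeIPA or Dogtag. It assumes the
ca.connector.KRA.* key layout of /etc/pki/pki-tomcat/ca/CS.cfg, in particular
that ca.connector.KRA.host carries one or more "host:port" entries separated
by spaces. All hostnames below are constructed sample data.
"""
import sys
from pathlib import Path

# Constructed CS.cfg fragment: the CA still lists the reinstalled server3 as a
# KRA connector host, which is the state in which a fresh
# "pki ca-kraconnector-add" fails with "KRA connector already exists".
SAMPLE_CS_CFG = """\
ca.connector.KRA.enable=true
ca.connector.KRA.host=server1.domain.net:8443 server3.domain.net:8443
ca.connector.KRA.local=false
ca.connector.KRA.nickName=subsystemCert cert-pki-ca
ca.connector.KRA.port=8443
ca.connector.KRA.timeout=30
ca.connector.KRA.uri=/kra/agent/kra/connector
"""

HOST_KEY = "ca.connector.KRA.host"  # assumed Dogtag key name


def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines into a dict; comments and blanks are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def kra_connector_hosts(cfg):
    """Return the host:port entries registered as KRA connectors."""
    return cfg.get(HOST_KEY, "").split()


def stale_hosts(cfg, live_kra_hosts):
    """Return connector entries whose hostname is not a KRA the operator
    knows to be live (e.g. the KRA entries of "pki securitydomain-show")."""
    live = {h.lower() for h in live_kra_hosts}
    return [entry for entry in kra_connector_hosts(cfg)
            if entry.rsplit(":", 1)[0].lower() not in live]


def remove_hosts(text, entries_to_remove):
    """Return CS.cfg text with the given host:port entries dropped from
    ca.connector.KRA.host; every other line passes through unchanged so the
    result can be diffed against the original before it is written back."""
    drop = set(entries_to_remove)
    out = []
    for line in text.splitlines():
        if line.startswith(HOST_KEY + "="):
            kept = [h for h in line.partition("=")[2].split() if h not in drop]
            line = HOST_KEY + "=" + " ".join(kept)
        out.append(line)
    return "\n".join(out) + "\n"


def main(argv):
    # Usage: check_kra_connector.py CS.cfg live-kra-host [live-kra-host ...]
    # With no arguments the constructed sample above is analysed.
    if len(argv) >= 3:
        text, live = Path(argv[1]).read_text(), argv[2:]
    else:
        text, live = SAMPLE_CS_CFG, ["server1.domain.net"]
    cfg = parse_cs_cfg(text)
    stale = stale_hosts(cfg, live)
    print("KRA connector hosts:", kra_connector_hosts(cfg))
    print("stale entries:", stale)
    if stale:
        # Only print the proposed line: back up CS.cfg, edit it by hand,
        # then restart the instance ("ipactl restart") as in the thread.
        proposed = parse_cs_cfg(remove_hosts(text, stale))
        print("proposed %s=%s" % (HOST_KEY, proposed.get(HOST_KEY, "")))
    return 1 if stale else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against each CA server's CS.cfg, not just the master: Bernard's follow-up shows the stale entry had to be cleared on every server providing a CA, and the non-zero exit status makes the check easy to gate a retry of ipa-kra-install on.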