Hi,

On Mon, Jul 4, 2022 at 5:07 PM Ivars Strazdins via FreeIPA-users <
[email protected]> wrote:

> Hi guys,
> I am installing IPA replica on RHEL9 (well, Alma Linux 9 actually) and got
> exactly the same issue as here:
> https://access.redhat.com/discussions/6961739
> And similarly to the poster of that issue, also my IPA master server is
> IPA 4.6.8 on Centos7.
>
> I was trying to migrate IPA to a newer version by using Alma Linux 9.
> I removed Centos 7 replica and tried to install Alma Linux 9 replica. IPA
> client was installed without issues.
> No SELinux alerts.
> Content of /var/lib/ipa folder:
>
> [root@fricka ~]# ls /var/lib/ipa
>
> backup  certs  gssproxy  passwds  pki-ca  private  ra-agent.pem  sysrestore  
> sysupgrade
>
>
> Any suggestions how this could be resolved?
> Thank you in advance,
> Ivars
>
> Log of replica install:
> ….
> Starting replication, please wait until this has completed.
> Update in progress, 9 seconds elapsed
> Update succeeded
>
>   [3/30]: creating ACIs for admin
>   [4/30]: creating installation admin user
>   [5/30]: configuring certificate server instance
>   [6/30]: stopping certificate server instance to update CS.cfg
>   [7/30]: backing up CS.cfg
>   [8/30]: Add ipa-pki-wait-running
>   [9/30]: secure AJP connector
>   [10/30]: reindex attributes
>   [11/30]: exporting Dogtag certificate store pin
>   [12/30]: disabling nonces
>   [13/30]: set up CRL publishing
>   [14/30]: enable PKIX certificate path discovery and validation
>   [15/30]: authorizing RA to modify profiles
>   [16/30]: authorizing RA to manage lightweight CAs
>   [17/30]: Ensure lightweight CAs container exists
>   [18/30]: Ensuring backward compatibility
>   [19/30]: destroying installation admin user
>   [20/30]: starting certificate server instance
>   [21/30]: Finalize replication settings
>   [22/30]: configure certmonger for renewals
>   [23/30]: Importing RA key
> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
> ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
> returned non-zero exit status 1: 'Traceback (most recent
> call last):\n  File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line
> 8, in <module>\n    main(ra_agent_parser())\n  File
> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
> line 114, in main\n    common.main(parser, export_key, import_key)\n  File
> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py",
> line 73, in main\n    func(args, tmpdir,
> **kwargs)\n  File 
> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
> line 69, in import_key\n    ipautil.run(cmd, umask=0o027)\n  File
> "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
> run\n    raise CalledProcessError(\nipapython.ipautil.CalledProcessError:
> CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
> \'/tmp/tmp5koo8ca2/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
> \'/var/lib/ipa/ra-agent.pem\', \'-password\',
> \'file:/tmp/tmp5koo8ca2/passwd\'] returned non-zero exit status 1: \'Error
> outputting keys and certificates\\n802B104A807F0000:error:0308010C:digital
> envelope
> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global
> default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')
>   [error] FileNotFoundError: [Errno 2] No such file or directory:
> '/var/lib/ipa/ra-agent.key'
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
>
This error looks like issue #9101 [1] / BZ #2032806 [2].
To be able to install a RHEL9 replica, I think you will have to install
first a RHEL8 replica (or CentOS8, but a version with the fix for #9101),
then install the RHEL9 replica from the RHEL8 replica.

HTH,
flo

[1] https://pagure.io/freeipa/issue/9101
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2032806


> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
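Added example (not part of the original messages and not FreeIPA code): a small shell triage for the failure signature in the quoted log. It extracts the algorithm name from OpenSSL 3 `inner_evp_generic_fetch:unsupported` errors and marks those that OpenSSL 3 ships only in its legacy provider, as is the case for RC2-40-CBC. The function names, the partial algorithm list and the sample log text are constructed for illustration.

```shell
#!/bin/sh
# Print each distinct algorithm named in an OpenSSL 3 "unsupported" fetch error.
unsupported_algs() {
    grep 'inner_evp_generic_fetch:unsupported' "$1" |
        sed -n 's/.*Algorithm (\([A-Za-z0-9_-]*\) : [0-9]*).*/\1/p' |
        sort -u
}

# Classify a name: algorithms OpenSSL 3 provides only via its "legacy"
# provider (partial list, enough for old PKCS#12 defaults) versus anything else.
classify_alg() {
    case "$1" in
        RC2-*|RC4*|BF-*|CAST5-*|IDEA-*|SEED-*|MD4) echo legacy-provider ;;
        *) echo other ;;
    esac
}

# One line per algorithm: "<name> <class>". Returns 0 only if a legacy one was seen.
triage() {
    found=1
    for alg in $(unsupported_algs "$1"); do
        class=$(classify_alg "$alg")
        echo "$alg $class"
        if [ "$class" = legacy-provider ]; then found=0; fi
    done
    return $found
}

# Constructed sample, modeled on the installer output quoted in this thread.
write_sample() {
    cat > "$1" <<'EOF'
  [23/30]: Importing RA key
Error outputting keys and certificates\\n802B104A807F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n
  [error] FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
EOF
}

log=$(mktemp)
write_sample "$log"
triage "$log" || echo "no legacy-provider algorithm errors found"
rm -f "$log"
```

On a real replica, point `triage` at `/var/log/ipareplica-install.log`, the log file named in the error message above.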