Great, thanks for the update!

On Wed, Jul 6, 2022 at 4:37 PM Ivars Strazdins <[email protected]> wrote:

> Hi Florence,
> followed the advice and installed RHEL 8 replica first (Alma Linux 8.6),
> then from that went to RHEL 9 (Alma Linux 9.0) and all is good now.
> In more detail, I had 3 replicas:
>
> Beginning:
> R1 (Centos 7), R2 (Centos 7), R3 (Centos 7)
>
> After Step 1, upgrade R2 to Alma Linux 8.6
> R1 (Centos 7), R2 (Alma Linux 8.6), R3 (Centos 7)
>
> After Step 2, upgrade R1 to Alma Linux 9.0
> R1 (Alma Linux 9.0), R2 (Alma Linux 8.6), R3 (Centos 7)
>
> After Step 3, upgrade R2 to Alma Linux 9.0
> R1 (Alma Linux 9.0), R2 (Alma Linux 9.0), R3 (Centos 7)
>
> After Step 4, drop Centos 7
> R1 (Alma Linux 9.0), R2 (Alma Linux 9.0)
>
> Thanks!
> Ivars
>
> On 5 Jul 2022, at 09:33, Florence Blanc-Renaud <[email protected]> wrote:
>
> Hi,
>
> On Mon, Jul 4, 2022 at 5:07 PM Ivars Strazdins via FreeIPA-users <
> [email protected]> wrote:
>
>> Hi guys,
>> I am installing IPA replica on RHEL9 (well, Alma Linux 9 actually) and
>> got exactly the same issue as here:
>> https://access.redhat.com/discussions/6961739
>> And similarly to the poster of that issue, also my IPA master server is
>> IPA 4.6.8 on Centos7.
>>
>> I was trying to migrate IPA to a newer version by using Alma Linux 9.
>> I removed Centos 7 replica and tried to install Alma Linux 9 replica. IPA
>> client was installed without issues.
>> No SELinux alerts.
>> Content of /var/lib/ipa folder:
>>
>> [root@fricka ~]# ls /var/lib/ipa
>>
>> backup certs gssproxy passwds pki-ca private ra-agent.pem sysrestore
>> sysupgrade
>>
>>
>> Any suggestions how this could be resolved?
>> Thank you in advance,
>> Ivars
>>
>> Log of replica install:
>> ….
>> Starting replication, please wait until this has completed.
>> Update in progress, 9 seconds elapsed
>> Update succeeded
>>
>> [3/30]: creating ACIs for admin
>> [4/30]: creating installation admin user
>> [5/30]: configuring certificate server instance
>> [6/30]: stopping certificate server instance to update CS.cfg
>> [7/30]: backing up CS.cfg
>> [8/30]: Add ipa-pki-wait-running
>> [9/30]: secure AJP connector
>> [10/30]: reindex attributes
>> [11/30]: exporting Dogtag certificate store pin
>> [12/30]: disabling nonces
>> [13/30]: set up CRL publishing
>> [14/30]: enable PKIX certificate path discovery and validation
>> [15/30]: authorizing RA to modify profiles
>> [16/30]: authorizing RA to manage lightweight CAs
>> [17/30]: Ensure lightweight CAs container exists
>> [18/30]: Ensuring backward compatibility
>> [19/30]: destroying installation admin user
>> [20/30]: starting certificate server instance
>> [21/30]: Finalize replication settings
>> [22/30]: configure certmonger for renewals
>> [23/30]: Importing RA key
>> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
>> ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
>> returned non-zero exit status 1: 'Traceback (most recent
>> call last):\n File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line
>> 8, in <module>\n main(ra_agent_parser())\n File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 114, in main\n common.main(parser, export_key, import_key)\n File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py",
>> line 73, in main\n func(args, tmpdir,
>> **kwargs)\n File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 69, in import_key\n ipautil.run(cmd, umask=0o027)\n File
>> "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
>> run\n raise CalledProcessError(\nipapython.ipautil.CalledProcessError:
>> CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
>> \'/tmp/tmp5koo8ca2/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
>> \'/var/lib/ipa/ra-agent.pem\', \'-password\',
>> \'file:/tmp/tmp5koo8ca2/passwd\'] returned non-zero exit status 1: \'Error
>> outputting keys and certificates\\n802B104A807F0000:error:0308010C:digital
>> envelope
>> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global
>> default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')
>> [error] FileNotFoundError: [Errno 2] No such file or directory:
>> '/var/lib/ipa/ra-agent.key'
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
>> The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>>
> This error looks like issue #9101 [1] / BZ #2032806 [2].
> To be able to install a RHEL9 replica, I think you will have to install
> first a RHEL8 replica (or CentOS8, but a version with the fix for #9101),
> then install the RHEL9 replica from the RHEL8 replica.
>
> HTH,
> flo
>
> [1] https://pagure.io/freeipa/issue/9101
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=2032806
>
>
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure
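Added example, not part of the original thread and not FreeIPA code: a small triage script that pulls OpenSSL 3.x error-queue lines out of a replica-install log and flags the case quoted above, where the requested cipher (RC2-40-CBC) is served only by OpenSSL's legacy provider and not by the default one. The names `triage`, `is_legacy_cipher` and `SAMPLE_LOG` are hypothetical, and the sample is constructed from the log lines in the thread with the mail wrapping removed and the traceback abridged.

```python
import re

# OpenSSL 3.x error-queue line:
# <thread>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:<data>
OSSL_ERR = re.compile(
    r"(?P<tid>[0-9A-F]{8,16}):error:(?P<code>[0-9A-F]{8}):(?P<lib>[^:]+):"
    r"(?P<func>[^:]+):(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):"
    r"(?P<data>[^\\\n]*)"
)
ALGORITHM = re.compile(r"Algorithm \(([A-Za-z0-9-]+) : \d+\)")

# Cipher families that OpenSSL 3.x ships only in its "legacy" provider.
LEGACY_FAMILIES = {"RC2", "RC4", "RC5", "BF", "CAST5", "IDEA", "SEED", "DESX"}


def is_legacy_cipher(name):
    n = name.upper()
    if n.startswith("DES-") and not n.startswith("DES-EDE"):
        return True  # single DES is legacy; 3DES (DES-EDE*) is not
    return n.split("-")[0] in LEGACY_FAMILIES


def triage(log_text):
    """Return one finding per OpenSSL error line found in log_text."""
    findings = []
    for m in OSSL_ERR.finditer(log_text):
        alg = ALGORITHM.search(m["data"])
        name = alg.group(1) if alg else None
        findings.append({
            "function": m["func"],
            "reason": m["reason"],
            "algorithm": name,
            "needs_legacy_provider": (
                m["reason"] == "unsupported"
                and name is not None
                and is_legacy_cipher(name)
            ),
        })
    return findings


# Constructed sample (abridged from the log quoted in the thread).
SAMPLE_LOG = r"""
  [23/30]: Importing RA key
Error storing key "keys/ra/ipaCert": CalledProcessError(... \'Error outputting keys and certificates\\n802B104A807F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')
  [error] FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
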
