Correct, but that's a problem. It seems like the RHEL 9 server is not able to make a replica with RHEL 9. Only one of the two old Stream 8 servers works.

Alex

On Tue, Feb 7, 2023, 21:50 Florence Blanc-Renaud <[email protected]> wrote:

> Hi,
>
> the issue really looks similar to
> - 1998016 <https://bugzilla.redhat.com/show_bug.cgi?id=1998016> RA key
> import failing during pki instance creation on RHEL9.0 replica from RHEL8.4
> server
> - 2032806 <https://bugzilla.redhat.com/show_bug.cgi?id=2032806> - Error
> replacing a replica with CentOS Stream 9
> The fix requires an update of both pki and ipa packages.
>
> flo
>
> On Mon, Feb 6, 2023 at 4:21 AM alexey safonov via FreeIPA-users <
> [email protected]> wrote:
>
>> I have 5 servers on CentOS 8 stream, and while trying to update to
>> Rocky 9.1 I found that re-creating new replicas is successful only
>> with one server. And the others provide an error
>>
>> It fails with this error (full log attached):
>> [22/29]: Importing RA key
>> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
>> ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
>> returned non-zero exit status 1: 'Traceback (most recent call last):\n
>> File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in
>> <module>\n main(ra_agent_parser())\n File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 114, in main\n
>> common.main(parser, export_key, import_key)\n File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py",
>> line 73, in
>> main\n func(args, tmpdir, **kwargs)\n File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 69, in
>> import_key\n ipautil.run(cmd, umask=0o027)\n File
>> "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
>> run\n raise
>> CalledProcessError(\nipapython.ipautil.CalledProcessError:
>> CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
>> \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
>> \'/var/lib/ipa/ra-agent.pem\', \'-password\',
>> \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
>> \'Error outputting keys and
>> certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
>> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
>> default library context, Algorithm (RC2-40-CBC : 0),
>> Properties ()\\n\')\n')
>> [error] FileNotFoundError: [Errno 2] No such file or directory:
>> '/var/lib/ipa/ra-agent.key'
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> So currently, I'm in a situation where I have servers:
>> A,B - CentOS8
>> C,D,E - RHEL9
>>
>> I know that only when I'm mastering with server B the recreation of
>> replica will be successful. Even with the new server on RHEL9.1 no
>> replica will be created due to custodia error.
>>
>> Any ideas on how to fix that?
>>
>> pki-ca on server A - 10.12.0.3
>> server B - 10.12.0.2
>> C,D,E - 11.2.1.1
>>
>> ipa on A, B - 4.9.8.2
>> C,D,E - 4.10.0.7
>>
>> I'm really worried about why only creating a replica with server B works.
>>
>> Alex
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
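A triage helper for the failure quoted above, as an added example that is not part of the thread or of FreeIPA's code: it extracts the algorithm name from an OpenSSL 3 `inner_evp_generic_fetch:unsupported` error and flags whether it belongs to a family that OpenSSL 3 ships only in its legacy provider. The function names, the prefix list, and the sample text (constructed from the error string in the message) are assumptions of this example.

```python
import re

# Algorithm families that OpenSSL 3.x provides only through the "legacy"
# provider, which is not loaded by default (list assembled for this example).
LEGACY_PREFIXES = ("RC2", "RC4", "RC5", "DES", "BF", "CAST5", "IDEA", "SEED",
                   "MD2", "MD4", "MDC2", "WHIRLPOOL")

# Shape of the OpenSSL 3 "unsupported" fetch error as it appears in the log.
UNSUPPORTED_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):unsupported:"
    r"(?P<src>[^:]+):(?P<line>\d+):(?P<ctx>[^,]*), "
    r"Algorithm \((?P<alg>[^ )]+) : \d+\), Properties \((?P<props>[^)]*)\)"
)

def is_legacy(alg):
    """True if the algorithm name belongs to a legacy-provider-only family."""
    name = alg.upper()
    if name.startswith("DES-EDE"):  # triple DES stays in the default provider
        return False
    return name.startswith(LEGACY_PREFIXES)

def find_unsupported_algorithms(log_text):
    """Return one finding per 'unsupported' fetch error found in log_text."""
    flat = re.sub(r"\s+", " ", log_text)  # undo line wrapping inside the log
    return [
        {
            "code": m.group("code"),
            "function": m.group("func"),
            "algorithm": m.group("alg"),
            "legacy": is_legacy(m.group("alg")),
        }
        for m in UNSUPPORTED_RE.finditer(flat)
    ]

# Constructed sample: the error text from the message above, wrapped across lines.
SAMPLE_LOG = """\
Error outputting keys and certificates
80EB2D6B5D7F0000:error:0308010C:digital envelope
 routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
 default library context, Algorithm (RC2-40-CBC : 0), Properties ()
"""

if __name__ == "__main__":
    for finding in find_unsupported_algorithms(SAMPLE_LOG):
        kind = "legacy-provider algorithm" if finding["legacy"] else "other"
        print(f'{finding["algorithm"]}: {kind} (error {finding["code"]})')
```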
