Hi,
On Mon, May 5, 2025 at 9:25 AM LHEUREUX Bernard via FreeIPA-users <[email protected]> wrote:
> Hi Rob and all !
>
> That partly helped me, indeed I had an untrusted certificate, now
> corrected, I followed your instructions and tried to reinstall completely
> server3, but I always get a failure when ipa-kra-install is launched:
>
> The /var/log/ipaserver-kra-install.log shows:
>
> INFO: HTTP response: HTTP/1.1 200 OK
> FINE: - Date: Mon, 05 May 2025 07:16:07 GMT
> FINE: - Server: Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2
> mod_auth_gssapi/1.6.3 mod_wsgi/4.7.1 Python/3.9
> FINE: - Content-Type: application/json
> FINE: - Vary: Accept-Encoding
> FINE: - Keep-Alive: timeout=30, max=99
> FINE: - Connection: Keep-Alive
> FINE: - Transfer-Encoding: chunked
> FINE: Response:
> {
> "Response" : {
> "Status" : "1",
> "Error" : "Unable to add KRA connector for
> https://server3.domain.net:8443: KRA connector already exists"
> }
> }
> FINE: CAClient: Response: {
> "Response" : {
> "Status" : "1",
> "Error" : "Unable to add KRA connector for https://
> server3.domain.net:8443: KRA connector already exists"
> }
> }
>
This looks a lot like this issue: https://pagure.io/freeipa/issue/9692
The workaround is to update the file /etc/pki/pki-tomcat/ca/CS.cfg on the
master. Please read https://pagure.io/freeipa/issue/9692#comment-941843
- remove the failed replica using "ipa server-del <name>" on the master
- uninstall the failed replica with "ipa-server-install --uninstall"
- fix the CS.cfg file on the master
- retry the replica installation
flo
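The "fix the CS.cfg file on the master" step above, as an added example that is not from this thread nor from the FreeIPA or Dogtag projects: a small Python helper that looks for a deleted replica's stale host:port in the master's ca.connector.KRA.host setting and drops it, disabling the connector when no KRA host is left. The key names, the bare-host-plus-port form for a single KRA and the space-separated host:port list for several KRAs are Dogtag CA conventions assumed here (the linked issue comment is not reproduced), and the CS.cfg fragment is constructed.

```python
"""Drop a stale KRA connector host from a Dogtag CA CS.cfg.
After a replica that ran a KRA is deleted, the master's CS.cfg can still list
that host under ca.connector.KRA.host, so the next ipa-kra-install fails with
"KRA connector already exists". Assumed (not stated in the thread): Dogtag
stores one KRA as a bare hostname plus ca.connector.KRA.port, and several
KRAs as space-separated host:port pairs."""
from pathlib import Path

PREFIX = "ca.connector.KRA"

def remove_connector_host(cfg_text: str, stale: str) -> tuple[str, bool]:
    """Return (new_text, changed) with `stale` (host:port) dropped from the list.
    When the last host goes, the connector is disabled rather than left empty."""
    pairs = [line.partition("=") for line in cfg_text.splitlines()]
    cfg = {k.strip(): v.strip() for k, eq, v in pairs if eq}
    hosts = cfg.get(PREFIX + ".host", "").split()
    port = cfg.get(PREFIX + ".port", "8443")  # Dogtag's default HTTPS port
    kept = [h for h in hosts if (h if ":" in h else f"{h}:{port}") != stale]
    if kept == hosts:
        return cfg_text, False  # nothing stale: leave the file untouched
    out = []
    for k, eq, v in pairs:
        key = k.strip() if eq else None
        if key == PREFIX + ".host":
            out.append(f"{PREFIX}.host={' '.join(kept)}")
        elif key == PREFIX + ".enable" and not kept:
            out.append(f"{PREFIX}.enable=false")
        else:
            out.append(k + eq + v)  # unrelated line, reproduced verbatim
    return "\n".join(out) + "\n", True

def fix_cs_cfg(path: Path, stale: str) -> bool:
    """Back up CS.cfg beside itself (CS.cfg.bak), rewrite it, report if changed."""
    new_text, changed = remove_connector_host(path.read_text(), stale)
    if changed:
        path.with_name(path.name + ".bak").write_bytes(path.read_bytes())
        path.write_text(new_text)
    return changed

# Constructed CS.cfg fragment (not from the thread's logs): server3 was removed
# from the topology but its connector entry survived on the master.
SAMPLE_CFG = """ca.connector.KRA.enable=true
ca.connector.KRA.host=server1.domain.net:8443 server3.domain.net:8443
ca.connector.KRA.port=8443
ca.connector.KRA.uri=/kra/agent/kra/connector
"""
```

Stop pki-tomcatd@pki-tomcat before running fix_cs_cfg on /etc/pki/pki-tomcat/ca/CS.cfg and start it again afterwards, and keep the .bak the helper writes until the replica install has succeeded.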
> FINE: CAClient: status: 1
> java.lang.NullPointerException: Cannot invoke
> "com.fasterxml.jackson.databind.JsonNode.asText()" because the return value
> of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null
> at com.netscape.certsrv.ca
> .CAClient.addKRAConnector(CAClient.java:129)
> at
> com.netscape.cmstools.system.KRAConnectorAddCLI.execute(KRAConnectorAddCLI.java:220)
> at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
> at org.dogtagpki.cli.CLI.execute(CLI.java:353)
> at org.dogtagpki.cli.CLI.execute(CLI.java:353)
> at
> com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
> at org.dogtagpki.cli.CLI.execute(CLI.java:353)
> at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
> at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
> ERROR: CalledProcessError: Command '['pki', '-d',
> '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf',
> '-U', 'https://server3.domain.net:443', '--ignore-banner',
> 'ca-kraconnector-add', '--url',
> 'https://server3.domain.net:8443/kra/agent/kra/connector', '--subsystem-cert',
> '/tmp/tmpwepujwad/subsystem.crt', '--transport-cert',
> '/tmp/tmpwepujwad/transport.crt', '--transport-nickname', 'transportCert
> cert-pki-kra', '--install-token', '/tmp/tmpwepujwad/install-token',
> '--debug']' returned non-zero exit status 255.
> File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line
> 568, in main
> deployer.spawn()
> File
> "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line
> 4985, in spawn
> scriptlet.spawn(self)
> File
> "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py",
> line 197, in spawn
> deployer.finalize_subsystem(subsystem)
> File
> "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line
> 4772, in finalize_subsystem
> self.finalize_kra(subsystem)
> File
> "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line
> 4654, in finalize_kra
> self.add_kra_connector(subsystem, ca_url)
> File
> "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line
> 4207, in add_kra_connector
> subprocess.check_call(cmd)
> File "/usr/lib64/python3.9/subprocess.py", line 373, in check_call
> raise CalledProcessError(retcode, cmd)
>
>
> 2025-05-05T07:16:07Z CRITICAL Failed to configure KRA instance
> 2025-05-05T07:16:07Z CRITICAL See the installation logs and the following
> files/directories for more information:
> 2025-05-05T07:16:07Z CRITICAL /var/log/pki/pki-tomcat
> 2025-05-05T07:16:07Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
> line 686, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
> line 672, in run_step
> method()
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/krainstance.py", line
> 250, in __spawn_instance
> DogtagInstance.spawn_instance(
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py",
> line 227, in spawn_instance
> self.handle_setup_error(e)
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py",
> line 609, in handle_setup_error
> raise RuntimeError(
> RuntimeError: KRA configuration failed.
>
> 2025-05-05T07:16:07Z DEBUG [error] RuntimeError: KRA configuration
> failed.
> 2025-05-05T07:16:07Z DEBUG Removing /var/lib/ipa/tmp-95xism1v
> 2025-05-05T07:16:07Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
> 2025-05-05T07:16:07Z ERROR
> Your system may be partly configured.
> If you run into issues, you may have to re-install IPA on this server.
>
> 2025-05-05T07:16:07Z DEBUG File
> "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 219, in
> execute
> return_value = self.run()
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_kra_install.py",
> line 241, in run
> kra.install(api, config, self.options, custodia=custodia)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/kra.py", line
> 162, in install
> kra.configure_instance(
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/krainstance.py", line
> 150, in configure_instance
> self.start_creation(runtime=120)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
> line 686, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py",
> line 672, in run_step
> method()
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/krainstance.py", line
> 250, in __spawn_instance
> DogtagInstance.spawn_instance(
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py",
> line 227, in spawn_instance
> self.handle_setup_error(e)
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py",
> line 609, in handle_setup_error
> raise RuntimeError(
>
> 2025-05-05T07:16:07Z DEBUG The ipa-kra-install command failed, exception:
> RuntimeError: KRA configuration failed.
> 2025-05-05T07:16:07Z ERROR KRA configuration failed.
> 2025-05-05T07:16:07Z ERROR The ipa-kra-install command failed. See
> /var/log/ipaserver-kra-install.log for more information
>
>
> Seems to be the same as before...
>
> Bernard LHEUREUX
> Linux & System Engineer
> win.be
>
>
>
>
>
>
> -----Original Message-----
> From: Rob Crittenden <[email protected]>
> Sent: Friday, May 2, 2025 14:34
> To: FreeIPA users list <[email protected]>
> Cc: LHEUREUX Bernard <[email protected]>
> Subject: Re: [Freeipa-users] Impossible to install a KRA replicate with
> FreeIPA version 4.12.2-1 (RHEL9)
>
> LHEUREUX Bernard via FreeIPA-users wrote:
> > Hello all,
> >
> >
> >
> > I am desperately trying to migrate my infrastructure containing 3 FreeIPA
> > Servers 4.9.13-16 running under RHEL8 without any problems. For this I
> > completely uninstalled server3, removed it from the FreeIPA
> > infrastructure, and then installed a fresh new RHEL9 FreeIPA machine
> > with version 4.12.2-1. The “ipa-replica-install --setup-ca
> > --setup-dns --auto-forwarders --auto-reverse” works perfectly well,
> > then I try the ipa-replica-install, but constantly get an error…
> >
> >
> >
> > The /var/log/ipaserver-kra-install.log gives:
> >
> > "Error" : "Unable to add KRA connector for
> > https://server3.domain.local:8443: KRA connector already exists"
> >
> >
> >
> > I found a similar problem in that page,
> > https://forums.rockylinux.org/t/freeipa-kra-install-fails-on-rocky-9-r
> > eplica-from-rocky-8-cluster/18187/2
> > I tried, but that didn’t solve the issue…
> >
> > Could you help me find a solution?
>
> I'd start by removing the new RHEL 9 replica (ipa server-del) and
> running: pki securitydomain-show on a different server. You should be
> prompted about an untrusted certificate. Select y to trust it.
>
> Look in the output to see if server3 is listed. If it is, and
> particularly if the KRA is listed, you can remove those old entries
> using the directions at
> https://rcritten.wordpress.com/2023/04/28/dogtag-pki-security-domain-management/
>
> rob
>
>
>
>
> ________________________________
> 1/ In accordance with our ISO 27001 certification, this message and any
> attachment are the exclusive property of Win. The information contained in
> this e-mail may be confidential and therefore protected from any
> disclosure. If you have received this communication in error, please
> inform us immediately by replying to this message and deleting it from
> your computer, without copying or disclosing it.
> 2/ Acceptance of any commercial offer (whatever its medium) implies
> agreement with the descriptions (in particular the technical ones) inherent
> to the solutions offered, as well as with Win's general terms and conditions
> of sale, available at https://www.win.be/cgv
> DISCLAIMER: https://www.win.be/fr-win/disclaimer.htm
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>