Hi,
On Mon, Jul 4, 2022 at 5:07 PM Ivars Strazdins via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi guys,
I am installing IPA replica on RHEL9 (well, Alma Linux 9 actually) and got
exactly the same issue as here:
https://access.redhat.com/discussions/6961739
And similarly to the poster of that issue, also my IPA master server is
IPA 4.6.8 on Centos7.
I was trying to migrate IPA to a newer version by using Alma Linux 9.
I removed Centos 7 replica and tried to install Alma Linux 9 replica. IPA
client was installed without issues.
No SELinux alerts.
Content of /var/lib/ipa folder:
[root@fricka ~]# ls /var/lib/ipa
backup certs gssproxy passwds pki-ca private ra-agent.pem sysrestore sysupgrade
Any suggestions how this could be resolved?
Thank you in advance,
Ivars
Log of replica install:
….
Starting replication, please wait until this has completed.
Update in progress, 9 seconds elapsed
Update succeeded
[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
[5/30]: configuring certificate server instance
[6/30]: stopping certificate server instance to update CS.cfg
[7/30]: backing up CS.cfg
[8/30]: Add ipa-pki-wait-running
[9/30]: secure AJP connector
[10/30]: reindex attributes
[11/30]: exporting Dogtag certificate store pin
[12/30]: disabling nonces
[13/30]: set up CRL publishing
[14/30]: enable PKIX certificate path discovery and validation
[15/30]: authorizing RA to modify profiles
[16/30]: authorizing RA to manage lightweight CAs
[17/30]: Ensure lightweight CAs container exists
[18/30]: Ensuring backward compatibility
[19/30]: destroying installation admin user
[20/30]: starting certificate server instance
[21/30]: Finalize replication settings
[22/30]: configure certmonger for renewals
[23/30]: Importing RA key
Error storing key "keys/ra/ipaCert": CalledProcessError(Command
['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import',
'-']
returned non-zero exit status 1: 'Traceback (most recent
call last):\n File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line
8, in <module>\n main(ra_agent_parser())\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
line 114, in main\n common.main(parser, export_key, import_key)\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py",
line 73, in main\n func(args, tmpdir,
**kwargs)\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
line 69, in import_key\n ipautil.run(cmd, umask=0o027)\n File
"/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
run\n raise CalledProcessError(\nipapython.ipautil.CalledProcessError:
CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\',
\'-in\',
\'/tmp/tmp5koo8ca2/import.p12\', \'-clcerts\', \'-nokeys\',
\'-out\',
\'/var/lib/ipa/ra-agent.pem\', \'-password\',
\'file:/tmp/tmp5koo8ca2/passwd\'] returned non-zero exit status 1: \'Error
outputting keys and certificates\\n802B104A807F0000:error:0308010C:digital
envelope
routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global
default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')
[error] FileNotFoundError: [Errno 2] No such file or directory:
'/var/lib/ipa/ra-agent.key'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
This error looks like issue #9101 [1] / BZ #2032806 [2].
To be able to install a RHEL9 replica, I think you will have to install
first a RHEL8 replica (or CentOS8, but a version with the fix for #9101),
then install the RHEL9 replica from the RHEL8 replica.
HTH,
flo
[1]
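
The OpenSSL line buried in the traceback above can be decoded mechanically. The following is an added example, not part of the thread and not FreeIPA code: it parses OpenSSL 3 error-queue entries out of the wrapped, escaped install log and reports whether the unsupported algorithm belongs to a cipher family that OpenSSL 3 provides only through its legacy provider. The function names and the (non-exhaustive) family list are assumptions of this example.

```python
import re

# OpenSSL 3 error-queue entry: <thread>:error:<code>:<library>:<function>:<reason>:<file>:<line>:<data>
OSSL_ERROR = re.compile(
    r"(?<![0-9A-Za-z])[0-9A-F]{8,}:error:(?P<code>[0-9A-F]{8}):(?P<library>[^:]+):"
    r"(?P<function>[^:]+):(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):"
    r"(?P<data>.*?)(?=\s[0-9A-F]{8,}:error:|$)"
)
ALGORITHM = re.compile(r"Algorithm \((?P<name>[^\s:)]+)")

# Assumption of this example: a non-exhaustive list of cipher families that
# OpenSSL 3 provides only through its "legacy" provider.
LEGACY_FAMILIES = {"RC2", "RC4", "BF", "CAST5", "IDEA", "SEED"}


def normalize(log_text):
    """Undo mail/log wrapping and the escaped newlines of nested Python reprs."""
    return re.sub(r"(?:\\+n|\s)+", " ", log_text)


def triage(log_text):
    """Return one finding per OpenSSL error-queue entry found in log_text."""
    findings = []
    for m in OSSL_ERROR.finditer(normalize(log_text)):
        alg = ALGORITHM.search(m["data"])
        name = alg["name"] if alg else None
        findings.append({
            "code": m["code"],
            "library": m["library"],
            "function": m["function"],
            "reason": m["reason"],
            "source": f'{m["file"]}:{m["line"]}',
            "algorithm": name,
            "legacy_provider_only": bool(name) and name.split("-")[0] in LEGACY_FAMILIES,
        })
    return findings


# Sample input: tail of the error in the install log above, wrapping and escapes kept.
SAMPLE = r"""\'file:/tmp/tmp5koo8ca2/passwd\'] returned non-zero exit status 1: \'Error
outputting keys and certificates\\n802B104A807F0000:error:0308010C:digital
envelope
routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global
default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run against the full `/var/log/ipareplica-install.log`, a finding with `legacy_provider_only` set points at the PKCS#12 encryption algorithm rather than at file permissions or SELinux.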