Stupid Question... Where should I go to file a bug on centos stream? I
know for fedora or rhel, but not this one....
Please open it against RHEL 8 as this is where it needs to be fixed in
the first place.
Thanks
On Wed, 2021-12-15 at 09:56 +0100, Antoine Gatineau via FreeIPA-users wrote:
> On Wed, 2021-12-15 at 10:49 +0200, Alexander Bokovoy via FreeIPA-users wrote:
> > Hi Antoine,
> >
> > On ke, 15 joulu 2021, Antoine Gatineau via FreeIPA-users wrote:
> > > Hi,
> > >
> > > This message was probably missed in all the log4shell exchanges.
> > > Any hint on how to rebuild the RA certificate with a newer algorythm before
migrating to Centos Stream 9?
> >
> > The error you have is this:
> >
> > ----------------------------------------------------------
> > Error outputting keys
> > andcertificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
> > routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
> > default library context, Algorithm (RC2-40-CBC : 0), Properties()
> > ----------------------------------------------------------
> >
> > This is produced by an OpenSSL 3.0.0 which does not have support for
> > legacy ciphers by default. This legacy cipher (RC2-40-CBC) was used by
> > PKI releases prior to
> >
https://bugzilla.redhat.com/show_bug.cgi?id=1975406 was fixed.
> >
> > Since in the CA replica installation case we get RA agent key transferred
> > securely from CA master, this key would be the one encrypted on CentOS
> > Stream 8 and would still use RC2-40-CBC, thus making it impossible to
> > consume on OpenSSL 3.0.0-enabled system.
> >
> > I think we need a bug against IPA to re-encrypt this key on 'earlier'
> > system before 'newer' one could be deployed. Adding Christian for
> > visibility.
> >
> > Could you please open one?
>
> Thank you for the quick response. I'll file a bug for that.
> Have a good day
> >
> >
> > >
> > > Many thanks
> > >
> > > On Sat, 2021-12-11 at 16:56 +0100, Antoine Gatineau via FreeIPA-users
wrote:
> > > >
> > > > Hello,
> > > >
> > > > I have currently a 2 node cluster running on CentOS Stream 8. In order
to upgrade to CentOS 9, I have removed one of the replica
> > > > from
> > > > the
> > > > configuration, installed a fresh centos stream 9 and run
ipa-replica-install.
> > > > It fails with this error (full log attached):
> > > > [22/29]: Importing RA key
> > > > Error storing key "keys/ra/ipaCert":
CalledProcessError(Command ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent',
'--import', '-']
> > > > returned non-zero exit status 1: 'Traceback (most recent call
last):\n File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line
> > > > 8, in
> > > > <module>\n main(ra_agent_parser())\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line
114, in
> > > > main\n
> > > > common.main(parser, export_key, import_key)\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py", line
> > > > 73,
> > > > in
> > > > main\n func(args, tmpdir, **kwargs)\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line
69, in
> > > > import_key\n ipautil.run(cmd, umask=0o027)\n File
"/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run\n
> > > > raise
> > > > CalledProcessError(\nipapython.ipautil.CalledProcessError:
CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\',
\'-in\',
> > > > \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\',
\'-nokeys\', \'-out\', \'/var/lib/ipa/ra-agent.pem\',
\'-password\',
> > > > \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit
status 1: \'Error outputting keys and
> > > > certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
> > > >
routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default
library context, Algorithm (RC2-40-CBC : 0),
> > > > Properties ()\\n\')\n')
> > > > [error] FileNotFoundError: [Errno 2] No such file or directory:
'/var/lib/ipa/ra-agent.key'
> > > > Your system may be partly configured.
> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > >
> > > > What can I do to make this upgrade work?
> > > > Looks like an unsupported algorithm for the RA key. I tried "sudo
update-crypto-policies --set LEGACY" without success.
> > > >
> > > >
> > > > Thank you
> > > > _______________________________________________
> > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > > Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
> > >
> > > --
> > > Antoine GatineauFreelance IT Consultant
> > > Phone: +32 499 50 80 04
> > >
Web: https://infra-monkey.com
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
> >
> >
> >
> > --
> > / Alexander Bokovoy
> > Sr. Principal Software Engineer
> > Security / Identity Management Engineering
> > Red Hat Limited, Finland
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
>
> --
> Antoine GatineauFreelance IT Consultant
> Phone: +32 499 50 80 04
>
Web: https://infra-monkey.com
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Antoine GatineauFreelance IT Consultant
Phone: +32 499 50 80 04
Web: https://infra-monkey.com
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland