So, what is this telling me - which key is messed up - and how??
[root@ipap1 ~]# /usr/libexec/ipa/ipa-custodia-check ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Platform: Linux-3.10.0-957.5.1.el7.x86_64-x86_64-with-redhat-7.6-Maipo
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: IPA version: 4.6.4
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: IPA vendor version: 4.6.4-10.el7_6.2
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Realm: example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Host: ipap1.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Remote server: ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: File '/etc/ipa/default.conf' exists.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: File '/etc/krb5.keytab' exists.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: File '/etc/ipa/custodia/custodia.conf' exists.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: File '/etc/ipa/custodia/server.keys' exists.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Custodia client created.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Loaded key for usage 'sig' from '/etc/ipa/custodia/server.keys'.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: JWK KID matches host's service principal name 'host/ipap1.example.com@example.com'.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Checked host LDAP keys 'host/ipap1.example.com@example.com' for usage sig.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Local key for usage 'sig' matches key in LDAP.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Checked server LDAP keys 'host/ipap.example.com@example.com' for usage sig.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Loaded key for usage 'enc' from '/etc/ipa/custodia/server.keys'.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: JWK KID matches host's service principal name 'host/ipap1.example.com@example.com'.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Checked host LDAP keys 'host/ipap1.example.com@example.com' for usage enc.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Local key for usage 'enc' matches key in LDAP.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Checked server LDAP keys 'host/ipap.example.com@example.com' for usage enc.
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'dm/DMHash': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'ra/ipaCert': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'ca/auditSigningCert cert-pki-ca': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'ca/caSigningCert cert-pki-ca': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'ca/ocspSigningCert cert-pki-ca': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'ca/subsystemCert cert-pki-ca': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[ERROR] One or more tests have failed.
On 3/24/19 10:35, Rob Crittenden wrote:
> Kat via FreeIPA-users wrote:
>> Hi all,
>>
>> So I was searching around, still trying to find an answer, but sadly it
>> seems to never have been solved. I found a repeat of the exact same
>> error I have been seeing, and because of it, unable to add any new
>> replicas --
>>
>>
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>
>> If you look at that, it was 2017. No one ever responded with any help. I
>> posted the exact same problem this year and nada as well. I love IPA,
>> but am stuck with being able to expand the usage. Sure I have a RedHat
>> support contract, but even response there has been non-existent to solve
>> this problem. Is anyone able to provide any help, or am I stuck and need
>> to move away from RHEL and IPA? :-(
>>
>> Done configuring the web interface (httpd).
>> Configuring ipa-otpd
>> [1/2]: starting ipa-otpd
>> [2/2]: configuring ipa-otpd to start on boot
>> Done configuring ipa-otpd.
>> Configuring ipa-custodia
>> [1/4]: Generating ipa-custodia config file
>> [2/4]: Generating ipa-custodia keys
>> [3/4]: starting ipa-custodia
>> [4/4]: configuring ipa-custodia to start on boot
>> Done configuring ipa-custodia.
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> *ipapython.admintool: ERROR 406 Client Error: Failed to validate
>> message: No recipient matched the provided key["Failed:
>> [ValueError('Decryption failed.',)]"]*
>> ipapython.admintool: ERROR The ipa-replica-install command failed.
>> See /var/log/ipareplica-install.log for more information
> See if you have /usr/libexec/ipa/ipa-custodia-check. If you do, run it.
>
> If not, you can get it from
> https://github.com/freeipa/freeipa/pull/948
>
> This should help diagnose the issue.
>
> rob
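Added example for this thread (my own code, not FreeIPA's): a small Python script that reads ipa-custodia-check output like the run posted above, rejoins the records the mail client wrapped over several lines, and separates the local checks (here both 'sig' and 'enc' match LDAP) from the remote retrievals (here every key fetched from ipap.example.com fails with the same 406). It assumes the record format shown in that output, '[<timestamp> <logger>] <LEVEL>: <message>' followed by a timestamp-less '[ERROR] One or more tests have failed.' summary line; the sample text embedded in the script is a constructed abbreviation of the quoted run.

```python
"""Summarize an ipa-custodia-check run: which local key checks passed and
which remote key retrievals failed, grouped by error reason.

Added example for this thread (not FreeIPA code). It assumes the record
format shown in the quoted output: '[<timestamp> <logger>] <LEVEL>: <msg>'
with a final '[ERROR] One or more tests have failed.' summary line.
"""
import re
import sys

# Constructed sample: an abbreviated copy of the quoted run, with the
# line wrapping the mail client introduced left in place on purpose.
SAMPLE_OUTPUT = """\
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Host:
ipap1.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Remote server:
ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Local key for usage
'sig' matches key in LDAP.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Local key for usage
'enc' matches key in LDAP.
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>:
Starting new HTTPS connection (1):
ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve
key 'dm/DMHash': 406 Client Error: Failed to validate message: No
recipient matched the provided key["Failed: [ValueError('Decryption
failed.',)]"].
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve
key 'ra/ipaCert': 406 Client Error: Failed to validate message: No
recipient matched the provided key["Failed: [ValueError('Decryption
failed.',)]"].
[ERROR] One or more tests have failed.
"""

RECORD_RE = re.compile(
    r"^\[(?P<ts>\S+) (?P<logger>[^\]]+)\] <(?P<level>[A-Z]+)>:\s*(?P<msg>.*)$")
LOCAL_KEY_RE = re.compile(r"Local key for usage '(?P<usage>\w+)' matches key in LDAP")
FAILED_RE = re.compile(r"Failed to retrieve key '(?P<key>[^']+)': (?P<reason>.*)$")
SUMMARY_PREFIX = "[ERROR] "


def parse_records(text):
    """Rejoin records that a mail client wrapped over several lines.

    A line matching RECORD_RE (or the timestamp-less summary line) starts
    a new record; every other line is a continuation of the previous one.
    """
    records = []
    for line in text.splitlines():
        if RECORD_RE.match(line) or line.startswith(SUMMARY_PREFIX):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records


def summarize(text):
    """Return a dict with host, remote server, the local usages that matched
    LDAP, and every failed retrieval keyed by key name with its reason."""
    summary = {"host": None, "remote_server": None, "local_keys_ok": [],
               "failed_keys": {}, "errors": 0, "overall_failed": False}
    for rec in parse_records(text):
        if rec.startswith(SUMMARY_PREFIX):
            summary["overall_failed"] = True
            continue
        m = RECORD_RE.match(rec)
        level, msg = m.group("level"), m.group("msg")
        if msg.startswith("Host: "):
            summary["host"] = msg[len("Host: "):]
        elif msg.startswith("Remote server: "):
            summary["remote_server"] = msg[len("Remote server: "):]
        lk = LOCAL_KEY_RE.search(msg)
        if lk:
            summary["local_keys_ok"].append(lk.group("usage"))
        if level == "ERROR":
            summary["errors"] += 1
            fk = FAILED_RE.search(msg)
            if fk:
                summary["failed_keys"][fk.group("key")] = fk.group("reason")
    return summary


def distinct_reasons(summary):
    """Distinct error strings behind the failed retrievals; a single entry
    means every remote fetch failed the same way."""
    return sorted(set(summary["failed_keys"].values()))


def report(summary):
    """Render the summary as plain text, one finding per line."""
    lines = ["host: %s" % summary["host"],
             "remote server: %s" % summary["remote_server"],
             "local keys matching LDAP: %s" % ", ".join(summary["local_keys_ok"]),
             "failed remote retrievals: %d" % len(summary["failed_keys"])]
    for key in summary["failed_keys"]:
        lines.append("  - %s" % key)
    for reason in distinct_reasons(summary):
        lines.append("reason: %s" % reason)
    lines.append("overall result: %s"
                 % ("FAILED" if summary["overall_failed"] else "passed"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe a real run in (ipa-custodia-check <server> 2>&1 | python3 this.py);
    # with nothing piped in, the constructed sample is summarized instead.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print(report(summarize(text)))
```

The useful reading of the report is the split it makes: when every local usage matches LDAP and every retrieval from the remote server fails with one identical reason, the problem is confined to the exchange with that server rather than to the host's own server.keys, which narrows where to look next.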