#4503 KRA installs with wrong agent PEM
Closed: Fixed None Opened 9 years ago by pviktori.

Installing the KRA leaves the client non-functional. Quoting Ade:

Did some more investigation on this. It turns out that the problem is
in the PEM file that is generated (/etc/httpd/alias/agent.pem).

There are in fact two problems. One is that the agent.pem that is
available there is for the IPA RA agent, who is not an agent on the KRA.
Also, it appears that the PEM file itself may have some weirdness in its
format.

The PEM file is generated by the code _generate_pem_file() in dogtag.py.
That code will need to be re-examined and fixed. I would like to leave
that task to Endi - as he needs to decide how/which agent will be used
to communicate with the KRA.

A workaround is to run:

openssl pkcs12 -in /root/ca-agent.p12 -out /etc/httpd/alias/agent.pem -nodes

master:

Metadata Update from @pviktori:
- Issue assigned to edewata
- Issue set to the milestone: FreeIPA 4.2 Backlog

6 years ago
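
An added example (not FreeIPA or Dogtag code): a structural check for a client-authentication PEM bundle such as the agent.pem discussed in this ticket, reporting malformed blocks and a missing certificate or unencrypted private key. It does not check which agent the certificate belongs to; the function name and the sample input (placeholder DER bytes) are constructed for illustration.

```python
import base64
import re

# Labels accepted as unencrypted private-key material (PKCS#8, legacy RSA/EC).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
# Constructed sample: placeholder DER, laid out like `openssl pkcs12 -nodes` output.
_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
SAMPLE_OK = (
    f"Bag Attributes\n-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
    f"-----BEGIN PRIVATE KEY-----\n{_B64}\n-----END PRIVATE KEY-----\n")

def lint_agent_pem(text):
    """Return a list of problems found in a client-auth PEM bundle."""
    problems, labels = [], []
    label, body = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        begin, end = BEGIN.match(line), END.match(line)
        if begin:
            if label is not None:
                problems.append(f"line {n}: BEGIN inside open {label} block")
            label, body = begin.group(1), []
        elif end:
            if end.group(1) != label:
                problems.append(f"line {n}: END {end.group(1)} without matching BEGIN")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                    if not der.startswith(b"\x30"):
                        problems.append(f"line {n}: {label} is not a DER SEQUENCE")
                except ValueError:
                    problems.append(f"line {n}: {label} body is not valid base64")
                labels.append(label)
            label = None
        elif label is not None:
            if ":" in line:  # RFC 1421 header such as Proc-Type or DEK-Info
                problems.append(f"line {n}: header inside {label} (encrypted key?)")
            else:
                body.append(line)
    if label is not None:  # text outside blocks (e.g. Bag Attributes) was ignored
        problems.append(f"unterminated {label} block")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("private key is encrypted")
    elif not KEY_LABELS.intersection(labels):
        problems.append("no private key block")
    return problems
```
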
