Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1282935
Description of problem:
ipa server upgrade from 4.1.0-18 to 4.2.0-15 causes vault internal error

Version-Release number of selected component (if applicable):
ipa-server.x86_64 0:4.1.0-18.el7
ipa-server.x86_64 0:4.2.0-15.el7

How reproducible:
Always

Steps to Reproduce:
1. install 7.1 Master
2. ipa upgrade to newest
3. install kra
4. try vault commands

Actual results:
vault commands prompt out with internal error.

Expected results:
no error occurs

Additional info:

##Master after upgrade##

[root@mgmt7 ~]# ipa-kra-install -p Secret123 -U
===================================================================
This program will setup Dogtag KRA for the IPA Server.
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful

[root@mgmt7 ~]# kinit admin
Password for admin@TESTRELM.TEST:

[root@mgmt7 ~]# ipa vault-add vupgrade --type=symmetric --password='mypa55word'
ipa: ERROR: an internal error has occurred

[root@mgmt7 ~]# echo Secret123|base64
U2VjcmV0MTIzCg==

[root@mgmt7 ~]# ipa vault-archive vupgrade --password='mypa55word' --data='U2VjcmV0MTIzCg=='
ipa: ERROR: an internal error has occurred

[root@mgmt7 ~]# grep "KRA is not enabled" /var/log/ipaupgrade.log
2015-11-15T20:18:45Z INFO KRA is not enabled

[root@mgmt7 ~]# ipa vault-add vupgrade --type=symmetric --password='mypa55word'
ipa: ERROR: vault with name "vupgrade" already exists

[root@mgmt7 ~]# ipa vault-archive vupgrade --password='mypa55word' --data='U2VjcmV0MTIzCg=='
ipa: ERROR: an internal error has occurred

From /var/log/httpd/error_log:
. . .
[Sun Nov 15 16:27:16.261426 2015] [:error] [pid 20785] ipa: ERROR: non-public: SSLError: [Errno 336265218] _ssl.c:351: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
[Sun Nov 15 16:27:16.261468 2015] [:error] [pid 20785] Traceback (most recent call last):
[Sun Nov 15 16:27:16.261475 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Sun Nov 15 16:27:16.261502 2015] [:error] [pid 20785] result = self.Command[name](*args, **options)
[Sun Nov 15 16:27:16.261509 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
[Sun Nov 15 16:27:16.261515 2015] [:error] [pid 20785] ret = self.run(*args, **options)
[Sun Nov 15 16:27:16.261521 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
[Sun Nov 15 16:27:16.261527 2015] [:error] [pid 20785] return self.execute(*args, **options)
[Sun Nov 15 16:27:16.261533 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 1471, in execute
[Sun Nov 15 16:27:16.261539 2015] [:error] [pid 20785] transport_cert = kra_client.system_certs.get_transport_cert()
[Sun Nov 15 16:27:16.261545 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 298, in handler
[Sun Nov 15 16:27:16.261552 2015] [:error] [pid 20785] return fn_call(inst, *args, **kwargs)
[Sun Nov 15 16:27:16.261558 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/pki/systemcert.py", line 52, in get_transport_cert
[Sun Nov 15 16:27:16.261564 2015] [:error] [pid 20785] response = self.connection.get(url, self.headers)
[Sun Nov 15 16:27:16.261570 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/pki/client.py", line 115, in get
[Sun Nov 15 16:27:16.261576 2015] [:error] [pid 20785] data=payload)
[Sun Nov 15 16:27:16.261582 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 319, in get
[Sun Nov 15 16:27:16.261588 2015] [:error] [pid 20785] return self.request('GET', url, **kwargs)
[Sun Nov 15 16:27:16.261593 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 288, in request
[Sun Nov 15 16:27:16.261600 2015] [:error] [pid 20785] resp = self.send(prep, stream=stream, timeout=timeout, verify=verify, cert=cert, proxies=proxies)
[Sun Nov 15 16:27:16.261606 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 383, in send
[Sun Nov 15 16:27:16.261612 2015] [:error] [pid 20785] r = adapter.send(request, **kwargs)
[Sun Nov 15 16:27:16.261617 2015] [:error] [pid 20785] File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 213, in send
[Sun Nov 15 16:27:16.261623 2015] [:error] [pid 20785] raise SSLError(e)
[Sun Nov 15 16:27:16.261629 2015] [:error] [pid 20785] SSLError: [Errno 336265218] _ssl.c:351: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
[Sun Nov 15 16:27:16.261937 2015] [:error] [pid 20785] ipa: INFO: [jsonserver_session] admin@TESTRELM.TEST: vaultconfig_show(all=False, raw=False, version=u'2.156'): SSLError
master:
ipa-4-2:
Metadata Update from @pvoborni:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.4