#6675 KRA_AGENT_PEM file is missing
Closed: Fixed. Opened 7 years ago by cheimes.

I migrated a 4.4.x FreeIPA server to git master with new privilege separation. Now all vault operations are failing because the KRA agent certificate /var/lib/ipa/radb/kra-agent.pem is missing. /var/lib/ipa/radb/ contains an NSSDB but not kra-agent.pem.

[Wed Feb 15 13:01:23.871253 2017] [wsgi:error] [pid 6286] ipa: INFO: [jsonserver_kerb] admin@IPA.EXAMPLE: vault_show/1(u'perfvault', version=u'2.215'): SUCCESS
[Wed Feb 15 13:01:24.012127 2017] [wsgi:error] [pid 6287] ipa: ERROR: non-public: IOError: [Errno 2] No such file or directory
[Wed Feb 15 13:01:24.012150 2017] [wsgi:error] [pid 6287] Traceback (most recent call last):
[Wed Feb 15 13:01:24.012151 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Wed Feb 15 13:01:24.012153 2017] [wsgi:error] [pid 6287]     result = command(*args, **options)
[Wed Feb 15 13:01:24.012155 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Feb 15 13:01:24.012156 2017] [wsgi:error] [pid 6287]     return self.__do_call(*args, **options)
[Wed Feb 15 13:01:24.012157 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Feb 15 13:01:24.012174 2017] [wsgi:error] [pid 6287]     ret = self.run(*args, **options)
[Wed Feb 15 13:01:24.012175 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Feb 15 13:01:24.012177 2017] [wsgi:error] [pid 6287]     return self.execute(*args, **options)
[Wed Feb 15 13:01:24.012178 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/vault.py", line 991, in execute
[Wed Feb 15 13:01:24.012180 2017] [wsgi:error] [pid 6287]     transport_cert = kra_client.system_certs.get_transport_cert()
[Wed Feb 15 13:01:24.012181 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 304, in handler
[Wed Feb 15 13:01:24.012182 2017] [wsgi:error] [pid 6287]     return fn_call(inst, *args, **kwargs)
[Wed Feb 15 13:01:24.012184 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/pki/systemcert.py", line 54, in get_transport_cert
[Wed Feb 15 13:01:24.012185 2017] [wsgi:error] [pid 6287]     response = self.connection.get(url, self.headers)
[Wed Feb 15 13:01:24.012186 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/pki/client.py", line 43, in wrapper
[Wed Feb 15 13:01:24.012188 2017] [wsgi:error] [pid 6287]     return func(self, *args, **kwargs)
[Wed Feb 15 13:01:24.012196 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/pki/client.py", line 143, in get
[Wed Feb 15 13:01:24.012197 2017] [wsgi:error] [pid 6287]     data=payload)
[Wed Feb 15 13:01:24.012199 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 487, in get
[Wed Feb 15 13:01:24.012200 2017] [wsgi:error] [pid 6287]     return self.request('GET', url, **kwargs)
[Wed Feb 15 13:01:24.012201 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
[Wed Feb 15 13:01:24.012203 2017] [wsgi:error] [pid 6287]     resp = self.send(prep, **send_kwargs)
[Wed Feb 15 13:01:24.012204 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
[Wed Feb 15 13:01:24.012205 2017] [wsgi:error] [pid 6287]     r = adapter.send(request, **kwargs)
[Wed Feb 15 13:01:24.012206 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 403, in send
[Wed Feb 15 13:01:24.012208 2017] [wsgi:error] [pid 6287]     timeout=timeout
[Wed Feb 15 13:01:24.012209 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 578, in urlopen
[Wed Feb 15 13:01:24.012210 2017] [wsgi:error] [pid 6287]     chunked=chunked)
[Wed Feb 15 13:01:24.012211 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 351, in _make_request
[Wed Feb 15 13:01:24.012213 2017] [wsgi:error] [pid 6287]     self._validate_conn(conn)
[Wed Feb 15 13:01:24.012214 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 814, in _validate_conn
[Wed Feb 15 13:01:24.012216 2017] [wsgi:error] [pid 6287]     conn.connect()
[Wed Feb 15 13:01:24.012217 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 289, in connect
[Wed Feb 15 13:01:24.012218 2017] [wsgi:error] [pid 6287]     ssl_version=resolved_ssl_version)
[Wed Feb 15 13:01:24.012219 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py", line 306, in ssl_wrap_socket
[Wed Feb 15 13:01:24.012221 2017] [wsgi:error] [pid 6287]     context.load_cert_chain(certfile, keyfile)
[Wed Feb 15 13:01:24.012222 2017] [wsgi:error] [pid 6287] IOError: [Errno 2] No such file or directory
[Wed Feb 15 13:01:24.012422 2017] [wsgi:error] [pid 6287] ipa: INFO: [jsonserver_kerb] admin@IPA.EXAMPLE: vaultconfig_show/1(version=u'2.215'): InternalError

Honza suggested removing {{{export_kra_agent_pem = True}}} from {{{/var/lib/ipa/sysupgrade/sysupgrade.state}}} and re-running {{{ipa-server-upgrade}}}. The workaround fixed the issue for me. Honza is working on a permanent solution.
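A pre-flight check for the condition in this ticket, written as an added example (not FreeIPA's code and not from the ticket author): it reports whether the agent PEM that the vault plugin ends up passing to load_cert_chain() exists and carries both a certificate and a private key, and it implements the sysupgrade.state workaround by dropping the export_kra_agent_pem flag from whichever section holds it, so that the next ipa-server-upgrade re-exports the file. The paths are the ones named in the ticket; that the state file is INI-style, the section name used in testing, and the file-mode check are assumptions, and the script runs under Python 3.

```python
import configparser
import os
import stat

# Paths from the ticket; the flag name is the one the workaround removes.
KRA_AGENT_PEM = "/var/lib/ipa/radb/kra-agent.pem"
SYSUPGRADE_STATE = "/var/lib/ipa/sysupgrade/sysupgrade.state"
FLAG = "export_kra_agent_pem"


def check_kra_agent_pem(path=KRA_AGENT_PEM):
    """Return a list of problems with the agent PEM; an empty list means usable."""
    if not os.path.exists(path):
        return ["missing: %s" % path]  # the IOError / Errno 2 from the traceback
    problems = []
    with open(path, "rb") as f:
        data = f.read()
    # With a single PEM path, requests calls load_cert_chain(certfile, keyfile=None),
    # so the certificate and the private key must both live in this one file.
    if b"-----BEGIN CERTIFICATE-----" not in data:
        problems.append("no certificate block")
    if b"PRIVATE KEY-----" not in data:
        problems.append("no private key block")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):  # assumption: a key file must not be world-accessible
        problems.append("world-accessible (mode %o)" % mode)
    return problems


def clear_export_flag(state_path=SYSUPGRADE_STATE):
    """Drop export_kra_agent_pem so the next ipa-server-upgrade redoes the export.

    Returns the sections the flag was removed from (empty if it was not set).
    Assumption: the state file is INI-style; it is rewritten through configparser."""
    cp = configparser.RawConfigParser()
    cp.read(state_path)
    touched = [s for s in cp.sections() if cp.has_option(s, FLAG)]
    for s in touched:
        cp.remove_option(s, FLAG)
    if touched:
        with open(state_path, "w") as f:
            cp.write(f)
    return touched


if __name__ == "__main__":
    probs = check_kra_agent_pem()
    if probs:
        print("kra-agent.pem: " + "; ".join(probs))
        print("flag cleared in sections %r; now run ipa-server-upgrade" % clear_export_flag())
```

The script only edits the state file and prints the next step; it does not run ipa-server-upgrade itself.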

master:

  • 0862e32 server upgrade: always upgrade KRA agent PEM file

Metadata Update from @cheimes (7 years ago):
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.5
