I migrated a 4.4.x FreeIPA server to git master with new privilege separation. Now all vault operations are failing because the KRA agent certificate /var/lib/ipa/radb/kra-agent.pem is missing. /var/lib/ipa/radb/ contains an NSSDB but not kra-agent.pem.
```
[Wed Feb 15 13:01:23.871253 2017] [wsgi:error] [pid 6286] ipa: INFO: [jsonserver_kerb] admin@IPA.EXAMPLE: vault_show/1(u'perfvault', version=u'2.215'): SUCCESS
[Wed Feb 15 13:01:24.012127 2017] [wsgi:error] [pid 6287] ipa: ERROR: non-public: IOError: [Errno 2] No such file or directory
[Wed Feb 15 13:01:24.012150 2017] [wsgi:error] [pid 6287] Traceback (most recent call last):
[Wed Feb 15 13:01:24.012151 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Wed Feb 15 13:01:24.012153 2017] [wsgi:error] [pid 6287]     result = command(*args, **options)
[Wed Feb 15 13:01:24.012155 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Feb 15 13:01:24.012156 2017] [wsgi:error] [pid 6287]     return self.__do_call(*args, **options)
[Wed Feb 15 13:01:24.012157 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Feb 15 13:01:24.012174 2017] [wsgi:error] [pid 6287]     ret = self.run(*args, **options)
[Wed Feb 15 13:01:24.012175 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Feb 15 13:01:24.012177 2017] [wsgi:error] [pid 6287]     return self.execute(*args, **options)
[Wed Feb 15 13:01:24.012178 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/vault.py", line 991, in execute
[Wed Feb 15 13:01:24.012180 2017] [wsgi:error] [pid 6287]     transport_cert = kra_client.system_certs.get_transport_cert()
[Wed Feb 15 13:01:24.012181 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 304, in handler
[Wed Feb 15 13:01:24.012182 2017] [wsgi:error] [pid 6287]     return fn_call(inst, *args, **kwargs)
[Wed Feb 15 13:01:24.012184 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/pki/systemcert.py", line 54, in get_transport_cert
[Wed Feb 15 13:01:24.012185 2017] [wsgi:error] [pid 6287]     response = self.connection.get(url, self.headers)
[Wed Feb 15 13:01:24.012186 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/pki/client.py", line 43, in wrapper
[Wed Feb 15 13:01:24.012188 2017] [wsgi:error] [pid 6287]     return func(self, *args, **kwargs)
[Wed Feb 15 13:01:24.012196 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/pki/client.py", line 143, in get
[Wed Feb 15 13:01:24.012197 2017] [wsgi:error] [pid 6287]     data=payload)
[Wed Feb 15 13:01:24.012199 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 487, in get
[Wed Feb 15 13:01:24.012200 2017] [wsgi:error] [pid 6287]     return self.request('GET', url, **kwargs)
[Wed Feb 15 13:01:24.012201 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
[Wed Feb 15 13:01:24.012203 2017] [wsgi:error] [pid 6287]     resp = self.send(prep, **send_kwargs)
[Wed Feb 15 13:01:24.012204 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
[Wed Feb 15 13:01:24.012205 2017] [wsgi:error] [pid 6287]     r = adapter.send(request, **kwargs)
[Wed Feb 15 13:01:24.012206 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 403, in send
[Wed Feb 15 13:01:24.012208 2017] [wsgi:error] [pid 6287]     timeout=timeout
[Wed Feb 15 13:01:24.012209 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 578, in urlopen
[Wed Feb 15 13:01:24.012210 2017] [wsgi:error] [pid 6287]     chunked=chunked)
[Wed Feb 15 13:01:24.012211 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 351, in _make_request
[Wed Feb 15 13:01:24.012213 2017] [wsgi:error] [pid 6287]     self._validate_conn(conn)
[Wed Feb 15 13:01:24.012214 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 814, in _validate_conn
[Wed Feb 15 13:01:24.012216 2017] [wsgi:error] [pid 6287]     conn.connect()
[Wed Feb 15 13:01:24.012217 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 289, in connect
[Wed Feb 15 13:01:24.012218 2017] [wsgi:error] [pid 6287]     ssl_version=resolved_ssl_version)
[Wed Feb 15 13:01:24.012219 2017] [wsgi:error] [pid 6287]   File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py", line 306, in ssl_wrap_socket
[Wed Feb 15 13:01:24.012221 2017] [wsgi:error] [pid 6287]     context.load_cert_chain(certfile, keyfile)
[Wed Feb 15 13:01:24.012222 2017] [wsgi:error] [pid 6287] IOError: [Errno 2] No such file or directory
[Wed Feb 15 13:01:24.012422 2017] [wsgi:error] [pid 6287] ipa: INFO: [jsonserver_kerb] admin@IPA.EXAMPLE: vaultconfig_show/1(version=u'2.215'): InternalError
```
Honza suggested removing `export_kra_agent_pem = True` from `/var/lib/ipa/sysupgrade/sysupgrade.state` and re-running `ipa-server-upgrade`. The workaround fixed the issue for me. Honza is working on a permanent solution.
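The workaround above, written out as a guarded script. This is an added example, not code from the ticket or from the FreeIPA project. It only touches the state file when `kra-agent.pem` really is absent, takes a timestamped backup before writing, and supports `--dry-run`; after it runs, `ipa-server-upgrade` still has to be executed by hand. It assumes `sysupgrade.state` is INI-style `key = value` text (which is how FreeIPA's sysupgrade module writes it) and makes no assumption about which section holds the flag: every section is scanned. The `demo()` function runs both branches on a constructed sample state file in a temporary directory; the section and key names in that sample are made up for the demonstration.

```python
#!/usr/bin/env python3
"""Guarded reset of FreeIPA's export_kra_agent_pem upgrade step.

Added example, not code from the ticket or from FreeIPA. When
/var/lib/ipa/radb/kra-agent.pem is missing, it drops the
export_kra_agent_pem flag from sysupgrade.state so that the next
ipa-server-upgrade run re-exports the KRA agent certificate.
Assumptions: the state file is INI-style "key = value" text, and the
flag may live in any section, so every section is scanned.
"""
import argparse
import configparser
import os
import shutil
import tempfile
import time

STATE_FILE = "/var/lib/ipa/sysupgrade/sysupgrade.state"   # path from the ticket
KRA_AGENT_PEM = "/var/lib/ipa/radb/kra-agent.pem"         # path from the ticket
FLAG = "export_kra_agent_pem"                               # flag name from the ticket


def _load(state_path):
    # RawConfigParser: no '%' interpolation, values are taken literally.
    parser = configparser.RawConfigParser()
    parser.read(state_path)
    return parser


def find_flag(state_path):
    """Sections of the state file in which FLAG is recorded (empty if none)."""
    parser = _load(state_path)
    return [s for s in parser.sections() if parser.has_option(s, FLAG)]


def reset_flag(state_path, pem_path, dry_run=False):
    """Remove FLAG from every section, but only if the PEM really is absent.

    Returns a dict describing the outcome:
      pem_present  - True: the upgrade step has nothing to redo, file untouched
      removed_from - sections the flag was (or, with dry_run, would be) removed from
      backup       - path of the copy taken before writing, or None
    """
    result = {"pem_present": os.path.exists(pem_path),
              "removed_from": [], "backup": None}
    if result["pem_present"]:
        return result
    parser = _load(state_path)
    sections = [s for s in parser.sections() if parser.has_option(s, FLAG)]
    result["removed_from"] = sections
    if not sections or dry_run:
        return result
    # Timestamped copy so the previous state can be restored if the upgrade misbehaves.
    backup = "%s.%d.bak" % (state_path, int(time.time()))
    shutil.copy2(state_path, backup)
    result["backup"] = backup
    for section in sections:
        parser.remove_option(section, FLAG)
    with open(state_path, "w") as fh:
        parser.write(fh)
    return result


def demo():
    """Exercise both branches on a constructed state file in a temp dir.

    The section names and extra keys are constructed sample data, not a
    real FreeIPA state file."""
    tmp = tempfile.mkdtemp()
    try:
        state = os.path.join(tmp, "sysupgrade.state")
        pem = os.path.join(tmp, "kra-agent.pem")
        with open(state, "w") as fh:
            fh.write("[kra_example]\nexport_kra_agent_pem = True\n"
                     "other_step = True\n\n[ds_example]\nschema_updated = True\n")
        first = reset_flag(state, pem)          # PEM missing: flag removed
        after_first = find_flag(state)          # expected: []
        other_kept = _load(state).has_option("kra_example", "other_step")
        open(pem, "w").close()                  # now the PEM exists
        second = reset_flag(state, pem)         # nothing should change
        return {"first": first, "after_first": after_first,
                "other_kept": other_kept, "second": second}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Reset the KRA agent export upgrade step.")
    ap.add_argument("--state", default=STATE_FILE)
    ap.add_argument("--pem", default=KRA_AGENT_PEM)
    ap.add_argument("--dry-run", action="store_true")
    args = ap.parse_args()
    print(reset_flag(args.state, args.pem, dry_run=args.dry_run))
```

Run it as root with `--dry-run` first to see which section carries the flag, then without it, and follow with `ipa-server-upgrade`. The PEM check is the important part: the flag only records that the export step already ran, so clearing it while the certificate is present would just make the upgrade redo work it does not need to.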
master:
Metadata Update from @cheimes:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.5