#6893 ipa-custodia: recover from missing keys
Opened 5 years ago by cheimes. Modified 4 years ago

ipaserver.install.custodiainstance places key material for ipa-custodia in two places:

  • /etc/ipa/custodia/server.keys with JWK private and public keys
  • JWK public keys in enc/$HOSTNAME and sig/$HOSTNAME in cn=custodia,cn=ipa,cn=etc,$SUFFIX

In the past I have seen either server.keys or the LDAP entries be missing for various reasons. For example, server.keys were accidentally removed. At the moment it's rather hard to recover from a broken configuration. I managed to fix one case by messing with the sysupgrade state file and running ipa-server-upgrade. I propose to augment CustodiaInstance.upgrade_instance() to make ipa-server-upgrade auto-recover from common cases. If any of the checks fails, just re-create the Custodia instance, generate new server keys and upload the public keys to LDAP.

  • check that custodia.conf and server.keys are present
  • check that server.keys are valid
  • check that public keys in LDAP match server.keys

The recovery feature could also be used to rotate keys.

Should we check that our keys are present in LDAP at startup time and add them back if missing?

Does ipa-custodia have permission to create new keys and upload them to LDAP?
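The three checks proposed in the ticket description (files present, server.keys valid, LDAP public keys matching the private keys on disk) can be expressed as a small consistency checker. The following is an added example written for this page, not code from FreeIPA or from the ticket's pull requests. It assumes that server.keys is a JSON object with one private JWK (as a JSON string) per usage, "sig" and "enc", and models the LDAP side as a list of (rdn, public JWK) pairs under cn=custodia,cn=ipa,cn=etc,$SUFFIX; the sample keys are constructed filler, not real curve points. The duplicate-entry case mirrors the "Incorrect number of results (2)" error quoted later in the thread.

```python
import base64
import json

# Assumed on-disk layout for /etc/ipa/custodia/server.keys: a JSON object with
# one private JWK per key usage ("sig", "enc"), stored as a JSON string. This
# follows the ticket's description; the exact field names are an assumption.
KEY_USAGES = ("sig", "enc")
COORD_LEN = {"P-256": 32, "P-384": 48, "P-521": 66}  # bytes per EC coordinate

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def public_part(private_jwk):
    # For an EC JWK the public key is the private key minus the 'd' parameter.
    return {k: private_jwk[k] for k in ("kty", "crv", "x", "y") if k in private_jwk}

def validate_private_jwk(jwk):
    """Structural checks on a private EC JWK; returns a list of problems (empty = ok)."""
    if not isinstance(jwk, dict) or jwk.get("kty") != "EC":
        return ["not an EC JWK"]
    length = COORD_LEN.get(jwk.get("crv"))
    if length is None:
        return ["unsupported curve %r" % jwk.get("crv")]
    problems = []
    for field in ("x", "y", "d"):
        value = jwk.get(field)
        if not isinstance(value, str):
            problems.append("missing field %s" % field)
            continue
        try:
            raw = b64url_decode(value)
        except ValueError:
            problems.append("field %s is not base64url" % field)
            continue
        if len(raw) != length:
            problems.append("field %s has %d bytes, expected %d" % (field, len(raw), length))
    return problems

def check_custodia_keys(server_keys_text, ldap_entries, hostname, conf_present=True):
    """Run the ticket's checks: files present, server.keys valid, LDAP matches.

    server_keys_text is the file content or None if missing; ldap_entries is a
    list of (rdn, public JWK) pairs under cn=custodia,cn=ipa,cn=etc,$SUFFIX.
    Returns {check: [problems]}; any non-empty list means recovery is needed.
    """
    report = {}
    if not conf_present:
        report["custodia.conf"] = ["file missing"]
    if server_keys_text is None:
        report["server.keys"] = ["file missing"]
        return report
    try:
        store = json.loads(server_keys_text)
    except ValueError:
        store = None
    if not isinstance(store, dict):
        report["server.keys"] = ["not a JSON object"]
        return report
    for usage in KEY_USAGES:
        raw = store.get(usage)
        try:
            private = json.loads(raw) if isinstance(raw, str) else raw
        except ValueError:
            private = None
        if private is None:
            report[usage] = ["no usable %s key in server.keys" % usage]
            continue
        problems = validate_private_jwk(private)
        rdn = "%s/%s" % (usage, hostname)
        found = [jwk for entry_rdn, jwk in ldap_entries if entry_rdn == rdn]
        if not found:
            problems.append("no LDAP entry for %s" % rdn)
        elif len(found) > 1:
            # The "Incorrect number of results (2)" situation quoted in the ticket.
            problems.append("%d LDAP entries for %s, expected exactly 1" % (len(found), rdn))
        elif not problems and found[0] != public_part(private):
            problems.append("LDAP public key for %s does not match server.keys" % rdn)
        report[usage] = problems
    return report

def needs_recovery(report):
    """True when any check failed, i.e. the ticket's re-create-and-upload path applies."""
    return any(report.values())

# Constructed sample data (not real IPA keys): filler coordinates that are
# structurally valid P-256 JWK fields but not actual curve points.
HOSTNAME = "ipa.example.test"

def sample_private_jwk(seed):
    return {"kty": "EC", "crv": "P-256", "x": b64url(bytes([seed]) * 32),
            "y": b64url(bytes([seed + 1]) * 32), "d": b64url(bytes([seed + 2]) * 32)}

SIG_KEY, ENC_KEY = sample_private_jwk(1), sample_private_jwk(10)
GOOD_SERVER_KEYS = json.dumps({"sig": json.dumps(SIG_KEY), "enc": json.dumps(ENC_KEY)})
GOOD_LDAP = [("sig/" + HOSTNAME, public_part(SIG_KEY)), ("enc/" + HOSTNAME, public_part(ENC_KEY))]
DUPLICATE_LDAP = GOOD_LDAP + [("enc/" + HOSTNAME, public_part(sample_private_jwk(20)))]

if __name__ == "__main__":
    for label, keys, ldap in (("healthy", GOOD_SERVER_KEYS, GOOD_LDAP),
                              ("server.keys removed", None, GOOD_LDAP),
                              ("stale duplicate in LDAP", GOOD_SERVER_KEYS, DUPLICATE_LDAP)):
        report = check_custodia_keys(keys, ldap, HOSTNAME)
        print("%-24s recovery needed: %s %s" % (label, needs_recovery(report), report))
```

The checker only compares public parameters, so it never needs the private key for anything beyond reading it; a real upgrade step would read server.keys from disk and fetch the entries with an LDAP search on cn=custodia, then call the same logic and, on any failure, fall through to regenerating and re-uploading the keys.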

Metadata Update from @pvoborni:
- Issue set to the milestone: Future Releases

5 years ago

Metadata Update from @pvoborni:
- Custom field external_tracker adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1445029

5 years ago
I managed to fix one case by messing with sysupgrade state file and running ipa-server-upgrade

Did you go in and change

installed = True

to False and rerun ipa-server-upgrade?

Looks like I'm dealing with this same issue.

I'm running into this while trying to install a CA server

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
ValueError: Incorrect number of results (2) searching forpublic key for host/

PR https://github.com/freeipa/freeipa/pull/1353 adds a script to regenerate keys and server config.

Metadata Update from @cheimes:
- Issue assigned to cheimes

4 years ago

https://github.com/freeipa/freeipa/pull/1507 makes ipa-server-upgrade re-generate the keys when the /etc/ipa/custodia/server.keys file is missing.

  • 387ae9f ipa-server-upgrade now checks custodia server keys
  • b216655 ipa-server-upgrade now checks custodia server keys
