ipaserver.install.custodiainstance places key material for ipa-custodia (the enc/$HOSTNAME and sig/$HOSTNAME keys) in two places:
- the server.keys file
- cn=custodia,cn=ipa,cn=etc,$SUFFIX in LDAP
In the past I have seen either server.keys or LDAP entries be missing for various reasons. For example, server.keys were accidentally removed. At the moment it's rather hard to recover from a broken configuration. I managed to fix one case by messing with the sysupgrade state file and running ipa-server-upgrade. I propose to augment CustodiaInstance.upgrade_instance() to make ipa-server-upgrade auto-recover from common cases. If either of the checks fails, just re-create the Custodia instance, generate new server keys and upload the public keys to LDAP.
The recovery feature could also be used to rotate keys.
RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1445029
Should we check our keys are present in LDAP at startup time and add them back if missing?
Does ipa-custodia have permission to create new keys and upload them to LDAP?
Metadata Update from @pvoborni: - Issue set to the milestone: Future Releases
Metadata Update from @pvoborni: - Custom field external_tracker adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1445029
I managed to fix one case by messing with sysupgrade state file and running ipa-server-upgrade
Did you go in and change
[custodia] installed = True
to False and rerun ipa-server-upgrade?
Looks like I'm dealing with this same issue.
I'm running into this while trying to install a CA server
Unexpected error - see /var/log/ipareplica-ca-install.log for details: ValueError: Incorrect number of results (2) searching for public key for host/
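To make the proposed checks concrete, here is an added example (my own code, not FreeIPA's): an audit routine that reports which parts of the Custodia key material are missing or duplicated, so an upgrade step could decide to regenerate. It assumes server.keys is a JSON list of JWK dicts with "use" and "kid" fields, and takes a constructed dict in place of a real LDAP search result; both are assumptions, not taken from the FreeIPA code base.

```python
import json
import os
import tempfile
from typing import Dict, List

# Hypothetical audit routine modelled on the checks proposed in this issue.
# The server.keys layout (JSON list of JWK dicts with "use" and "kid") and the
# LDAP result shape are assumptions, not taken from the FreeIPA code base.
EXPECTED_USAGES = ("sig", "enc")


def audit_custodia_keys(server_keys_path: str, hostname: str,
                        ldap_entries: Dict[str, List[dict]]) -> List[str]:
    """Return the problems that should make an upgrade step regenerate keys.

    ldap_entries maps a key id "usage/hostname" to the list of LDAP entries
    found for it (a constructed stand-in for a real LDAP search result).
    """
    problems: List[str] = []
    private: Dict[str, dict] = {}
    check_file = os.path.exists(server_keys_path)
    if not check_file:
        problems.append("server.keys missing")
    else:
        try:
            with open(server_keys_path) as f:
                private = {k["use"]: k for k in json.load(f)}
        except (ValueError, KeyError, TypeError):
            problems.append("server.keys unparsable")
            check_file = False  # no point reporting each key separately
    for usage in EXPECTED_USAGES:
        keyid = f"{usage}/{hostname}"
        if check_file and usage not in private:
            problems.append(f"private key {keyid} missing from server.keys")
        found = ldap_entries.get(keyid, [])
        if not found:
            problems.append(f"public key {keyid} missing from LDAP")
        elif len(found) > 1:
            # The "Incorrect number of results (2)" failure from the CA install
            # log: a plain presence check passes here, so count entries explicitly.
            problems.append(f"{len(found)} LDAP entries for {keyid}, expected 1")
    return problems


def demo() -> List[str]:
    """Audit constructed data: a complete server.keys but a duplicated enc entry."""
    host = "ipa.example.test"
    keys = [{"kty": "RSA", "use": u, "kid": f"host/{host}"} for u in EXPECTED_USAGES]
    with tempfile.NamedTemporaryFile("w", suffix=".keys", delete=False) as f:
        json.dump(keys, f)  # constructed placeholder JWKs, no real key material
    try:
        return audit_custodia_keys(f.name, host, {
            f"sig/{host}": [{"cn": f"sig/{host}"}],
            f"enc/{host}": [{"cn": f"enc/{host}"}, {"cn": f"enc/{host}"}]})
    finally:
        os.unlink(f.name)
```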
PR https://github.com/freeipa/freeipa/pull/1353 adds a script to regenerate keys and server config.
Metadata Update from @cheimes: - Issue assigned to cheimes
https://github.com/freeipa/freeipa/pull/1507 makes ipa-server-upgrade re-generate the keys when the /etc/ipa/custodia/server.keys file is missing.
master:
ipa-4-6: