LWCA key replication is failing on f30. Dogtag cannot retrieve the keys. In the debug log:
2019-05-30 14:53:03 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] FINE: Running ExternalProcessKeyRetriever
2019-05-30 14:53:03 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, caSigningCert cert-pki-ca 06e99390-24f8-4632-a26c-a01693fb87fd, f30-0.ipa.local]
2019-05-30 14:53:04 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] SEVERE: Failed to retrieve key from any host.
2019-05-30 14:53:04 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] WARNING: KeyRetriever did not return a result.
2019-05-30 14:53:04 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] FINE: Retrying in 1946 seconds
In the journal we see:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: KCM:))
In ipa-pki-retrieve-key, credential acquisition (from /etc/pki/pki-tomcat/dogtag.keytab) succeeds but those credentials are not used when binding to LDAP.
LWCA key replication failure on the other CA server, as described above.
Furthermore, the ca-show command fails; NPE due to missing keys:
[f30-1:~/dev/freeipa] [ master● ] ftweedal% ipa ca-show test1
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500.
Debug log:
2019-05-30 14:56:41 [ajp-nio-127.0.0.1-8009-exec-5] FINE: MessageFormatInterceptor: AuthorityResource.getCert()
2019-05-30 14:56:41 [ajp-nio-127.0.0.1-8009-exec-5] FINE: MessageFormatInterceptor: content-type: null
2019-05-30 14:56:41 [ajp-nio-127.0.0.1-8009-exec-5] FINE: MessageFormatInterceptor: accept: [application/pkix-cert]
2019-05-30 14:56:41 [ajp-nio-127.0.0.1-8009-exec-5] FINE: MessageFormatInterceptor: response format: application/pkix-cert
2019-05-30 14:56:41 [ajp-nio-127.0.0.1-8009-exec-5] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception
org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
    ....
Caused by: java.lang.NullPointerException
    at org.dogtagpki.server.ca.rest.AuthorityService.getCert(AuthorityService.java:147)
    ....
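The failure mode described in the report (credentials are acquired from the keytab, but the LDAP GSSAPI bind consults the default credential cache, here KCM:, and finds nothing) comes down to the bind and the kinit not agreeing on a credential cache. The following is an added illustration, not FreeIPA's ipa-pki-retrieve-key and not the fix in the linked PR: it acquires credentials into a private FILE ccache with kinit -kt and then runs the GSSAPI LDAP bind (ldapsearch -Y GSSAPI) in an environment whose KRB5CCNAME points at that same ccache. The principal, realm, LDAP URI and search base are placeholders; only the keytab path and host name come from the report.

```python
"""Added example: make a GSSAPI LDAP bind use the credentials that were
acquired from a keytab, by passing the credential cache explicitly.

Not the project's own code. Principal/realm/URI/base are assumptions.
"""
import os
import subprocess
import tempfile

# From the report: the keytab Dogtag uses for key retrieval.
DOGTAG_KEYTAB = "/etc/pki/pki-tomcat/dogtag.keytab"
# Hypothetical values (assumed, not from the report).
DOGTAG_PRINCIPAL = "dogtag/f30-0.ipa.local@IPA.LOCAL"
LDAP_URI = "ldap://f30-0.ipa.local"
LDAP_BASE = "cn=ipa,cn=etc,dc=ipa,dc=local"


def ccache_env(ccache_path, base_env=None):
    """Return an environment whose default Kerberos ccache is ccache_path.

    libkrb5 (and therefore Cyrus SASL's GSSAPI plugin used by ldapsearch)
    resolves the default ccache from KRB5CCNAME. If this variable is not
    set, the system default applies (KCM: on the reporter's machine), and
    creds stored elsewhere are never seen: that is the
    'No Kerberos credentials available (default cache: KCM:)' error.
    """
    env = dict(os.environ if base_env is None else base_env)
    env["KRB5CCNAME"] = "FILE:" + ccache_path
    return env


def kinit_cmd(keytab, principal):
    """kinit invocation that obtains a TGT from a keytab (no password prompt)."""
    return ["kinit", "-kt", keytab, principal]


def ldapsearch_cmd(uri, base, search_filter="(objectClass=*)", attrs=()):
    """ldapsearch invocation that binds with SASL/GSSAPI."""
    return ["ldapsearch", "-Y", "GSSAPI", "-H", uri, "-b", base,
            search_filter, *attrs]


def gssapi_search(keytab=DOGTAG_KEYTAB, principal=DOGTAG_PRINCIPAL,
                  uri=LDAP_URI, base=LDAP_BASE,
                  search_filter="(objectClass=*)", attrs=("dn",)):
    """Acquire creds into a private ccache and search LDAP with them.

    Both subprocesses receive the same env, so the bind uses exactly the
    ccache that kinit populated. The temporary directory (and the TGT in
    it) is removed when the search finishes.
    """
    with tempfile.TemporaryDirectory(prefix="pki-retrieve-") as tmpdir:
        ccache = os.path.join(tmpdir, "ccache")
        env = ccache_env(ccache)
        subprocess.run(kinit_cmd(keytab, principal), env=env, check=True)
        result = subprocess.run(
            ldapsearch_cmd(uri, base, search_filter, attrs),
            env=env, check=True, capture_output=True, text=True,
        )
        return result.stdout


if __name__ == "__main__":
    # Requires a reachable KDC and LDAP server; prints the LDIF result.
    print(gssapi_search())
```

The check a practitioner would make when debugging this class of bug: run the failing helper with KRB5_TRACE=/dev/stderr and confirm which ccache the GSSAPI layer opens during the bind; if it is not the one kinit wrote to, the credentials are simply not being handed to the bind, regardless of whether acquisition succeeded.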
PR: https://github.com/freeipa/freeipa/pull/3216
Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)