Issue #7964: GSSAPI failure causing LWCA key replication failure on f30 - freeipa

freeipa

#7964 GSSAPI failure causing LWCA key replication failure on f30

Closed: fixed 4 years ago by ftweedal. Opened 4 years ago by ftweedal.

Issue

LWCA key replication is failing on f30. Dogtag cannot retrieve the keys. In debug log:

2019-05-30 14:53:03 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] FINE: Running ExternalProcessKeyRetriever
2019-05-30 14:53:03 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, caSigningCert cert-pki-ca 06e99390-24f8-4632-a26c-a01693fb87f
d, f30-0.ipa.local]
2019-05-30 14:53:04 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] SEVERE: Failed to retrieve key from any host.
2019-05-30 14:53:04 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] WARNING: KeyRetriever did not return a result.
2019-05-30 14:53:04 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] FINE: Retrying in 1946 seconds

In journal we see:

GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KCM:))

In ipa-pki-retrieve-key, credential acquisition (from /etc/pki/pki-tomcat/dogtag.keytab) succeeds but those credentials are not used when binding to LDAP.

Steps to Reproduce

Create server and CA replica on f30.
Create LWCA on one CA server.

Actual behavior

LWCA key replicaion failure on the other CA server, as described above.

Furthermore, the ca-show command fails; NPE due to missing keys:

[f30-1:~/dev/freeipa] [ master● ] ftweedal% ipa ca-show test1
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500.

Debug log:

2019-05-30 14:56:41 [ajp-nio-127.0.0.1-8009-exec-5] FINE: MessageFormatInterceptor: AuthorityResource.getCert()                                                                                                    
2019-05-30 14:56:41 [ajp-nio-127.0.0.1-8009-exec-5] FINE: MessageFormatInterceptor: content-type: null                                                                                                             
2019-05-30 14:56:41 [ajp-nio-127.0.0.1-8009-exec-5] FINE: MessageFormatInterceptor: accept: [application/pkix-cert]                                                                                                
2019-05-30 14:56:41 [ajp-nio-127.0.0.1-8009-exec-5] FINE: MessageFormatInterceptor: response format: application/pkix-cert                                                                                         
2019-05-30 14:56:41 [ajp-nio-127.0.0.1-8009-exec-5] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception                                                                    
org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException                            
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)                                                                                                           
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)          ....
Caused by: java.lang.NullPointerException
        at org.dogtagpki.server.ca.rest.AuthorityService.getCert(AuthorityService.java:147)
    ....

Expected behavior

no NPE or IPA command failure when executing ca-show and keys are missing.
Key replication succeeds.

ftweedal commented 4 years ago

PR: https://github.com/freeipa/freeipa/pull/3216

ftweedal commented 4 years ago

master:

854d305 Handle missing LWCA certificate or chain
c027b93 (HEAD) Fix CustodiaClient ccache handling

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

abbra commented 4 years ago

ipa-4-7:

16016e8 Handle missing LWCA certificate or chain
6e57abb Fix CustodiaClient ccache handling
5f0b0b5 CustodiaClient: use ldapi when ldap_uri not specified
54a5bbb CustodiaClient: fix IPASecStore config on ipa-4-7

ftweedal commented 4 years ago

ipa-4-6:

82a9fe7 Handle missing LWCA certificate or chain
436214a Fix CustodiaClient ccache handling
1f45586 CustodiaClient: use ldapi when ldap_uri not specified
c9d0ba0 CustodiaClient: fix IPASecStore config on ipa-4-7
e686949 (HEAD) Bump krb5 min version

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#7964 GSSAPI failure causing LWCA key replication failure on f30 Closed: fixed 4 years ago by ftweedal. Opened 4 years ago by ftweedal.

Issue

Steps to Reproduce

Actual behavior

Expected behavior

Metadata

#7964 GSSAPI failure causing LWCA key replication failure on f30

Closed: fixed 4 years ago by ftweedal. Opened 4 years ago by ftweedal.