#7964 GSSAPI failure causing LWCA key replication failure on f30
Closed: fixed 4 years ago by ftweedal. Opened 4 years ago by ftweedal.


LWCA key replication is failing on f30. Dogtag cannot retrieve the keys. In debug log:

2019-05-30 14:53:03 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] FINE: Running ExternalProcessKeyRetriever
2019-05-30 14:53:03 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, caSigningCert cert-pki-ca 06e99390-24f8-4632-a26c-a01693fb87f
d, f30-0.ipa.local]
2019-05-30 14:53:04 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] SEVERE: Failed to retrieve key from any host.
2019-05-30 14:53:04 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] WARNING: KeyRetriever did not return a result.
2019-05-30 14:53:04 [KeyRetrieverRunner-06e99390-24f8-4632-a26c-a01693fb87fd] FINE: Retrying in 1946 seconds

In journal we see:

GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KCM:))

In ipa-pki-retrieve-key, credential acquisition (from /etc/pki/pki-tomcat/dogtag.keytab) succeeds but those credentials are not used when binding to LDAP.

Steps to Reproduce

  1. Create server and CA replica on f30.
  2. Create LWCA on one CA server.

Actual behavior

LWCA key replicaion failure on the other CA server, as described above.

Furthermore, the ca-show command fails; NPE due to missing keys:

[f30-1:~/dev/freeipa] [ master‚óŹ ] ftweedal% ipa ca-show test1
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. 

Debug log:

2019-05-30 14:56:41 [ajp-nio-] FINE: MessageFormatInterceptor: AuthorityResource.getCert()                                                                                                    
2019-05-30 14:56:41 [ajp-nio-] FINE: MessageFormatInterceptor: content-type: null                                                                                                             
2019-05-30 14:56:41 [ajp-nio-] FINE: MessageFormatInterceptor: accept: [application/pkix-cert]                                                                                                
2019-05-30 14:56:41 [ajp-nio-] FINE: MessageFormatInterceptor: response format: application/pkix-cert                                                                                         
2019-05-30 14:56:41 [ajp-nio-] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception                                                                    
org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException                            
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)                                                                                                           
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)          ....
Caused by: java.lang.NullPointerException
        at org.dogtagpki.server.ca.rest.AuthorityService.getCert(AuthorityService.java:147)

Expected behavior

  • no NPE or IPA command failure when executing ca-show and keys are missing.
  • Key replication succeeds.


  • 854d305 Handle missing LWCA certificate or chain
  • c027b93 (HEAD) Fix CustodiaClient ccache handling

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago


  • 16016e8 Handle missing LWCA certificate or chain
  • 6e57abb Fix CustodiaClient ccache handling
  • 5f0b0b5 CustodiaClient: use ldapi when ldap_uri not specified
  • 54a5bbb CustodiaClient: fix IPASecStore config on ipa-4-7


  • 82a9fe7 Handle missing LWCA certificate or chain
  • 436214a Fix CustodiaClient ccache handling
  • 1f45586 CustodiaClient: use ldapi when ldap_uri not specified
  • c9d0ba0 CustodiaClient: fix IPASecStore config on ipa-4-7
  • e686949 (HEAD) Bump krb5 min version

Login to comment on this ticket.