#9692 ipa-kra-install fails - Unable to add KRA connector for URL KRA connector already exists
Closed: fixed 12 days ago by rcritten. Opened 3 months ago by orion.

Issue

We are migrating our IPA servers to EL9 and I'm trying to set up KRA on some of them. ipa-kra-install fails with:

INFO: HTTP request: POST /ca/admin/ca/updateConnector HTTP/1.1
FINE: - Authorization: ********
FINE: - Content-Type: application/x-www-form-urlencoded
FINE: - Content-Length: 2802
FINE: - Host: ipa-bld01.cora.nwra.com:443
FINE: - Connection: Keep-Alive
FINE: - User-Agent: Apache-HttpClient/4.5.13 (Java/17.0.13)
FINE: Request:
ca.connector.KRA.host=ipa-bld01.cora.nwra.com&ca.connector.KRA.timeout=30&ca.connector.KRA.transportCertNickname=transportCert+cert-pki-kra&ca.connector.KRA.port=8443&ca.connector.KRA.subsystemCert=MIIDYTCCAkmgAwIBAgIEH%2F8AfDANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhOV1JBLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTIzMDYxODE0MDA0NloXDTI1MDYwNzE0MDA0NlowKjERMA8GA1UECgwITldSQS5DT00xFTATBgNVBAMMDENBIFN1YnN5c3RlbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHJ0GoDNW1t2atyKI4InkaItpxZxUnqziH9OiZ80EQqcaApWZYjfIym6y9cdpDw%2FWlLBuKbilkizmqlIqNv3EpaGf6xmLtFK2jnnvE2f4ie4d7oK4rDIFh7J7Gof52m03beUf5sJClmXAMh2h2w8mheYfOBa11lAek3nqvB55oWvO68%2B7ibU5WxBFA8rVkQfQSBWCHEOT01jIsy4ikd4lb5Uw8AO056TBz8PJm7%2BFAPpESxYlKyl7PW%2Bm3AfNTmUAn6sPX6knUwZpJg7g1910l%2FVulssCFhTbKihA4x033KTY4C87OSCaDcTnhBFrw8Rnlhbf3rLmCGGcUgglbFiJkCAwEAAaOBhTCBgjAfBgNVHSMEGDAWgBRJr%2FOpqx2kIY%2FfbYPKINHSOrCzVjA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0dHA6Ly9pcGEtY2EubndyYS5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAIQ%2Fz2MlHUFW3PjeMr9L1d7yXFh4g6MdX7Hrc8lU0xdHE4lAojA%2Fv%2BEsQCTxBGYTtWNqSuB0Ye%2FzUMykX5N9wQwcOvYdCVW9XyCElJZ%2BL6NzKkveWQ5ZRaTZg3HA1tBH7T2Q0cmkQlJea6MW5ggEM4n5F%2FCH8XIqZhY4FgmPOXxA6z%2Bz1ZwvBVCBXyHUOtj9pwDQ0yD46fCqhT4QyNka2Q2QUbny4DdzYD%2Fkw3GxBCoZ5phYlR305OruOmZC7SiPZhcpXj1nC3%2Bw6UcYLAy%2FbFQBr3U%2FvwGw2YBteT0FA9f3qZrP5lm7n4MUCoo6%2F%2BLfYu5jpiVrGqjulRKHG6XuC4s%3D&ca.connector.KRA.enable=true&ca.connector.KRA.local=false&sessionID=8655241075743862838&ca.connector.KRA.transportCert=MIIDbjCCAlagAwIBAgIEH%2F8AgjANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhOV1JBLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTIzMDkxMTE1MDEwOVoXDTI1MDgzMTE1MDEwOVowNzERMA8GA1UECgwITldSQS5DT00xIjAgBgNVBAMMGUtSQSBUcmFuc3BvcnQgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD5LfY6zO14kvze71eMF%2FtWJWHQPxkv1r7JnHQzRjxNH8I%2FpOIToIfBcPIMUW0vQRGCENDyEitfOyr07A9E9RD9Q6Ji24i3rK31Q99AxTyJeQ2kT8NPwWELXCCPeWrRJl5JquxhhKxW0X215%2FRTPeTHy0oIYP0XKOXEGO2DgVndvwPdU6Zaa%2F9Kex32Rd0l
1%2B5tb0Oky7n5qOhrvRvZBCy%2FY90pQQ2kbVvxL0Quy9DYB0gL1Yp44F5QFR6En6RIOVvQdweOuDo4E5XHAP4lLCIty%2B67LC37Nh0jyy2l%2FBtbs2DJ9OFYRFXmCEtfgENla2IZo%2BWWRZMcB4uW4V9N4VBLAgMBAAGjgYUwgYIwHwYDVR0jBBgwFoAUSa%2FzqasdpCGP322DyiDR0jqws1YwOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vaXBhLWNhLm53cmEuY29tL2NhL29jc3AwDgYDVR0PAQH%2FBAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBAUN%2FNNHYBXqIw7rdNaAv1Z%2FPcMsD%2B3fJQoTWMbLh%2BVWnxZmUqoky6PjulWIRBpFR3iyH%2BvvMdwvbldBMRlk6BbaSYAJwyV%2FzG%2FksnAEvMlVDWD%2BZOXNHeE3yphmuLwX5QaKka7TYSxTwvGImeCZM89jbiLpwsIbN%2BHABDE3GqRIwYnvXfts5tHuZFed4xRW00NYpDHZb6P9GmozkGVuT64u735DziTj4m2cVOVhEbrOBHX6Zw3SC%2FSYi2Y86uOlcNqu%2FmIlRXpQj90c72%2BtRHqkxzvQIQS%2FwCGpVFQw6l4qfqSDsdeGjf0hhzz3RwbAIgijO7NtiVrM1N0zVIF4NZ&ca.connector.KRA.uri=%2Fkra%2Fagent%2Fkra%2Fconnector
INFO: HTTP response: HTTP/1.1 200 OK
FINE: - Date: Thu, 31 Oct 2024 16:06:36 GMT
FINE: - Server: Apache/2.4.57 (AlmaLinux) OpenSSL/3.0.7 mod_auth_gssapi/1.6.3 mod_wsgi/4.7.1 Python/3.9
FINE: - Content-Type: application/json
FINE: - Content-Length: 159
FINE: - Vary: Accept-Encoding
FINE: - Keep-Alive: timeout=30, max=99
FINE: - Connection: Keep-Alive
FINE: Response:
{
  "Response" : {
    "Status" : "1",
    "Error" : "Unable to add KRA connector for https://ipa-bld01.cora.nwra.com:8443: KRA connector already exists"
  }
}
FINE: CAClient: Response: {
  "Response" : {
    "Status" : "1",
    "Error" : "Unable to add KRA connector for https://ipa-bld01.cora.nwra.com:8443: KRA connector already exists"
  }
}

If afterwards I run:

root@ipa-bld01.cora.nwra.com [~]# pki -u admin ca-kraconnector-show
Enter Password:
WARNING: UNTRUSTED ISSUER encountered on 'CN=ipa-bld01.cora.nwra.com,O=NWRA.COM' indicates a non-trusted CA cert 'CN=Certificate Authority,O=NWRA.COM'
Trust this certificate (y/N)? y

Host: europa.nwra.com:443 ipa-seattle01.nwra.com:443 ipa-monterey01.nwra.com:443
Enabled: true
Local: false
Timeout: 30
URI: /kra/agent/kra/connector
Transport Cert:

I'm trying to understand the info from this post: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/UXSLAJA3HXOO7FTORS7IGMWCKE2JT55W/

What is the correct state for IPA servers with respect to KRA connectors? Completely empty? Just themselves?

I tried removing all of the connectors on the new ipa-bld01 and then re-adding it, but I get:

# pki -u admin ca-kraconnector-add --host ipa-bld01.nwra.com --port 8443
Enter Password:
ERROR: Cannot add new host to existing connector.  No connector currently exists

If I try to run ipa-kra-install again:

# ipa-kra-install
Directory Manager password:

KRA already installed
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

kra status:

root@ipa-bld01.cora.nwra.com [~]# pki-server subsystem-show kra
  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: False

I enabled it:

root@ipa-bld01.cora.nwra.com [~]# pki-server subsystem-enable kra
-----------------------
Enabled "kra" subsystem
-----------------------
  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True

But is it really working or not? Should I start over completely (for the 5th time)? What config do I need on my other IPA servers so this one can get installed?

Hi,
This issue happens because there is a discrepancy on the master between the KRA transport cert in the NSS database and in /etc/pki/pki-tomcat/ca/CS.cfg (see https://pagure.io/freeipa/issue/9277).

Can you check the certificate in the NSS database with certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'transportCert cert-pki-kra' -a | tail -n +2 | head -n -1 | tr -d '\r\n'? It should print out the cert in ASCII in a single line, without the header and footer.
Then check the value in CS.cfg with grep 'ca.connector.KRA.transportCert' /etc/pki/pki-tomcat/ca/CS.cfg.
If the values differ, you need to update the one in CS.cfg with the one from the NSS database.
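An added example (not part of the ticket or of FreeIPA's own code) that scripts the check described in the comment above: it normalises the certutil output the same way, reads ca.connector.KRA.transportCert from CS.cfg, and writes a corrected copy beside CS.cfg rather than editing it in place. It assumes GNU sed/coreutils and the paths and nickname named in the comment; the live step only runs when the pki-tomcat files are actually present.

```shell
#!/bin/sh
# Added example, not from the ticket: compare the KRA transport cert in the NSS database
# with ca.connector.KRA.transportCert in the CA's CS.cfg and produce a corrected CS.cfg.
# Paths and the nickname are the ones named in the ticket; everything else is assumed.
NSSDB=${NSSDB:-/etc/pki/pki-tomcat/alias}
CS_CFG=${CS_CFG:-/etc/pki/pki-tomcat/ca/CS.cfg}
NICK='transportCert cert-pki-kra'
KEY='ca.connector.KRA.transportCert'

# Collapse PEM text (as printed by `certutil -L ... -a`) to its single-line base64 body.
pem_body() {
    sed -e '/^-----BEGIN /d' -e '/^-----END /d' | tr -d '\r\n'
}

# Print the value stored under $KEY in the CS.cfg given as $1 (empty if absent).
cscfg_value() {
    sed -n "s/^$KEY=//p" "$1" | tr -d '\r\n'
}

# Compare a base64 body ($1) with a CS.cfg value ($2): prints match/mismatch, returns 0/1.
# An empty NSS value never counts as a match (the nickname was probably not found).
compare_transport_cert() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Write a copy of CS.cfg ($1) to $3 with $KEY set to $2 (line replaced, or appended if missing).
rewrite_cscfg() {
    if grep -q "^$KEY=" "$1"; then
        sed "s|^$KEY=.*|$KEY=$2|" "$1" > "$3"
    else
        { cat "$1"; echo "$KEY=$2"; } > "$3"
    fi
}

# Live check, guarded so the functions above can also be exercised on constructed data.
if [ -d "$NSSDB" ] && [ -f "$CS_CFG" ]; then
    nss=$(certutil -L -d "$NSSDB" -n "$NICK" -a | pem_body)
    cfg=$(cscfg_value "$CS_CFG")
    if ! compare_transport_cert "$nss" "$cfg" >/dev/null; then
        rewrite_cscfg "$CS_CFG" "$nss" "$CS_CFG.new"
        echo "CS.cfg transport cert differs from NSS db; corrected copy written to $CS_CFG.new"
    fi
fi
```

Review the generated CS.cfg.new before moving it over CS.cfg and restarting pki-tomcat; the script deliberately does not touch the live file.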

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-59040
- Issue assigned to frenaud

a month ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7637

a month ago

master:

  • 76dfadd Installation test: KRA on replica after cert renewal
  • 10c3464 KRA cert renewal: update ca.connector.KRA.transportCert

ipa-4-12:

  • ff5bb48 Installation test: KRA on replica after cert renewal
  • a707083 KRA cert renewal: update ca.connector.KRA.transportCert

ipa-4-11:

  • b25885b Installation test: KRA on replica after cert renewal
  • 13e4fde KRA cert renewal: update ca.connector.KRA.transportCert

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

12 days ago

The fix needs an additional patch on the ipa-4-11 branch (see the failure in PR4286). Tentative patch in https://github.com/freeipa/freeipa/pull/7643

ipa-4-11:

  • ff9826a KRA cert renewal: update the certs in kra/CS.cfg
  • 37d79c6 SELinux: allow certmonger processes to write /etc/pki/pki-tomcat/kra/CS.cfg
