We are migrating our IPA servers to EL9 and I'm trying to set up KRA on some of them. ipa-kra-install fails with:
```
INFO: HTTP request: POST /ca/admin/ca/updateConnector HTTP/1.1
FINE: - Authorization: ********
FINE: - Content-Type: application/x-www-form-urlencoded
FINE: - Content-Length: 2802
FINE: - Host: ipa-bld01.cora.nwra.com:443
FINE: - Connection: Keep-Alive
FINE: - User-Agent: Apache-HttpClient/4.5.13 (Java/17.0.13)
FINE: Request: ca.connector.KRA.host=ipa-bld01.cora.nwra.com&ca.connector.KRA.timeout=30&ca.connector.KRA.transportCertNickname=transportCert+cert-pki-kra&ca.connector.KRA.port=8443&ca.connector.KRA.subsystemCert=MIIDYTCCAkmgAwIBAgIEH%2F8AfDANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhOV1JBLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTIzMDYxODE0MDA0NloXDTI1MDYwNzE0MDA0NlowKjERMA8GA1UECgwITldSQS5DT00xFTATBgNVBAMMDENBIFN1YnN5c3RlbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHJ0GoDNW1t2atyKI4InkaItpxZxUnqziH9OiZ80EQqcaApWZYjfIym6y9cdpDw%2FWlLBuKbilkizmqlIqNv3EpaGf6xmLtFK2jnnvE2f4ie4d7oK4rDIFh7J7Gof52m03beUf5sJClmXAMh2h2w8mheYfOBa11lAek3nqvB55oWvO68%2B7ibU5WxBFA8rVkQfQSBWCHEOT01jIsy4ikd4lb5Uw8AO056TBz8PJm7%2BFAPpESxYlKyl7PW%2Bm3AfNTmUAn6sPX6knUwZpJg7g1910l%2FVulssCFhTbKihA4x033KTY4C87OSCaDcTnhBFrw8Rnlhbf3rLmCGGcUgglbFiJkCAwEAAaOBhTCBgjAfBgNVHSMEGDAWgBRJr%2FOpqx2kIY%2FfbYPKINHSOrCzVjA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0dHA6Ly9pcGEtY2EubndyYS5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAIQ%2Fz2MlHUFW3PjeMr9L1d7yXFh4g6MdX7Hrc8lU0xdHE4lAojA%2Fv%2BEsQCTxBGYTtWNqSuB0Ye%2FzUMykX5N9wQwcOvYdCVW9XyCElJZ%2BL6NzKkveWQ5ZRaTZg3HA1tBH7T2Q0cmkQlJea6MW5ggEM4n5F%2FCH8XIqZhY4FgmPOXxA6z%2Bz1ZwvBVCBXyHUOtj9pwDQ0yD46fCqhT4QyNka2Q2QUbny4DdzYD%2Fkw3GxBCoZ5phYlR305OruOmZC7SiPZhcpXj1nC3%2Bw6UcYLAy%2FbFQBr3U%2FvwGw2YBteT0FA9f3qZrP5lm7n4MUCoo6%2F%2BLfYu5jpiVrGqjulRKHG6XuC4s%3D&ca.connector.KRA.enable=true&ca.connector.KRA.local=false&sessionID=8655241075743862838&ca.connector.KRA.transportCert=MIIDbjCCAlagAwIBAgIEH%2F8AgjANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhOV1JBLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTIzMDkxMTE1MDEwOVoXDTI1MDgzMTE1MDEwOVowNzERMA8GA1UECgwITldSQS5DT00xIjAgBgNVBAMMGUtSQSBUcmFuc3BvcnQgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD5LfY6zO14kvze71eMF%2FtWJWHQPxkv1r7JnHQzRjxNH8I%2FpOIToIfBcPIMUW0vQRGCENDyEitfOyr07A9E9RD9Q6Ji24i3rK31Q99AxTyJeQ2kT8NPwWELXCCPeWrRJl5JquxhhKxW0X215%2FRTPeTHy0oIYP0XKOXEGO2DgVndvwPdU6Zaa%2F9Kex32Rd0l1%2B5tb0Oky7n5qOhrvRvZBCy%2FY90pQQ2kbVvxL0Quy9DYB0gL1Yp44F5QFR6En6RIOVvQdweOuDo4E5XHAP4lLCIty%2B67LC37Nh0jyy2l%2FBtbs2DJ9OFYRFXmCEtfgENla2IZo%2BWWRZMcB4uW4V9N4VBLAgMBAAGjgYUwgYIwHwYDVR0jBBgwFoAUSa%2FzqasdpCGP322DyiDR0jqws1YwOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vaXBhLWNhLm53cmEuY29tL2NhL29jc3AwDgYDVR0PAQH%2FBAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBAUN%2FNNHYBXqIw7rdNaAv1Z%2FPcMsD%2B3fJQoTWMbLh%2BVWnxZmUqoky6PjulWIRBpFR3iyH%2BvvMdwvbldBMRlk6BbaSYAJwyV%2FzG%2FksnAEvMlVDWD%2BZOXNHeE3yphmuLwX5QaKka7TYSxTwvGImeCZM89jbiLpwsIbN%2BHABDE3GqRIwYnvXfts5tHuZFed4xRW00NYpDHZb6P9GmozkGVuT64u735DziTj4m2cVOVhEbrOBHX6Zw3SC%2FSYi2Y86uOlcNqu%2FmIlRXpQj90c72%2BtRHqkxzvQIQS%2FwCGpVFQw6l4qfqSDsdeGjf0hhzz3RwbAIgijO7NtiVrM1N0zVIF4NZ&ca.connector.KRA.uri=%2Fkra%2Fagent%2Fkra%2Fconnector
INFO: HTTP response: HTTP/1.1 200 OK
FINE: - Date: Thu, 31 Oct 2024 16:06:36 GMT
FINE: - Server: Apache/2.4.57 (AlmaLinux) OpenSSL/3.0.7 mod_auth_gssapi/1.6.3 mod_wsgi/4.7.1 Python/3.9
FINE: - Content-Type: application/json
FINE: - Content-Length: 159
FINE: - Vary: Accept-Encoding
FINE: - Keep-Alive: timeout=30, max=99
FINE: - Connection: Keep-Alive
FINE: Response: { "Response" : { "Status" : "1", "Error" : "Unable to add KRA connector for https://ipa-bld01.cora.nwra.com:8443: KRA connector already exists" } }
FINE: CAClient: Response: { "Response" : { "Status" : "1", "Error" : "Unable to add KRA connector for https://ipa-bld01.cora.nwra.com:8443: KRA connector already exists" } }
```
If afterwards I run:
```
root@ipa-bld01.cora.nwra.com [~]# pki -u admin ca-kraconnector-show
Enter Password:
WARNING: UNTRUSTED ISSUER encountered on 'CN=ipa-bld01.cora.nwra.com,O=NWRA.COM' indicates a non-trusted CA cert 'CN=Certificate Authority,O=NWRA.COM'
Trust this certificate (y/N)? y
  Host: europa.nwra.com:443 ipa-seattle01.nwra.com:443 ipa-monterey01.nwra.com:443
  Enabled: true
  Local: false
  Timeout: 30
  URI: /kra/agent/kra/connector
  Transport Cert:
MIIDbjCCAlagAwIBAgIED/8AJjANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhO
V1JBLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE4MDEw
MzIxNDAzMVoXDTE5MTIyNDIxNDAzMVowNzERMA8GA1UECgwITldSQS5DT00xIjAg
BgNVBAMMGUtSQSBUcmFuc3BvcnQgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQD5LfY6zO14kvze71eMF/tWJWHQPxkv1r7JnHQzRjxN
H8I/pOIToIfBcPIMUW0vQRGCENDyEitfOyr07A9E9RD9Q6Ji24i3rK31Q99AxTyJ
eQ2kT8NPwWELXCCPeWrRJl5JquxhhKxW0X215/RTPeTHy0oIYP0XKOXEGO2DgVnd
vwPdU6Zaa/9Kex32Rd0l1+5tb0Oky7n5qOhrvRvZBCy/Y90pQQ2kbVvxL0Quy9DY
B0gL1Yp44F5QFR6En6RIOVvQdweOuDo4E5XHAP4lLCIty+67LC37Nh0jyy2l/Btb
s2DJ9OFYRFXmCEtfgENla2IZo+WWRZMcB4uW4V9N4VBLAgMBAAGjgYUwgYIwHwYD
VR0jBBgwFoAUSa/zqasdpCGP322DyiDR0jqws1YwOgYIKwYBBQUHAQEELjAsMCoG
CCsGAQUFBzABhh5odHRwOi8vaXBhLWNhLm53cmEuY29tL2NhL29jc3AwDgYDVR0P
AQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IB
AQBU8zBbffwY9fR0wn11aOpNgcaZCfl7TPlB/kuZ8F9njZfeQaBJG33hM/tiqbFK
bvhuO4Fyl2Jb+TQSym9S29aLzIoHC0CnmgIrMFgx1lq2nJgx2SKsJAnQCD8gHf2u
gWBuN/ZXOl7MhJUJmIVvgkfjylicGqBsrqexDx1EyszqMtuAcJKj6n3sLceZeTWd
iqXueywi5hgyMTd8wHNwUjHPT7LvwoHKWzlDY2V1Dz1rsxTo9TH4MGBK1RQJ58Rq
i9oJvrCMLN0N6mg/ZidmyhhDQms6kQsm/cDMtH7E8VB0CjW0P7Mm8NHtYaEutpa8
MVULWU69YiSyXZCvf+kxY6dc
```
I'm trying to understand the info from this post: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/UXSLAJA3HXOO7FTORS7IGMWCKE2JT55W/
What is the correct state for IPA servers with respect to KRA connectors? Completely empty? Just themselves?
I tried removing all of the connectors on the new ipa-bld01 and then re-adding it, but I get:

```
# pki -u admin ca-kraconnector-add --host ipa-bld01.nwra.com --port 8443
Enter Password:
ERROR: Cannot add new host to existing connector. No connector currently exists
```
If I try to run ipa-kra-install again:
```
# ipa-kra-install
Directory Manager password:
KRA already installed
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
```
KRA status:

```
root@ipa-bld01.cora.nwra.com [~]# pki-server subsystem-show kra
  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: False
```
I enabled it:
```
root@ipa-bld01.cora.nwra.com [~]# pki-server subsystem-enable kra
-----------------------
Enabled "kra" subsystem
-----------------------
  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True
```
But is it really working or not? Should I start over completely (for the 5th time)? What config do I need on my other IPA servers so this one can get installed?
Hi, this issue happens because there is a discrepancy on the master between the KRA transport cert in the NSS database and in /etc/pki/pki-tomcat/ca/CS.cfg (see https://pagure.io/freeipa/issue/9277).
Can you check the certificate in the NSS database with certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'transportCert cert-pki-kra' -a | tail -n +2 | head -n -1 | tr -d '\r\n'? It should print out the cert in ASCII in a single line, without the header and footer. Then check the value in CS.cfg with grep 'ca.connector.KRA.transportCert' /etc/pki/pki-tomcat/ca/CS.cfg. If the values differ, you need to update the one in CS.cfg with the one from the NSS database.
```
certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'transportCert cert-pki-kra' -a | tail -n +2 | head -n -1 | tr -d '\r\n'
grep 'ca.connector.KRA.transportCert' /etc/pki/pki-tomcat/ca/CS.cfg
```
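The comparison frenaud describes, written out as a small POSIX shell script. This is an added example, not FreeIPA or Dogtag code and not part of the thread: the NSS database path, the `transportCert cert-pki-kra` nickname and the `ca.connector.KRA.transportCert` key are the ones quoted above; `pem_to_oneline` does the same job as the `tail | head | tr` pipeline but drops the BEGIN/END lines by pattern so it does not rely on GNU `head -n -1`; the function names, the `demo` driver and the two "certificates" are constructed placeholders (not real DER) so the whole thing runs offline without a PKI instance.

```sh
#!/bin/sh
# Added example (not FreeIPA/Dogtag code): detect the mismatch between the KRA
# transport cert in the CA's NSS database and the copy recorded in CS.cfg, and
# rewrite CS.cfg from the NSS value while keeping a backup. Paths, nickname and
# config key are the ones quoted in the thread; everything else is assumed.

NSS_DIR=${NSS_DIR:-/etc/pki/pki-tomcat/alias}
NSS_NICK=${NSS_NICK:-"transportCert cert-pki-kra"}
CS_CFG=${CS_CFG:-/etc/pki/pki-tomcat/ca/CS.cfg}
CS_KEY_RE='ca\.connector\.KRA\.transportCert'   # key as a sed BRE

# Reduce a PEM certificate on stdin to its base64 body on one line, with no
# header/footer and no line breaks or spaces (CS.cfg stores it that way).
pem_to_oneline() {
    sed -e '/^-----BEGIN /d' -e '/^-----END /d' | tr -d '\r\n '
}

# Transport cert as stored in the live NSS database (needs certutil; the
# offline demo below does not call this).
nss_transport_cert() {
    certutil -L -d "$NSS_DIR" -n "$NSS_NICK" -a | pem_to_oneline
}

# Transport cert as recorded in CS.cfg ($1); empty string if the key is absent.
cscfg_transport_cert() {
    sed -n "s/^${CS_KEY_RE}=//p" "$1" | tr -d '\r\n'
}

# $1 = base64 from the NSS database, $2 = path to CS.cfg.
# Returns 0 when both agree, 1 when CS.cfg is stale (the state in the thread),
# 2 when CS.cfg has no transportCert entry at all.
check_transport_cert() {
    recorded=$(cscfg_transport_cert "$2")
    [ -n "$recorded" ] || return 2
    [ "$recorded" = "$1" ]
}

# Rewrite CS.cfg ($2) so the key carries the NSS value ($1), keeping $2.bak.
# Base64 never contains '|' or '&', so '|' is a safe sed delimiter.
update_cscfg_transport_cert() {
    want=$1; file=$2
    cp -p "$file" "$file.bak" || return 1
    sed "s|^\(${CS_KEY_RE}\)=.*|\1=${want}|" "$file.bak" > "$file"
}

# Constructed sample data (placeholders, not real certificates): the "new" cert
# as certutil -a would print it, and an older value left behind in CS.cfg.
SAMPLE_NEW_PEM='-----BEGIN CERTIFICATE-----
TkVXLVRSQU5TUE9SVC1DRVJU
LUxJTkUtVFdP
-----END CERTIFICATE-----'
SAMPLE_OLD_B64='T0xELVRSQU5TUE9SVC1DRVJU'

# Write a minimal CS.cfg fragment with the stale value into $1.
write_sample_cscfg() {
    cat > "$1" <<EOF
ca.connector.KRA.enable=true
ca.connector.KRA.host=ipa-bld01.cora.nwra.com
ca.connector.KRA.port=8443
ca.connector.KRA.transportCert=${SAMPLE_OLD_B64}
ca.connector.KRA.uri=/kra/agent/kra/connector
EOF
}

# Offline run on the constructed data: detect the discrepancy, repair it, and
# return the result of the final check (0 once CS.cfg matches the NSS value).
demo() {
    dir=$(mktemp -d); cfg=$dir/CS.cfg
    write_sample_cscfg "$cfg"
    new=$(printf '%s\n' "$SAMPLE_NEW_PEM" | pem_to_oneline)
    if check_transport_cert "$new" "$cfg"; then
        echo "CS.cfg already matches the NSS database"
    else
        echo "CS.cfg transport cert differs from the NSS database; updating (backup: $cfg.bak)"
        update_cscfg_transport_cert "$new" "$cfg"
    fi
    check_transport_cert "$new" "$cfg"; rc=$?
    rm -rf "$dir"
    return $rc
}
```

`demo` exercises the constructed files only. On a real CA the equivalent is `check_transport_cert "$(nss_transport_cert)" "$CS_CFG"` followed, on a non-zero status, by `update_cscfg_transport_cert "$(nss_transport_cert)" "$CS_CFG"`; CS.cfg is read when the subsystem starts, so the `pki-tomcatd@pki-tomcat` service has to be restarted for the edit to take effect (the thread does not say this; it is my note).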
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-59040 - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7637
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-59040, https://issues.redhat.com/browse/RHEL-71964 (was: https://issues.redhat.com/browse/RHEL-59040)
master:
ipa-4-12:
ipa-4-11:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
The fix needs an additional patch on the ipa-4-11 branch (see the failure in PR4286). Tentative patch in https://github.com/freeipa/freeipa/pull/7643