I have 5 servers on CentOS 8 Stream, and while trying to update to
Rocky 9.1 I found that re-creating new replicas is successful only with
one server, and the others give an error.
It fails with this error (full log attached):
[22/29]: Importing RA key
Error storing key "keys/ra/ipaCert": CalledProcessError(Command
['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
returned non-zero exit status 1: 'Traceback (most recent call last):\n
File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in
<module>\n main(ra_agent_parser())\n File
line 114, in main\n
common.main(parser, export_key, import_key)\n File
line 73, in
main\n func(args, tmpdir, **kwargs)\n File
line 69, in
import_key\n ipautil.run(cmd, umask=0o027)\n File
"/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
run\n raise
CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
\'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
\'/var/lib/ipa/ra-agent.pem\', \'-password\',
\'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
\'Error outputting keys and
certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
default library context, Algorithm (RC2-40-CBC : 0),
Properties ()\\n\')\n')
[error] FileNotFoundError: [Errno 2] No such file or directory:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
So currently, I'm in a situation where I have servers:
A,B - CentOS8
I know that only when I'm mastering with server B the recreation of
a replica will be successful. Even with the new server on RHEL 9.1 no
replica will be created due to the custodia error.
Any ideas on how to fix that?
pki-ca on server A -
server B -
C,D,E -
ipa on A, B -
C,D,E -
I'm really worried about why only creating a replica with server B works.