On Mon, Apr 30, 2018 at 03:30:34PM +0200, H. Frenzel via FreeIPA-users wrote:
> Hi,
>
> I tried to install a CA to the 2nd master with a replicafile which was created on
> the 1st master (with self-signed CA), which fails with:
>
> ipa : DEBUG stderr=TokenException: Failed to import
> EncryptedPrivateKeyInfo to token: (-8152) The key does not support the
> requested operation.
>
> What could be wrong here? - Please find the detailed debug log of
> ipa-ca-install as attachment.
>
> Thx & b/r
> H.

Hi,

I've seen a couple of reports of this error recently. I do not know
what causes it, but based on my preliminary investigation I
recommend:

1. Clean up the failed replica via `ipa-server-install --uninstall`.
   You may need to use `ipa-replica-manage del` or `ipa server-del`
   as well, to clean up replication agreements.

2. Restart Dogtag on the master. (But before you do, out of
   interest, what is Dogtag's uptime?)

3. Attempt replica installation again.

If replica installation fails after the above steps, please provide
the /var/log/pki/pki-tomcat/ca/debug logs from both the master and
the replica-to-be.

Also, see if regular certificate issuance works on the master. (The
other times I saw this error, it was in fact a total failure of the
signing operation on the CA master, and nothing to do with replica
installation specifically.)

Thanks,
Fraser