Hi Antoine,
On Wed, 15 Dec 2021, Antoine Gatineau via FreeIPA-users wrote:
> Hi,
>
> This message was probably missed in all the log4shell exchanges.
> Any hint on how to rebuild the RA certificate with a newer algorithm before
> migrating to CentOS Stream 9?
The error you have is this:
----------------------------------------------------------
Error outputting keys and certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
default library context, Algorithm (RC2-40-CBC : 0), Properties()
----------------------------------------------------------
This is produced by OpenSSL 3.0.0, which does not have support for
legacy ciphers by default. This legacy cipher (RC2-40-CBC) was used by
PKI releases before
https://bugzilla.redhat.com/show_bug.cgi?id=1975406 was fixed.
Since in the CA replica installation case we get the RA agent key transferred
securely from the CA master, this key would be the one encrypted on CentOS
Stream 8 and would still use RC2-40-CBC, thus making it impossible to
consume on an OpenSSL 3.0.0-enabled system.
I think we need a bug against IPA to re-encrypt this key on the 'earlier'
system before the 'newer' one could be deployed. Adding Christian for
visibility.
Could you please open one?
Worst case you can re-enable the legacy provider in code, but I think a
migration/upgrade script is probably a better idea.
>
> Many thanks
>
> On Sat, 2021-12-11 at 16:56 +0100, Antoine Gatineau via FreeIPA-users wrote:
> >
> > Hello,
> >
> > I currently have a 2-node cluster running on CentOS Stream 8. In order to
> > upgrade to CentOS 9, I have removed one of the replicas from the
> > configuration, installed a fresh CentOS Stream 9 and ran ipa-replica-install.
> > It fails with this error (full log attached):
> > [22/29]: Importing RA key
> > Error storing key "keys/ra/ipaCert": CalledProcessError(Command
> > ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
> > returned non-zero exit status 1: 'Traceback (most recent call last):\n
> > File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in <module>\n
> > main(ra_agent_parser())\n
> > File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 114, in main\n
> > common.main(parser, export_key, import_key)\n
> > File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py", line 73, in main\n
> > func(args, tmpdir, **kwargs)\n
> > File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 69, in import_key\n
> > ipautil.run(cmd, umask=0o027)\n
> > File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run\n
> > raise CalledProcessError(\n
> > ipapython.ipautil.CalledProcessError: CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\',
> > \'-in\', \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\', \'/var/lib/ipa/ra-agent.pem\',
> > \'-password\', \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
> > \'Error outputting keys and certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
> > routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
> > default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')
> > [error] FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > What can I do to make this upgrade work?
> > Looks like an unsupported algorithm for the RA key. I tried "sudo
> > update-crypto-policies --set LEGACY" without success.
> >
> >
> > Thank you
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
>
> --
> Antoine Gatineau, Freelance IT Consultant
> Phone: +32 499 50 80 04
> Web: https://infra-monkey.com
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
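Because the diagnosis above hinges on which password-based-encryption (PBE) algorithm the transferred PKCS#12 bundle uses, here is an added example (not from this thread, FreeIPA or Dogtag) that scans a .p12 file for the PBE OIDs it carries and flags the RC2 ones, which OpenSSL 3 serves only from its legacy provider. It is a byte-pattern heuristic over the DER rather than a full ASN.1 parser, needs no legacy provider itself, and the file path argument is an assumption.

```python
"""Heuristic scan of a PKCS#12 blob for the PBE algorithm OIDs it carries,
to spot a legacy RC2-40-CBC bundle before an OpenSSL 3 host has to read it."""
import sys

# PBE OIDs seen in PKCS#12 ShroudedKeyBag / EncryptedData headers.
# RC2 is served only by OpenSSL 3's legacy provider; 3DES and PBES2 are not.
PBE_OIDS = {
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.4": ("pbeWithSHA1And2-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.5.13": ("PBES2", False),
}

def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # base-128 digits, high bit set on every byte except the last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def scan_pkcs12(der: bytes) -> dict:
    """Return {algorithm name: needs_legacy_provider} for each PBE OID found."""
    found = {}
    for dotted, (name, legacy) in PBE_OIDS.items():
        if encode_oid(dotted) in der:
            found[name] = legacy
    return found

def needs_reencrypt(der: bytes) -> bool:
    """True if OpenSSL 3 cannot open the bundle without its legacy provider."""
    return any(scan_pkcs12(der).values())

if __name__ == "__main__":
    # sys.argv[1]: path to the .p12 file to inspect (assumed CLI convention)
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    for name, legacy in scan_pkcs12(blob).items():
        print(f"{name}: {'legacy provider required' if legacy else 'ok'}")
    sys.exit(1 if needs_reencrypt(blob) else 0)
```

A bundle flagged here should be re-exported on the older host with PBES2/AES (openssl pkcs12 -export accepts -keypbe AES-256-CBC -certpbe AES-256-CBC) before the key is handed to an OpenSSL 3 replica.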