Hi Antoine,
On ke, 15 joulu 2021, Antoine Gatineau via FreeIPA-users wrote:
Hi,
This message was probably missed in all the log4shell exchanges.
Any hint on how to rebuild the RA certificate with a newer algorythm before migrating to
Centos Stream 9?
The error you have is this:
----------------------------------------------------------
Error outputting keys
andcertificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
default library context, Algorithm (RC2-40-CBC : 0), Properties()
----------------------------------------------------------
This is produced by an OpenSSL 3.0.0 which does not have support for
legacy ciphers by default. This legacy cipher (RC2-40-CBC) was used by
PKI releases prior to
https://bugzilla.redhat.com/show_bug.cgi?id=1975406 was fixed.
Since in the CA replica installation case we get RA agent key transferred
securely from CA master, this key would be the one encrypted on CentOS
Stream 8 and would still use RC2-40-CBC, thus making it impossible to
consume on OpenSSL 3.0.0-enabled system.
I think we need a bug against IPA to re-encrypt this key on 'earlier'
system before 'newer' one could be deployed. Adding Christian for
visibility.
Could you please open one?
Many thanks
On Sat, 2021-12-11 at 16:56 +0100, Antoine Gatineau via FreeIPA-users wrote:
>
> Hello,
>
> I have currently a 2 node cluster running on CentOS Stream 8. In order to upgrade to
CentOS 9, I have removed one of the replica from the
> configuration, installed a fresh centos stream 9 and run ipa-replica-install.
> It fails with this error (full log attached):
> [22/29]: Importing RA key
> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import',
'-']
> returned non-zero exit status 1: 'Traceback (most recent call last):\n File
"/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in
> <module>\n main(ra_agent_parser())\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line
114, in
> main\n
> common.main(parser, export_key, import_key)\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py", line
73, in
> main\n func(args, tmpdir, **kwargs)\n File
"/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line
69, in
> import_key\n ipautil.run(cmd, umask=0o027)\n File
"/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run\n
raise
> CalledProcessError(\nipapython.ipautil.CalledProcessError: CalledProcessError(Command
[\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
> \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\',
\'-out\', \'/var/lib/ipa/ra-agent.pem\', \'-password\',
> \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
\'Error outputting keys and
> certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope
> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
default library context, Algorithm (RC2-40-CBC : 0),
> Properties ()\\n\')\n')
> [error] FileNotFoundError: [Errno 2] No such file or directory:
'/var/lib/ipa/ra-agent.key'
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> What can I do to make this upgrade work?
> Looks like an unsupported algorithm for the RA key. I tried "sudo
update-crypto-policies --set LEGACY" without success.
>
>
> Thank you
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Antoine GatineauFreelance IT Consultant
Phone: +32 499 50 80 04
Web: https://infra-monkey.com
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland