On Wed, 2021-12-15 at 11:22 +0200, Alexander Bokovoy via FreeIPA-users
wrote:
> On ke, 15 joulu 2021, Antoine Gatineau via FreeIPA-users wrote:
> > Stupid question... Where should I go to file a bug on CentOS Stream? I know for Fedora or RHEL, but not this one....
>
> Please open it against RHEL 8 as this is where it needs to be fixed in
> the first place.
Opened 2032806 but I didn't put the RHEL version, and I can't modify it now.
Can you change the product and version?
Thank you
>
> >
> > Thanks
> >
> > On Wed, 2021-12-15 at 09:56 +0100, Antoine Gatineau via FreeIPA-users wrote:
> > > On Wed, 2021-12-15 at 10:49 +0200, Alexander Bokovoy via FreeIPA-users wrote:
> > > > Hi Antoine,
> > > >
> > > > On ke, 15 joulu 2021, Antoine Gatineau via FreeIPA-users wrote:
> > > > > Hi,
> > > > >
> > > > > This message was probably missed in all the log4shell exchanges.
> > > > > Any hint on how to rebuild the RA certificate with a newer algorithm before migrating to CentOS Stream 9?
> > > >
> > > > The error you have is this:
> > > >
> > > > ----------------------------------------------------------
> > > > Error outputting keys and certificates
> > > > 80EB2D6B5D7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties()
> > > > ----------------------------------------------------------
> > > >
> > > > This is produced by an OpenSSL 3.0.0 which does not have support for
> > > > legacy ciphers by default. This legacy cipher (RC2-40-CBC) was used by
> > > > PKI releases before https://bugzilla.redhat.com/show_bug.cgi?id=1975406
> > > > was fixed.
> > > >
> > > > Since in the CA replica installation case we get the RA agent key
> > > > transferred securely from the CA master, this key would be the one
> > > > encrypted on CentOS Stream 8 and would still use RC2-40-CBC, thus making
> > > > it impossible to consume on an OpenSSL 3.0.0-enabled system.
> > > >
> > > > I think we need a bug against IPA to re-encrypt this key on the 'earlier'
> > > > system before the 'newer' one can be deployed. Adding Christian for
> > > > visibility.
> > > >
> > > > Could you please open one?
> > >
> > > Thank you for the quick response. I'll file a bug for that.
> > > Have a good day
> > > >
> > > >
> > > > >
> > > > > Many thanks
> > > > >
> > > > > On Sat, 2021-12-11 at 16:56 +0100, Antoine Gatineau via FreeIPA-users wrote:
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I currently have a 2-node cluster running on CentOS Stream 8. In order
> > > > > > to upgrade to CentOS 9, I have removed one of the replicas from the
> > > > > > configuration, installed a fresh CentOS Stream 9 and run
> > > > > > ipa-replica-install.
> > > > > > It fails with this error (full log attached):
> > > > > > [22/29]: Importing RA key
> > > > > > Error storing key "keys/ra/ipaCert": CalledProcessError(Command ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-'] returned non-zero exit status 1: 'Traceback (most recent call last):\n File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in <module>\n main(ra_agent_parser())\n File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 114, in main\n common.main(parser, export_key, import_key)\n File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py", line 73, in main\n func(args, tmpdir, **kwargs)\n File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 69, in import_key\n ipautil.run(cmd, umask=0o027)\n File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run\n raise CalledProcessError(\nipapython.ipautil.CalledProcessError: CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\', \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\', \'/var/lib/ipa/ra-agent.pem\', \'-password\', \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1: \'Error outputting keys and certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')
> > > > > > [error] FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
> > > > > > Your system may be partly configured.
> > > > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > > > >
> > > > > > What can I do to make this upgrade work?
> > > > > > Looks like an unsupported algorithm for the RA key. I tried
> > > > > > "sudo update-crypto-policies --set LEGACY" without success.
> > > > > >
> > > > > >
> > > > > > Thank you
> > > > > > _______________________________________________
> > > > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > > > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > > > > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> > > > >
> > > > > --
> > > > > Antoine Gatineau
> > > > > Freelance IT Consultant
> > > > > Phone: +32 499 50 80 04
> > > > > Web: https://infra-monkey.com
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > / Alexander Bokovoy
> > > > Sr. Principal Software Engineer
> > > > Security / Identity Management Engineering
> > > > Red Hat Limited, Finland
> > >
> >
>
>
>
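A pre-migration check for the situation the thread describes: before a PKCS#12 bundle produced on the older (OpenSSL 1.1) host is carried to an OpenSSL 3 host, list the password-based encryption schemes it uses and flag those that only the OpenSSL 3 legacy provider can decrypt (the RC2-40-CBC certificate bag in the error above, as well as the other RC2/RC4 PKCS#12 PBE schemes; 3DES remains in the default provider). This is an added example and is not code from the thread or from FreeIPA; it is a standard-library-only DER walk that collects OIDs, using the PBE OIDs from RFC 7292 Appendix C and the PBES2/PBKDF2/AES OIDs from RFC 8018. The two sample blobs are constructed PKCS#12-shaped skeletons with placeholder ciphertext (they are not loadable bundles), and the script name `p12_pbe_check.py` is an assumption.

```python
"""
p12_pbe_check.py: report the PBE schemes inside a PKCS#12 file and whether a
stock OpenSSL 3 (default provider only) can decrypt all of them.
Added example; pure DER walk, no third-party modules.
"""
import sys

# PKCS#12 PBE schemes (RFC 7292, Appendix C).
PKCS12_PBE = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHA1And128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHA1And40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHA1And2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHA1And128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
}
# RC2 and RC4 live only in OpenSSL 3's legacy provider; 3DES is still default.
LEGACY_ONLY = {"1.2.840.113549.1.12.1.1", "1.2.840.113549.1.12.1.2",
               "1.2.840.113549.1.12.1.5", "1.2.840.113549.1.12.1.6"}
PBES2 = "1.2.840.113549.1.5.13"          # RFC 8018 PBES2 (what AES-256-CBC export uses)
PBKDF2 = "1.2.840.113549.1.5.12"
AES256_CBC = "2.16.840.1.101.3.4.1.42"


def _read_tlv(buf, pos):
    """Parse one DER tag+length at pos: (tag, constructed?, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, bool(tag & 0x20), pos, end


def _decode_oid(value):
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:                    # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def collect_oids(buf):
    """Every OID in the DER, descending into constructed elements and into OCTET
    STRINGs that themselves parse as DER (PKCS#12 nests AuthenticatedSafe and
    SafeContents that way). Opaque octets (ciphertext, salt, MAC) are skipped."""
    oids, pos = [], 0
    while pos < len(buf):
        tag, constructed, start, end = _read_tlv(buf, pos)
        if tag == 0x06:
            oids.append(_decode_oid(buf[start:end]))
        elif constructed:
            oids.extend(collect_oids(buf[start:end]))
        elif tag == 0x04:
            try:
                oids.extend(collect_oids(buf[start:end]))
            except (ValueError, IndexError):
                pass                       # not nested DER, just bytes
        pos = end
    return oids


def classify_pkcs12(der):
    """Summarise PBE schemes and whether OpenSSL 3's default provider covers them."""
    found = set(collect_oids(der))
    schemes = sorted(PKCS12_PBE[o] for o in found if o in PKCS12_PBE)
    if PBES2 in found:
        schemes.append("PBES2")
    legacy = sorted(PKCS12_PBE[o] for o in found if o in LEGACY_ONLY)
    return {"schemes": schemes, "legacy_only": legacy, "openssl3_default_ok": not legacy}


# --- constructed sample input (DER skeletons, not real bundles) -------------------
def _tlv(tag, body):
    if len(body) < 0x80:
        ln = bytes([len(body)])
    elif len(body) < 0x100:
        ln = b"\x81" + bytes([len(body)])
    else:
        ln = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def pkcs12_pbe_identifier(oid):
    """AlgorithmIdentifier { oid, pkcs-12PbeParams { salt, iterations=2048 } }."""
    params = _tlv(0x30, _tlv(0x04, b"\x01" * 8) + _tlv(0x02, b"\x08\x00"))
    return _tlv(0x30, _encode_oid(oid) + params)


def pbes2_aes256_identifier():
    """AlgorithmIdentifier { PBES2, { PBKDF2(salt, 2048), AES-256-CBC(iv) } }."""
    kdf = _tlv(0x30, _encode_oid(PBKDF2) +
               _tlv(0x30, _tlv(0x04, b"\x01" * 8) + _tlv(0x02, b"\x08\x00")))
    enc = _tlv(0x30, _encode_oid(AES256_CBC) + _tlv(0x04, b"\x02" * 16))
    return _tlv(0x30, _encode_oid(PBES2) + _tlv(0x30, kdf + enc))


def build_sample_pfx(cert_alg, key_alg):
    """Version INTEGER, then an authSafe OCTET STRING holding an encrypted
    certificate bag (cert_alg) and a shrouded key bag (key_alg), placeholder bytes."""
    cert_bag = _tlv(0x30, cert_alg + _tlv(0x80, b"\xAA" * 16))   # [0] encryptedContent
    key_bag = _tlv(0x30, key_alg + _tlv(0x04, b"\xBB" * 16))     # encryptedData octets
    return _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x04, _tlv(0x30, cert_bag + key_bag)))


# OpenSSL 1.1's defaults (RC2-40 cert bag, 3DES key bag), as seen in the thread,
# beside what an AES-256-CBC export produces.
LEGACY_SAMPLE = build_sample_pfx(pkcs12_pbe_identifier("1.2.840.113549.1.12.1.6"),
                                 pkcs12_pbe_identifier("1.2.840.113549.1.12.1.3"))
MODERN_SAMPLE = build_sample_pfx(pbes2_aes256_identifier(), pbes2_aes256_identifier())

if __name__ == "__main__":
    # Usage: python3 p12_pbe_check.py bundle.p12   (no argument: scan the samples)
    blobs = {"legacy sample": LEGACY_SAMPLE, "modern sample": MODERN_SAMPLE}
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blobs = {sys.argv[1]: fh.read()}
    for name, blob in blobs.items():
        print(name, classify_pkcs12(blob))
```

On the command line the same information comes from `openssl pkcs12 -info -noout -nokeys -in bundle.p12`, which prints the PBE algorithm of each bag, and a bundle that reports RC2 or RC4 can be re-exported on the older host with `openssl pkcs12 -export -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 ...` so that only PBES2/AES appears. That is the generic OpenSSL remedy for a file you hold on disk; in the replica-install path the RA key travels through Custodia, which is why Alexander's proposed fix is a re-encryption step inside IPA rather than a manual re-export.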