On 01.05.2018 09:33, Fraser Tweedale via FreeIPA-users wrote:
> ipa : DEBUG stderr=TokenException: Failed to import EncryptedPrivateKeyInfo to token: (-8152) The key does not support the requested operation.
> 1. Clean up the failed replica via `ipa-server-install --uninstall`.
> You may need to use `ipa-replica-manage del` or `ipa server-del`
> as well, to clean up replication agreements.
> 2. Restart Dogtag on the master. (But before you do, out of
> interest, what is Dogtag's uptime?)
> 3. Attempt replica installation again.
I did the above a few times. Dogtag's uptime at that point was 7h.
# service pki-tomcatd@pki-tomcat status
Redirecting to /bin/systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Mi 2018-05-02 06:30:44 CEST; 7h ago
  Process: 13876 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 14018 (java)
> Also, see if regular certificate issuance works on the master. (The
> other times I saw this error, it was in fact a total failure of the
> signing operation on the CA master, and nothing to do with replica
> installation specifically.)
Certificate issuance works as far as I could see. I tried with
'ipa-getcert request -d /tmp/test' and checked with:
# ipa-getcert request -d /tmp/test
Request ID '20180502121204':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/tmp/test',nickname='test',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/tmp/test',nickname='test',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa-01.example.com,O=EXAMPLE.COM
    expires: 2020-05-02 12:12:05 UTC
    dns: ipa-01.example.com
    principal name: host/ipa-01.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
> If replica installation fails after the above steps, please provide
> the /var/log/pki/pki-tomcat/ca/debug logs from both the master and
> the replica-to-be.
I tried it again to produce the requested logs. I did the following
steps:
1. on master: ipa-replica-prepare (see pki-tomcat_ca_debug.log.ipa-replica-prepare.1)
2. on replica: ipa-replica-install
This failed with:
'ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR cannot connect to 'ldaps://ipa-01.example.com': TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.'
Then I needed to perform the following steps to get it to work
(reproducible each time; both steps are required):
3. on master: ipa-server-upgrade (see pki-tomcat_ca_debug.log.ipa-server-upgrade.gz)
4. on master: ipa-certupdate (see pki-tomcat_ca_debug.log.ipa-certupdate.gz)
After this, I retried:
5. on master: ipa-replica-prepare (see pki-tomcat_ca_debug.log.ipa-replica-prepare.2)
6. on replica: ipa-replica-install (see pki-tomcat_ca_debug.log.ipa-replica-install.2)
This worked, so I tried to install the CA replica:
7. on replica: ipa-ca-install (see pki-tomcat_ca_debug.log.ipa-ca-install.2)
This failed again with:
'ipa : DEBUG stderr=TokenException: Failed to import EncryptedPrivateKeyInfo to token: (-8152) The key does not support the requested operation.'
There is no /var/log/pki/pki-tomcat/ca/debug created on the replica,
but I attached the pki-ca-spawn.20180502135730.log.
Thanks for the help
H.
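Fraser's suggestion to confirm that the master's CA is still issuing is easiest to act on if the `getcert` output quoted above is checked mechanically rather than by eye, especially on a host tracking dozens of certificates. The following Python is an added illustration for this thread, not FreeIPA or certmonger code: it parses `getcert list`-style output and reports every tracked request that is stuck, not in MONITORING, not issued by the IPA CA, or already inside its renewal window. The sample output is constructed: the first request is modelled on the one shown above, the second is a deliberately stuck request; the 28-day renewal lead time and the `ca-error` text are assumptions.

```python
"""Health check over certmonger `getcert list` output (the format that
`ipa-getcert request` / `ipa-getcert list` print).

Added illustration for this thread; not FreeIPA or certmonger code.
SAMPLE_GETCERT is constructed: request 1 is modelled on the thread's
request, request 2 is a deliberately stuck one. RENEW_WINDOW is an assumed
renewal lead time, not a value read from certmonger.
"""
import re
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=28)  # assumed lead time before expiry

SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20180502121204':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/tmp/test',nickname='test',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/tmp/test',nickname='test',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa-01.example.com,O=EXAMPLE.COM
    expires: 2020-05-02 12:12:05 UTC
    dns: ipa-01.example.com
    principal name: host/ipa-01.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20180502121300':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa-01.example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (Authentication Error)).
    stuck: yes
    CA: IPA
    expires: 2018-05-20 12:13:00 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_ID = re.compile(r"^Request ID '([^']+)':")


def parse_utc(stamp):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamps into aware datetimes."""
    if not stamp.endswith(" UTC"):
        raise ValueError("unexpected timestamp format: %r" % stamp)
    return datetime.strptime(stamp[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """Return {request_id: {field: value}}; lines before the first request are ignored."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_ID.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")  # split at the first colon only
        current[key.strip()] = value.strip()
    return requests


def assess(req, now, renew_window=RENEW_WINDOW):
    """Return problem strings for one parsed request; an empty list means healthy."""
    problems = []
    if req.get("status") != "MONITORING":
        problems.append("status is %s, expected MONITORING" % req.get("status"))
    if req.get("stuck") == "yes":
        problems.append("stuck: " + req.get("ca-error", "no ca-error recorded"))
    if req.get("CA") != "IPA":
        problems.append("issued by CA %r rather than IPA" % req.get("CA"))
    if "expires" in req:
        when = parse_utc(req["expires"])
        if when <= now:
            problems.append("expired at " + req["expires"])
        elif when - now < renew_window:
            problems.append("inside renewal window (expires %s) and not yet renewed" % req["expires"])
    return problems


def unhealthy_requests(text, now):
    """Map request ID -> problems for every tracked request that has any."""
    report = {}
    for rid, req in parse_getcert(text).items():
        problems = assess(req, now)
        if problems:
            report[rid] = problems
    return report


if __name__ == "__main__":
    now = parse_utc("2018-05-02 14:00:00 UTC")  # clock pinned to the thread's date
    for rid, problems in unhealthy_requests(SAMPLE_GETCERT, now).items():
        print(rid)
        for problem in problems:
            print("  -", problem)
```

On a real host, feed it `ipa-getcert list` output (for example via `subprocess.run(["ipa-getcert", "list"], capture_output=True, text=True).stdout`) and a current `datetime.now(timezone.utc)`; a clean report from the master's own tracked certificates is the quick confirmation Fraser asked for, while a stuck request with a `ca-error` points back at the CA rather than at the replica installer.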