I have 5 servers on CentOS 8 Stream, and while trying to update to Rocky 9.1 I found that re-creating new replicas is successful with only one server. The others produce an error.

It fails with this error (full log attached):

  [22/29]: Importing RA key
Error storing key "keys/ra/ipaCert": CalledProcessError(Command ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-'] returned non-zero exit status 1: 'Traceback (most recent call last):\n File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in <module>\n main(ra_agent_parser())\n File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 114, in main\n common.main(parser, export_key, import_key)\n File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py", line 73, in main\n func(args, tmpdir, **kwargs)\n File "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py", line 69, in import_key\n ipautil.run(cmd, umask=0o027)\n File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run\n raise CalledProcessError(\nipapython.ipautil.CalledProcessError: CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\', \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\', \'/var/lib/ipa/ra-agent.pem\', \'-password\', \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1: \'Error outputting keys and certificates\\n80EB2D6B5D7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()\\n\')\n')
  [error] FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/ipa/ra-agent.key'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

So currently, I'm in a situation where I have these servers:
A,B - CentOS8
C,D,E - RHEL9

I know that only when I'm mastering with server B will the re-creation of a replica be successful. Even with the new server on RHEL9.1, no replica will be created due to the custodia error. Any ideas on how to fix that?

pki-ca on
server A - 10.12.0.3
server B - 10.12.0.2
C,D,E - 11.2.1.1

ipa on
A, B - 4.9.8.2
C,D,E - 4.10.0.7

I'm really worried about why creating a replica works only with server B.

Alex