Hi all,
So I was searching around, still trying to find an answer, but sadly it seems to never have been solved. I found a repeat of the exact same error I have been seeing, and because of it, unable to add any new replicas --
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
If you look at that, it was 2017. No one ever responded with any help. I posted the exact same problem this year and nada as well. I love IPA, but am stuck with being able to expand the usage. Sure, I have a Red Hat support contract, but even the response there has been non-existent in solving this problem. Is anyone able to provide any help, or am I stuck and need to move away from RHEL and IPA? :-(
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

*ipapython.admintool: ERROR 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]*
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Kat via FreeIPA-users wrote:
See if you have /usr/libexec/ipa/ipa-custodia-check. If you do run it.
If not, you can get it from https://github.com/freeipa/freeipa/pull/948
This should help diagnose the issue.
rob
So, what is this telling me - which key is messed up - and how??
[root@ipap1 ~]# /usr/libexec/ipa/ipa-custodia-check ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Platform: Linux-3.10.0-957.5.1.el7.x86_64-x86_64-with-redhat-7.6-Maipo
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: IPA version: 4.6.4
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: IPA vendor version: 4.6.4-10.el7_6.2
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Realm: example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Host: ipap1.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Remote server: ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: File '/etc/ipa/default.conf' exists.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: File '/etc/krb5.keytab' exists.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: File '/etc/ipa/custodia/custodia.conf' exists.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: File '/etc/ipa/custodia/server.keys' exists.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Custodia client created.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Loaded key for usage 'sig' from '/etc/ipa/custodia/server.keys'.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: JWK KID matches host's service principal name 'host/ipap1.example.com@example.com'.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Checked host LDAP keys 'host/ipap1.example.com@example.com' for usage sig.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Local key for usage 'sig' matches key in LDAP.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Checked server LDAP keys 'host/ipap.example.com@example.com' for usage sig.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Loaded key for usage 'enc' from '/etc/ipa/custodia/server.keys'.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: JWK KID matches host's service principal name 'host/ipap1.example.com@example.com'.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Checked host LDAP keys 'host/ipap1.example.com@example.com' for usage enc.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Local key for usage 'enc' matches key in LDAP.
[2019-03-24T12:06:49 ipa-custodia-tester] <INFO>: Checked server LDAP keys 'host/ipap.example.com@example.com' for usage enc.
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'dm/DMHash': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'ra/ipaCert': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'ca/auditSigningCert cert-pki-ca': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'ca/caSigningCert cert-pki-ca': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'ca/ocspSigningCert cert-pki-ca': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] <INFO>: Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] <ERROR>: Failed to retrieve key 'ca/subsystemCert cert-pki-ca': 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"].
[ERROR] One or more tests have failed.
On 3/24/19 10:35, Rob Crittenden wrote:
See if you have /usr/libexec/ipa/ipa-custodia-check. If you do run it.
If not, you can get it from https://github.com/freeipa/freeipa/pull/948
This should help diagnose the issue.
rob
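A note on reading that output, with an added example that is not part of the thread and not FreeIPA's own code. Every local check on the new replica passes (its 'sig' and 'enc' keys carry the right KID and match what LDAP holds for it), and the failure only appears once a request reaches ipap.example.com. The quoted 406 text is the JWE decryption error from the jwcrypto library, raised on the server side when ipa-custodia cannot decrypt with the private key in its own /etc/ipa/custodia/server.keys. In other words, the key the client encrypted to (the server's published 'enc' key) and the key the server decrypts with are not the same pair; the replica-side tool cannot see the server's local file, so it cannot flag that. The script below does the comparison offline using RFC 7638 JWK thumbprints, which ignore private members so a private JWK and its published public half hash identically. It assumes server.keys is a JSON array of two RSA JWKs with "use" set to "sig" and "enc" and the host principal in "kid" (that is how freeipa's kem module writes the file; verify against your copy). The "published" keys, the host name and the realm are constructed placeholders, not real key material.

```python
"""Offline consistency check for FreeIPA Custodia (KEM) key material.

Added example, not FreeIPA code.  Assumption: /etc/ipa/custodia/server.keys is
a JSON array of private RSA JWKs, one "use": "sig" and one "use": "enc", each
with the host principal in "kid".  The published public keys are passed in by
the caller (on a live system you would read them from the cn=custodia subtree);
here they are constructed inline so the script runs offline.
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: the members that define a public key, per key type.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of public members)).

    Private members ("d", "p", "q", ...) are ignored, so a private JWK and the
    public JWK published for it produce the same thumbprint exactly when they
    belong to the same key pair.
    """
    kty = jwk["kty"]
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError("unsupported kty %r" % kty)
    canonical = {m: jwk[m] for m in _THUMBPRINT_MEMBERS[kty]}
    # Lexicographic member order, no whitespace: the form the RFC hashes.
    data = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()


def load_server_keys(text):
    """Parse server.keys and return {usage: jwk} for the 'sig' and 'enc' keys."""
    keys = json.loads(text)
    if not isinstance(keys, list):
        raise ValueError("server.keys should be a JSON array of JWKs")
    by_use = {}
    for key in keys:
        use = key.get("use")
        if use in by_use:
            raise ValueError("duplicate key for usage %r" % use)
        by_use[use] = key
    missing = {"sig", "enc"} - set(by_use)
    if missing:
        raise ValueError("server.keys lacks keys for %s" % sorted(missing))
    return by_use


def check_custodia_keys(server_keys_text, expected_kid, published):
    """Compare a host's local Custodia keys with the public keys published for it.

    Returns a list of human-readable problems; an empty list means consistent.
    """
    problems = []
    local = load_server_keys(server_keys_text)
    for use in ("sig", "enc"):
        key = local[use]
        if key.get("kid") != expected_kid:
            problems.append("%s: kid %r != expected %r" % (use, key.get("kid"), expected_kid))
        if use not in published:
            problems.append("%s: no published public key" % use)
            continue
        local_tp, remote_tp = jwk_thumbprint(key), jwk_thumbprint(published[use])
        if local_tp != remote_tp:
            problems.append("%s: local key %s != published key %s; peers encrypt to the "
                            "published key and this host cannot decrypt" % (use, local_tp, remote_tp))
    return problems


# --- constructed sample data: placeholder values, not real keys -------------
HOST_KID = "host/ipap.example.com@EXAMPLE.COM"


def _fake_rsa(n, kid, use, private=True):
    jwk = {"kty": "RSA", "kid": kid, "use": use, "e": "AQAB", "n": n}
    if private:
        jwk["d"] = "cHJpdmF0ZQ"  # placeholder, never a real private exponent
    return jwk


SERVER_KEYS_TEXT = json.dumps([_fake_rsa("c2lnLW1vZHVsdXM", HOST_KID, "sig"),
                               _fake_rsa("ZW5jLW1vZHVsdXM", HOST_KID, "enc")])
# Same 'sig' key, but a stale 'enc' key left over from an earlier install.
PUBLISHED_STALE = {"sig": _fake_rsa("c2lnLW1vZHVsdXM", HOST_KID, "sig", private=False),
                   "enc": _fake_rsa("b2xkLWVuYy1tb2R1bHVz", HOST_KID, "enc", private=False)}
PUBLISHED_OK = {"sig": _fake_rsa("c2lnLW1vZHVsdXM", HOST_KID, "sig", private=False),
                "enc": _fake_rsa("ZW5jLW1vZHVsdXM", HOST_KID, "enc", private=False)}

if __name__ == "__main__":
    for label, pub in (("stale", PUBLISHED_STALE), ("ok", PUBLISHED_OK)):
        print(label, check_custodia_keys(SERVER_KEYS_TEXT, HOST_KID, pub) or "consistent")
```

To use it against a real deployment, run jwk_thumbprint over the 'enc' entry of server.keys on the existing server and over the public key the replica retrieves for that server, and compare the two strings; a mismatch there, with the replica's own keys passing as in the output above, points at the server's published key rather than at anything on the new replica.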
freeipa-users@lists.fedorahosted.org