On 01.05.2018 09:33, Fraser Tweedale via FreeIPA-users wrote:
ipa : DEBUG stderr=TokenException: Failed to import EncryptedPrivateKeyInfo to token: (-8152) The key does not support the requested operation.
Clean up the failed replica via `ipa-server-install --uninstall`. You may need to use `ipa-replica-manage del` or `ipa server-del` as well, to clean up replication agreements.
Restart Dogtag on the master. (But before you do, out of interest, what is Dogtag's uptime?)
Attempt replica installation again.
I did the above few times. The recent dogtag uptime was 7h.
# service pki-tomcatd@pki-tomcat status
Redirecting to /bin/systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Mi 2018-05-02 06:30:44 CEST; 7h ago
  Process: 13876 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 14018 (java)
Also, see if regular certificate issuance works on the master. (The other times I saw this error, it was in fact a total failure of the signing operation on the CA master, and nothing to do with replica installation specifically.)
Certificate issuance works as far as I could see. I tried with 'ipa-getcert request -d /tmp/test' and checked with:
# ipa-getcert request -d /tmp/test
Request ID '20180502121204':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/tmp/test',nickname='test',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/tmp/test',nickname='test',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa-01.example.com,O=EXAMPLE.COM
	expires: 2020-05-02 12:12:05 UTC
	dns: ipa-01.example.com
	principal name: host/ipa-01.example.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
If replica installation fails after the above steps, please provide the /var/log/pki/pki-tomcat/ca/debug logs from both the master and the replica-to-be.
I tried it again to produce the requested logs. I did the following steps:
1. on master: ipa-replica-prepare (see pki-tomcat_ca_debug.log.ipa-replica-prepare.1.gz)
2. on replica: ipa-replica-install
   This failed with 'ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR cannot connect to 'ldaps://ipa-01.example.com': TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.'
Then I needed to perform the following steps to get it to work (reproducible each time; both steps are required):
3. on master: ipa-server-upgrade (see pki-tomcat_ca_debug.log.ipa-server-upgrade.gz)
4. on master: ipa-certupdate (see pki-tomcat_ca_debug.log.ipa-certupdate.gz)
After this, I retried:
5. on master: ipa-replica-prepare (see pki-tomcat_ca_debug.log.ipa-replica-prepare.2.gz)
6. on replica: ipa-replica-install (see pki-tomcat_ca_debug.log.ipa-replica-install.2.gz)
   This worked, so I tried to install the CA replication:
7. on replica: ipa-ca-install (see pki-tomcat_ca_debug.log.ipa-ca-install.2)
   This failed again with 'ipa : DEBUG stderr=TokenException: Failed to import EncryptedPrivateKeyInfo to token: (-8152) The key does not support the requested operation.'
There is no /var/log/pki/pki-tomcat/ca/debug created on the replica, but I attached the pki-ca-spawn.20180502135730.log.gz.
Thx for help,
H.
freeipa-users@lists.fedorahosted.org
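The "does issuance on the master still work?" check above is done by eye on the `ipa-getcert` output. As an added example (not from this thread or from FreeIPA), here is a small parser for that certmonger output that turns the check into a yes/no answer: the request must be MONITORING, not stuck, carry the expected IPA CA issuer, and hold a certificate that has not expired. The sample output is constructed from the fields shown in the mail; the `NOW_AT_THREAD` timestamp is an assumed "current time" for that sample.

```python
"""Decide from certmonger `ipa-getcert` output whether the IPA CA really
issued a certificate for a tracking request (the master-side sanity check
discussed in the thread). Added example, not FreeIPA/certmonger code."""
import re
from datetime import datetime, timezone

# Constructed sample, mirroring `ipa-getcert request -d /tmp/test` output.
SAMPLE = """\
Request ID '20180502121204':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/tmp/test',nickname='test',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa-01.example.com,O=EXAMPLE.COM
\texpires: 2020-05-02 12:12:05 UTC
\tpre-save command:
\ttrack: yes
"""
EXPECTED_ISSUER = "CN=Certificate Authority,O=EXAMPLE.COM"
# Assumed clock value for the sample (the mail is from 2018-05-02).
NOW_AT_THREAD = datetime(2018, 5, 2, 13, 0, tzinfo=timezone.utc)

def parse_getcert(text):
    """Return {request_id: {field: value}} from getcert output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def issuance_ok(fields, expected_issuer=EXPECTED_ISSUER, now=None):
    """True only if the CA signed the request: MONITORING, not stuck,
    issued by the expected CA, and the certificate is still valid."""
    now = now or datetime.now(timezone.utc)
    if fields.get("status") != "MONITORING" or fields.get("stuck") != "no":
        return False  # CA_UNREACHABLE, NEED_CA_CERT, stuck: yes, ... all fail
    if fields.get("issuer") != expected_issuer:
        return False  # empty issuer means no certificate was ever issued
    exp = fields.get("expires", "")
    if not exp:
        return False
    expires = datetime.strptime(exp, "%Y-%m-%d %H:%M:%S %Z")
    return expires.replace(tzinfo=timezone.utc) > now
```

Feed it the real output with `parse_getcert(open("getcert.txt").read())` and check every request; a request that never reaches MONITORING, or has an empty issuer, points at the CA signing path rather than at replica installation.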