Hi,
I tried to install a CA on the 2nd master using a replica file which was created on the 1st master (with a self-signed CA), which fails with:
ipa : DEBUG stderr=TokenException: Failed to import EncryptedPrivateKeyInfo to token: (-8152) The key does not support the requested operation.
What could be wrong here? Please find the detailed debug log of ipa-ca-install attached.
Thx & b/r H.
On Mon, Apr 30, 2018 at 03:30:34PM +0200, H. Frenzel via FreeIPA-users wrote:
Hi,
I've seen a couple of reports of this error recently. I do not know what causes it, but based on my preliminary investigation I recommend:
1. Clean up the failed replica via `ipa-server-install --uninstall`. You may need to use `ipa-replica-manage del` or `ipa server-del` as well, to clean up replication agreements.
2. Restart Dogtag on the master. (But before you do, out of interest, what is Dogtag's uptime?)
3. Attempt replica installation again.
If replica installation fails after the above steps, please provide the /var/log/pki/pki-tomcat/ca/debug logs from both the master and the replica-to-be.
Also, see if regular certificate issuance works on the master. (The other times I saw this error, it was in fact a total failure of the signing operation on the CA master, and nothing to do with replica installation specifically.)
Thanks, Fraser
On 01.05.2018 09:33, Fraser Tweedale via FreeIPA-users wrote:
ipa : DEBUG stderr=TokenException: Failed to import EncryptedPrivateKeyInfo to token: (-8152) The key does not support the requested operation.
Clean up the failed replica via `ipa-server-install --uninstall`. You may need to use `ipa-replica-manage del` or `ipa server-del` as well, to clean up replication agreements.
Restart Dogtag on the master. (But before you do, out of interest, what is Dogtag's uptime?)
Attempt replica installation again.
I did the above a few times. The recent Dogtag uptime was 7h.
# service pki-tomcatd@pki-tomcat status
Redirecting to /bin/systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Mi 2018-05-02 06:30:44 CEST; 7h ago
  Process: 13876 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 14018 (java)
Also, see if regular certificate issuance works on the master. (The other times I saw this error, it was in fact a total failure of the signing operation on the CA master, and nothing to do with replica installation specifically.)
Certificate issuance works as far as I could see. I tried with 'ipa-getcert request -d /tmp/test' and checked with:
# ipa-getcert request -d /tmp/test
Request ID '20180502121204':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/tmp/test',nickname='test',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/tmp/test',nickname='test',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa-01.example.com,O=EXAMPLE.COM
	expires: 2020-05-02 12:12:05 UTC
	dns: ipa-01.example.com
	principal name: host/ipa-01.example.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
If replica installation fails after the above steps, please provide the /var/log/pki/pki-tomcat/ca/debug logs from both the master and the replica-to-be.
I tried it again to produce the requested logs. I did the following steps:
1. on master: ipa-replica-prepare (see pki-tomcat_ca_debug.log.ipa-replica-prepare.1)
2. on replica: ipa-replica-install
   This failed with 'ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR cannot connect to 'ldaps://ipa-01.example.com': TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.'
Then I needed to perform the following steps to get it to work (reproducible each time; both steps are required):
3. on master: ipa-server-upgrade (see pki-tomcat_ca_debug.log.ipa-server-upgrade.gz)
4. on master: ipa-certupdate (see pki-tomcat_ca_debug.log.ipa-certupdate.gz)
After this, I retried:
5. on master: ipa-replica-prepare (see pki-tomcat_ca_debug.log.ipa-replica-prepare.2)
6. on replica: ipa-replica-install (see pki-tomcat_ca_debug.log.ipa-replica-install.2)
   This worked, so I tried to install the CA replication:
7. on replica: ipa-ca-install (see pki-tomcat_ca_debug.log.ipa-ca-install.2)
   This failed again with 'ipa : DEBUG stderr=TokenException: Failed to import EncryptedPrivateKeyInfo to token: (-8152) The key does not support the requested operation.'
There is no /var/log/pki/pki-tomcat/ca/debug created on the replica, but I attached the pki-ca-spawn.20180502135730.log.
Thx for help H.
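An added example (not from the thread, and not FreeIPA or certmonger code) that turns the manual ipa-getcert check above into a repeatable one: it parses a certmonger request listing and flags requests that are not MONITORING, are stuck, or expire within a warning window. The sample listing is constructed to mirror the quoted output and is not real data.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the ipa-getcert output quoted in the thread; not real data.
SAMPLE = """\
Request ID '20180502121204':
    status: MONITORING
    stuck: no
    subject: CN=ipa-01.example.com,O=EXAMPLE.COM
    expires: 2020-05-02 12:12:05 UTC
Request ID '20180502121205':
    status: CA_UNREACHABLE
    stuck: yes
    subject: CN=ipa-02.example.com,O=EXAMPLE.COM
    expires: 2018-05-03 00:00:00 UTC
"""

def parse_requests(text):
    """Map each certmonger request ID to a dict of its 'field: value' lines."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def problem_requests(requests, now, warn_days=30):
    """Return [(id, reasons)] for requests not MONITORING, stuck, or expiring soon."""
    flagged = []
    for rid, f in requests.items():
        reasons = []
        if f.get("status") != "MONITORING":
            reasons.append("status=" + f.get("status", "?"))
        if f.get("stuck") == "yes":
            reasons.append("stuck")
        if "expires" in f:
            when = datetime.strptime(f["expires"], "%Y-%m-%d %H:%M:%S %Z")
            if (when.replace(tzinfo=timezone.utc) - now).days < warn_days:
                reasons.append("expires " + f["expires"])
        if reasons:
            flagged.append((rid, reasons))
    return flagged

def check_sample(now_text="2018-05-02 14:00:00 UTC"):
    # Fixed "now" so the result is reproducible; pass datetime.now(timezone.utc) in practice.
    now = datetime.strptime(now_text, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return dict(problem_requests(parse_requests(SAMPLE), now))
```

In practice feed it the output of `ipa-getcert list` on the CA master, so a failing signing operation shows up as non-MONITORING or stuck requests before a replica install trips over it.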
Hi,
did you resolve this issue?