#5302 ipa vault internal error on replica without KRA
Closed: Fixed None Opened 8 years ago by spoore.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1262996

Description of problem:

Trying to run vault-retrieve on an IPA Replica without KRA installed is
resulting in an internal error.  If I install KRA, it then works.

# ON MASTER with KRA installed:

[root@master ~]# ipa vault-add vupgrade1 --type symmetric --password=Pa55w0rd1
-----------------------
Added vault "vupgrade1"
-----------------------
  Vault name: vupgrade1
  Type: symmetric
  Salt: z+NweI/Kodi1t4SgNY9v3Q==
  Owner users: admin
  Vault user: admin
[root@master ~]# SECRET="$(echo Secret123|base64)"

[root@master ~]# ipa vault-archive vupgrade1 --password='Pa55w0rd1' --data="$SECRET"
------------------------------------
Archived data into vault "vupgrade1"
------------------------------------

# ON REPLICA:

[root@replica ~]# kinit admin
Password for admin@TESTRELM.TEST:
[root@replica ~]# ipa vault-retrieve vupgrade1 --password='Pa55w0rd1' --out=/tmp/vault.out
ipa: ERROR: an internal error has occurred

Version-Release number of selected component (if applicable):

ipa-server-4.2.0-9.el7.x86_64

How reproducible:
always.

Steps to Reproduce:
1.  Install IPA Master with KRA

ipa-server-install
ipa-kra-install

2.  Install IPA Replica without KRA

ipa-replica-prepare # on master
ipa-replica-install

3.  Create Vault with data on Master

ipa vault-add vupgrade1 --type symmetric --password=Pa55w0rd1
SECRET="$(echo Secret123|base64)"
ipa vault-archive vupgrade1 --password='Pa55w0rd1' --data="$SECRET"


4.  Retrieve data from vault on Replica

ipa vault-retrieve vupgrade1 --password='Pa55w0rd1' --out=/tmp/vault.out

Actual results:

[root@replica ~]# ipa vault-retrieve vupgrade1 --password='Pa55w0rd1' --out=/tmp/vault.out
ipa: ERROR: an internal error has occurred

Expected results:

No error.  Should see output written to file.

Additional info:

Installing KRA on Replica fixes this issue.  But, should not be necessary from
what I understand.

httpd/error_log:

[Mon Sep 14 15:25:57.806201 2015] [:error] [pid 5381] ipa: ERROR: non-public: IOError: [Errno 2] No such file or directory
[Mon Sep 14 15:25:57.806215 2015] [:error] [pid 5381] Traceback (most recent call last):
[Mon Sep 14 15:25:57.806217 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Mon Sep 14 15:25:57.806219 2015] [:error] [pid 5381]     result = self.Command[name](*args, **options)
[Mon Sep 14 15:25:57.806220 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
[Mon Sep 14 15:25:57.806221 2015] [:error] [pid 5381]     ret = self.run(*args, **options)
[Mon Sep 14 15:25:57.806223 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
[Mon Sep 14 15:25:57.806224 2015] [:error] [pid 5381]     return self.execute(*args, **options)
[Mon Sep 14 15:25:57.806225 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 1170, in execute
[Mon Sep 14 15:25:57.806227 2015] [:error] [pid 5381]     transport_cert = kra_client.system_certs.get_transport_cert()
[Mon Sep 14 15:25:57.806228 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 298, in handler
[Mon Sep 14 15:25:57.806230 2015] [:error] [pid 5381]     return fn_call(inst, *args, **kwargs)
[Mon Sep 14 15:25:57.806231 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/pki/systemcert.py", line 52, in get_transport_cert
[Mon Sep 14 15:25:57.806232 2015] [:error] [pid 5381]     response = self.connection.get(url, self.headers)
[Mon Sep 14 15:25:57.806234 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/pki/client.py", line 115, in get
[Mon Sep 14 15:25:57.806235 2015] [:error] [pid 5381]     data=payload)
[Mon Sep 14 15:25:57.806236 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 476, in get
[Mon Sep 14 15:25:57.806238 2015] [:error] [pid 5381]     return self.request('GET', url, **kwargs)
[Mon Sep 14 15:25:57.806239 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
[Mon Sep 14 15:25:57.806240 2015] [:error] [pid 5381]     resp = self.send(prep, **send_kwargs)
[Mon Sep 14 15:25:57.806242 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
[Mon Sep 14 15:25:57.806243 2015] [:error] [pid 5381]     r = adapter.send(request, **kwargs)
[Mon Sep 14 15:25:57.806244 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
[Mon Sep 14 15:25:57.806246 2015] [:error] [pid 5381]     timeout=timeout
[Mon Sep 14 15:25:57.806247 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 544, in urlopen
[Mon Sep 14 15:25:57.806248 2015] [:error] [pid 5381]     body=body, headers=headers)
[Mon Sep 14 15:25:57.806249 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 341, in _make_request
[Mon Sep 14 15:25:57.806251 2015] [:error] [pid 5381]     self._validate_conn(conn)
[Mon Sep 14 15:25:57.806253 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 762, in _validate_conn
[Mon Sep 14 15:25:57.806254 2015] [:error] [pid 5381]     conn.connect()
[Mon Sep 14 15:25:57.806255 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 238, in connect
[Mon Sep 14 15:25:57.806257 2015] [:error] [pid 5381]     ssl_version=resolved_ssl_version)
[Mon Sep 14 15:25:57.806258 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/util/ssl_.py", line 254, in ssl_wrap_socket
[Mon Sep 14 15:25:57.806259 2015] [:error] [pid 5381]     context.load_cert_chain(certfile, keyfile)
[Mon Sep 14 15:25:57.806261 2015] [:error] [pid 5381] IOError: [Errno 2] No such file or directory
[Mon Sep 14 15:25:57.806472 2015] [:error] [pid 5381] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: vaultconfig_show(all=False, raw=False, version=u'2.155'): IOError
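The traceback above is the useful part of this ticket for anyone triaging "an internal error has occurred" from a vault command: the request was served by a replica whose vault plugin tried to talk to a KRA, and the TLS client setup failed in load_cert_chain with IOError [Errno 2] because the KRA agent certificate file does not exist on that host. The following is an added triage helper, not part of the ticket, FreeIPA or Dogtag; it scans an httpd error_log for that exact combination per worker pid and separates it from other vault-plugin tracebacks. The sample log text is a trimmed, constructed copy of the lines shown in this ticket, and the classification labels are this example's own.

```shell
#!/bin/sh
# Added triage helper (not from the ticket or from FreeIPA): classify vault-plugin
# tracebacks in an httpd error_log. The signature from this ticket is a traceback
# that passes through ipalib/plugins/vault.py and ends in load_cert_chain raising
# IOError [Errno 2], i.e. the KRA agent PEM file is absent on the serving host.

# Constructed sample: the relevant lines of the ticket's error_log, same pid.
SAMPLE_LOG="$(cat <<'EOF'
[Mon Sep 14 15:25:57.806201 2015] [:error] [pid 5381] ipa: ERROR: non-public: IOError: [Errno 2] No such file or directory
[Mon Sep 14 15:25:57.806215 2015] [:error] [pid 5381] Traceback (most recent call last):
[Mon Sep 14 15:25:57.806225 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 1170, in execute
[Mon Sep 14 15:25:57.806227 2015] [:error] [pid 5381]     transport_cert = kra_client.system_certs.get_transport_cert()
[Mon Sep 14 15:25:57.806259 2015] [:error] [pid 5381]     context.load_cert_chain(certfile, keyfile)
[Mon Sep 14 15:25:57.806261 2015] [:error] [pid 5381] IOError: [Errno 2] No such file or directory
EOF
)"

# Constructed sample of a different vault-plugin failure (made-up error text),
# used to show that the classifier does not over-match on "vault.py" alone.
SAMPLE_OTHER="$(cat <<'EOF'
[Mon Sep 14 16:00:00.000001 2015] [:error] [pid 6000]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 1170, in execute
[Mon Sep 14 16:00:00.000002 2015] [:error] [pid 6000] ValueError: constructed sample, not from the ticket
EOF
)"

# classify_vault_error LOGTEXT
# Prints one of:
#   missing-kra-agent-cert  vault plugin traceback ending in load_cert_chain IOError (this ticket)
#   other-vault-error       vault plugin traceback with some other cause
#   no-vault-error          no vault plugin traceback in the log
classify_vault_error() {
    log="$1"
    # Worker pids whose traceback went through the vault plugin.
    pids=$(printf '%s\n' "$log" | grep 'ipalib/plugins/vault.py' |
           sed -n 's/.*\[pid \([0-9]*\)\].*/\1/p' | sort -u)
    if [ -z "$pids" ]; then
        echo no-vault-error
        return 0
    fi
    # Only lines from the same worker pid belong to the same traceback.
    for pid in $pids; do
        per_pid=$(printf '%s\n' "$log" | grep "\[pid $pid\]")
        if printf '%s\n' "$per_pid" | grep -q 'load_cert_chain' &&
           printf '%s\n' "$per_pid" | grep -q 'IOError: \[Errno 2\]'; then
            echo missing-kra-agent-cert
            return 0
        fi
    done
    echo other-vault-error
}

# Stand-alone run against the constructed samples. On a real server you would
# pass the log contents instead, e.g.:
#   classify_vault_error "$(cat /var/log/httpd/error_log)"
classify_vault_error "$SAMPLE_LOG"
classify_vault_error "$SAMPLE_OTHER"
```

A result of missing-kra-agent-cert on a host is the condition this ticket describes: the command was served by a replica with no KRA of its own, and the fix path is either the patched server selection from the commits listed below or installing a KRA on that replica.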

master:

  • b035a2a install: always export KRA agent PEM file
  • 4b381b1 vault: select a server with KRA for vault operations

ipa-4-2:

  • 1002052 install: always export KRA agent PEM file
  • 0cfa434 vault: select a server with KRA for vault operations

Metadata Update from @spoore:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.2

7 years ago

