Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1262996
Description of problem:
Trying to run vault-retrieve on an IPA Replica without KRA installed is resulting in an internal error. If I install KRA, it then works.

# ON MASTER with KRA installed:
[root@master ~]# ipa vault-add vupgrade1 --type symmetric --password=Pa55w0rd1
-----------------------
Added vault "vupgrade1"
-----------------------
  Vault name: vupgrade1
  Type: symmetric
  Salt: z+NweI/Kodi1t4SgNY9v3Q==
  Owner users: admin
  Vault user: admin
[root@master ~]# SECRET="$(echo Secret123|base64)"
[root@master ~]# ipa vault-archive vupgrade1 --password='Pa55w0rd1' --data="$SECRET"
------------------------------------
Archived data into vault "vupgrade1"
------------------------------------

# ON REPLICA:
[root@replica ~]# kinit admin
Password for admin@TESTRELM.TEST:
[root@replica ~]# ipa vault-retrieve vupgrade1 --password='Pa55w0rd1' --out=/tmp/vault.out
ipa: ERROR: an internal error has occurred

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-9.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Install IPA Master with KRA
   ipa-server-install
   ipa-kra-install
2. Install IPA Replica without KRA
   ipa-replica-prepare   # on master
   ipa-replica-install
3. Create Vault with data on Master
   ipa vault-add vupgrade1 --type symmetric --password=Pa55w0rd1
   SECRET="$(echo Secret123|base64)"
   ipa vault-archive vupgrade1 --password='Pa55w0rd1' --data="$SECRET"
4. Retrieve data from vault on Replica
   ipa vault-retrieve vupgrade1 --password='Pa55w0rd1' --out=/tmp/vault.out

Actual results:
[root@replica ~]# ipa vault-retrieve vupgrade1 --password='Pa55w0rd1' --out=/tmp/vault.out
ipa: ERROR: an internal error has occurred

Expected results:
No error. Should see output written to file.

Additional info:
Installing KRA on Replica fixes this issue. But it should not be necessary, from what I understand.
httpd/error_log:
[Mon Sep 14 15:25:57.806201 2015] [:error] [pid 5381] ipa: ERROR: non-public: IOError: [Errno 2] No such file or directory
[Mon Sep 14 15:25:57.806215 2015] [:error] [pid 5381] Traceback (most recent call last):
[Mon Sep 14 15:25:57.806217 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Mon Sep 14 15:25:57.806219 2015] [:error] [pid 5381]     result = self.Command[name](*args, **options)
[Mon Sep 14 15:25:57.806220 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
[Mon Sep 14 15:25:57.806221 2015] [:error] [pid 5381]     ret = self.run(*args, **options)
[Mon Sep 14 15:25:57.806223 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
[Mon Sep 14 15:25:57.806224 2015] [:error] [pid 5381]     return self.execute(*args, **options)
[Mon Sep 14 15:25:57.806225 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 1170, in execute
[Mon Sep 14 15:25:57.806227 2015] [:error] [pid 5381]     transport_cert = kra_client.system_certs.get_transport_cert()
[Mon Sep 14 15:25:57.806228 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 298, in handler
[Mon Sep 14 15:25:57.806230 2015] [:error] [pid 5381]     return fn_call(inst, *args, **kwargs)
[Mon Sep 14 15:25:57.806231 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/pki/systemcert.py", line 52, in get_transport_cert
[Mon Sep 14 15:25:57.806232 2015] [:error] [pid 5381]     response = self.connection.get(url, self.headers)
[Mon Sep 14 15:25:57.806234 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/pki/client.py", line 115, in get
[Mon Sep 14 15:25:57.806235 2015] [:error] [pid 5381]     data=payload)
[Mon Sep 14 15:25:57.806236 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 476, in get
[Mon Sep 14 15:25:57.806238 2015] [:error] [pid 5381]     return self.request('GET', url, **kwargs)
[Mon Sep 14 15:25:57.806239 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
[Mon Sep 14 15:25:57.806240 2015] [:error] [pid 5381]     resp = self.send(prep, **send_kwargs)
[Mon Sep 14 15:25:57.806242 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
[Mon Sep 14 15:25:57.806243 2015] [:error] [pid 5381]     r = adapter.send(request, **kwargs)
[Mon Sep 14 15:25:57.806244 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
[Mon Sep 14 15:25:57.806246 2015] [:error] [pid 5381]     timeout=timeout
[Mon Sep 14 15:25:57.806247 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 544, in urlopen
[Mon Sep 14 15:25:57.806248 2015] [:error] [pid 5381]     body=body, headers=headers)
[Mon Sep 14 15:25:57.806249 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 341, in _make_request
[Mon Sep 14 15:25:57.806251 2015] [:error] [pid 5381]     self._validate_conn(conn)
[Mon Sep 14 15:25:57.806253 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 762, in _validate_conn
[Mon Sep 14 15:25:57.806254 2015] [:error] [pid 5381]     conn.connect()
[Mon Sep 14 15:25:57.806255 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 238, in connect
[Mon Sep 14 15:25:57.806257 2015] [:error] [pid 5381]     ssl_version=resolved_ssl_version)
[Mon Sep 14 15:25:57.806258 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/util/ssl_.py", line 254, in ssl_wrap_socket
[Mon Sep 14 15:25:57.806259 2015] [:error] [pid 5381]     context.load_cert_chain(certfile, keyfile)
[Mon Sep 14 15:25:57.806261 2015] [:error] [pid 5381] IOError: [Errno 2] No such file or directory
[Mon Sep 14 15:25:57.806472 2015] [:error] [pid 5381] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: vaultconfig_show(all=False, raw=False, version=u'2.155'): IOError
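The client only ever sees "an internal error has occurred"; the useful signal is in httpd's error_log, where IPA logs the "non-public" exception, the full traceback, and then an INFO line naming the RPC command and principal. The following parser is an added example (not code from the ticket or from FreeIPA) that reassembles those records per worker pid and flags events with the shape reported here: an `IOError: [Errno 2]` raised out of `ssl_wrap_socket` while an `ipalib/plugins/vault.py` frame is asking the KRA client for its transport certificate. The log format assumed is the mod_wsgi `[timestamp] [:error] [pid N] message` prefix seen above; the sample log is a constructed, trimmed copy of the ticket's own lines, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the error_log lines quoted in this
# ticket (not a live capture); intermediate library frames are omitted.
SAMPLE_LOG = """\
[Mon Sep 14 15:25:57.806201 2015] [:error] [pid 5381] ipa: ERROR: non-public: IOError: [Errno 2] No such file or directory
[Mon Sep 14 15:25:57.806215 2015] [:error] [pid 5381] Traceback (most recent call last):
[Mon Sep 14 15:25:57.806217 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Mon Sep 14 15:25:57.806219 2015] [:error] [pid 5381]     result = self.Command[name](*args, **options)
[Mon Sep 14 15:25:57.806225 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 1170, in execute
[Mon Sep 14 15:25:57.806227 2015] [:error] [pid 5381]     transport_cert = kra_client.system_certs.get_transport_cert()
[Mon Sep 14 15:25:57.806231 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/pki/systemcert.py", line 52, in get_transport_cert
[Mon Sep 14 15:25:57.806232 2015] [:error] [pid 5381]     response = self.connection.get(url, self.headers)
[Mon Sep 14 15:25:57.806258 2015] [:error] [pid 5381]   File "/usr/lib/python2.7/site-packages/urllib3/util/ssl_.py", line 254, in ssl_wrap_socket
[Mon Sep 14 15:25:57.806259 2015] [:error] [pid 5381]     context.load_cert_chain(certfile, keyfile)
[Mon Sep 14 15:25:57.806261 2015] [:error] [pid 5381] IOError: [Errno 2] No such file or directory
[Mon Sep 14 15:25:57.806472 2015] [:error] [pid 5381] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: vaultconfig_show(all=False, raw=False, version=u'2.155'): IOError
"""

# mod_wsgi prefix as it appears in httpd/error_log (assumed format, see lead-in)
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[:(?P<level>\w+)\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$')
# one Python traceback frame; indentation may or may not survive log handling
FRAME_RE = re.compile(
    r'^\s*File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
# the INFO line IPA writes after each RPC call: principal, command, args, result
INFO_RE = re.compile(
    r'^ipa: INFO: \[(?P<server>[^\]]+)\] (?P<principal>\S+): '
    r'(?P<command>\w+)\((?P<args>.*)\): (?P<result>\S+)$')

ERROR_PREFIX = 'ipa: ERROR: non-public: '


def parse_lines(text):
    """Yield (pid, message) for every line carrying the mod_wsgi prefix."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield int(m.group('pid')), m.group('msg')


def find_internal_errors(text):
    """Return one dict per 'ipa: ERROR: non-public:' event.

    Records are grouped by worker pid because several httpd workers interleave
    in one file. Each event carries the exception text, the traceback frames
    (path, line, function), the innermost IPA frame (last frame under
    ipaserver/ or ipalib/), the frame that raised, and the command/principal
    from the INFO line that follows the traceback.
    """
    per_pid = defaultdict(list)
    for pid, msg in parse_lines(text):
        per_pid[pid].append(msg)

    events = []
    for pid, msgs in per_pid.items():
        i = 0
        while i < len(msgs):
            if not msgs[i].startswith(ERROR_PREFIX):
                i += 1
                continue
            event = {'pid': pid, 'exception': msgs[i][len(ERROR_PREFIX):],
                     'frames': [], 'command': None, 'principal': None}
            i += 1
            # consume the traceback IPA logs right after the ERROR line
            while i < len(msgs) and not msgs[i].startswith('ipa: INFO: '):
                f = FRAME_RE.match(msgs[i])
                if f:
                    event['frames'].append(
                        (f.group('path'), int(f.group('line')), f.group('func')))
                i += 1
            if i < len(msgs):
                info = INFO_RE.match(msgs[i])
                if info:
                    event['command'] = info.group('command')
                    event['principal'] = info.group('principal')
                    i += 1
            ipa_frames = [fr for fr in event['frames']
                          if '/ipaserver/' in fr[0] or '/ipalib/' in fr[0]]
            event['ipa_frame'] = ipa_frames[-1] if ipa_frames else None
            event['raise_frame'] = event['frames'][-1] if event['frames'] else None
            events.append(event)
    return events


def matches_ticket_signature(event):
    """True when an event has the shape reported in this ticket: ENOENT from
    the TLS client setup while a vault plugin frame talks to the KRA client."""
    ipa, raised = event['ipa_frame'], event['raise_frame']
    return (event['exception'].startswith('IOError: [Errno 2]')
            and ipa is not None and ipa[0].endswith('/ipalib/plugins/vault.py')
            and raised is not None and raised[2] == 'ssl_wrap_socket')


if __name__ == '__main__':
    for ev in find_internal_errors(SAMPLE_LOG):
        tag = 'MATCH' if matches_ticket_signature(ev) else 'other'
        print(tag, ev['pid'], ev['principal'], ev['command'],
              ev['exception'], ev['ipa_frame'])
```

Run it against a real file with `find_internal_errors(open('/var/log/httpd/error_log').read())`; the pid grouping matters there, since concurrent workers interleave their lines and a traceback from one worker must not be attributed to another's INFO line.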
master:
ipa-4-2:
Metadata Update from @spoore:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.2