#5462 ipa upgrade causes vault internal error
Closed: Fixed None Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1282935

Description of problem:
ipa server upgrade from 4.1.0-18 to 4.2.0-15 causes vault internal error

Version-Release number of selected component (if applicable):
ipa-server.x86_64 0:4.1.0-18.el7
ipa-server.x86_64 0:4.2.0-15.el7

How reproducible:
Always

Steps to Reproduce:
1.install 7.1 Master
2.ipa upgrade to newest
3.install kra
4.try vault commands

Actual results:
vault commands prompt out with internal error.

Expected results:
no error occurs

Additional info:

##Master after upgrade##
[root@mgmt7 ~]# ipa-kra-install -p Secret123 -U

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful

[root@mgmt7 ~]# kinit admin
Password for admin@TESTRELM.TEST:

[root@mgmt7 ~]# ipa vault-add vupgrade --type=symmetric --password='mypa55word'
ipa: ERROR: an internal error has occurred

[root@mgmt7 ~]# echo Secret123|base64
U2VjcmV0MTIzCg==

[root@mgmt7 ~]# ipa vault-archive vupgrade --password='mypa55word'
--data='U2VjcmV0MTIzCg=='
ipa: ERROR: an internal error has occurred

[root@mgmt7 ~]# grep "KRA is not enabled" /var/log/ipaupgrade.log
2015-11-15T20:18:45Z INFO KRA is not enabled

[root@mgmt7 ~]# ipa vault-add vupgrade --type=symmetric --password='mypa55word'
ipa: ERROR: vault with name "vupgrade" already exists

[root@mgmt7 ~]# ipa vault-archive vupgrade --password='mypa55word'
--data='U2VjcmV0MTIzCg=='
ipa: ERROR: an internal error has occurred


From /var/log/httpd/error_log:
.
.
.
[Sun Nov 15 16:27:16.261426 2015] [:error] [pid 20785] ipa: ERROR: non-public:
SSLError: [Errno 336265218] _ssl.c:351: error:140B0002:SSL
routines:SSL_CTX_use_PrivateKey_file:system lib
[Sun Nov 15 16:27:16.261468 2015] [:error] [pid 20785] Traceback (most recent
call last):
[Sun Nov 15 16:27:16.261475 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in
wsgi_execute
[Sun Nov 15 16:27:16.261502 2015] [:error] [pid 20785]     result =
self.Command[name](*args, **options)
[Sun Nov 15 16:27:16.261509 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
[Sun Nov 15 16:27:16.261515 2015] [:error] [pid 20785]     ret =
self.run(*args, **options)
[Sun Nov 15 16:27:16.261521 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
[Sun Nov 15 16:27:16.261527 2015] [:error] [pid 20785]     return
self.execute(*args, **options)
[Sun Nov 15 16:27:16.261533 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/ipalib/plugins/vault.py", line 1471, in
execute
[Sun Nov 15 16:27:16.261539 2015] [:error] [pid 20785]     transport_cert =
kra_client.system_certs.get_transport_cert()
[Sun Nov 15 16:27:16.261545 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/pki/__init__.py", line 298, in handler
[Sun Nov 15 16:27:16.261552 2015] [:error] [pid 20785]     return fn_call(inst,
*args, **kwargs)
[Sun Nov 15 16:27:16.261558 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/pki/systemcert.py", line 52, in
get_transport_cert
[Sun Nov 15 16:27:16.261564 2015] [:error] [pid 20785]     response =
self.connection.get(url, self.headers)
[Sun Nov 15 16:27:16.261570 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/pki/client.py", line 115, in get
[Sun Nov 15 16:27:16.261576 2015] [:error] [pid 20785]     data=payload)
[Sun Nov 15 16:27:16.261582 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/requests/sessions.py", line 319, in get
[Sun Nov 15 16:27:16.261588 2015] [:error] [pid 20785]     return
self.request('GET', url, **kwargs)
[Sun Nov 15 16:27:16.261593 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/requests/sessions.py", line 288, in request
[Sun Nov 15 16:27:16.261600 2015] [:error] [pid 20785]     resp =
self.send(prep, stream=stream, timeout=timeout, verify=verify, cert=cert,
proxies=proxies)
[Sun Nov 15 16:27:16.261606 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/requests/sessions.py", line 383, in send
[Sun Nov 15 16:27:16.261612 2015] [:error] [pid 20785]     r =
adapter.send(request, **kwargs)
[Sun Nov 15 16:27:16.261617 2015] [:error] [pid 20785]   File
"/usr/lib/python2.7/site-packages/requests/adapters.py", line 213, in send
[Sun Nov 15 16:27:16.261623 2015] [:error] [pid 20785]     raise SSLError(e)
[Sun Nov 15 16:27:16.261629 2015] [:error] [pid 20785] SSLError: [Errno
336265218] _ssl.c:351: error:140B0002:SSL
routines:SSL_CTX_use_PrivateKey_file:system lib
[Sun Nov 15 16:27:16.261937 2015] [:error] [pid 20785] ipa: INFO:
[jsonserver_session] admin@TESTRELM.TEST: vaultconfig_show(all=False,
raw=False, version=u'2.156'): SSLError

master:

  • 164fb7b install: export KRA agent PEM file in ipa-kra-install

ipa-4-2:

  • 9d4f383 install: export KRA agent PEM file in ipa-kra-install

Metadata Update from @pvoborni:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.4

7 years ago

Login to comment on this ticket.

Metadata