Open flo-renaud opened 1 month ago
Vault operations are failing if the master is installed with @pki/master
Reproducer:
ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U --setup-kra
echo Secret123 | kinit admin; ipa vault-add ci_test_vault_master --password password --type symmetric
The command fails with:
# ipa vault-add ci_test_vault_master --password password --type symmetric
ipa: ERROR: Unable to archive key: Unable to decrypt passphrase: Cipher context finalization failed: (-8190) security library: received bad data.
The error can be seen in FreeIPA nightly tests, for instance in PR #3720 with the test test_vault: report.html, logs.
IPA httpd's error log displays:
[Wed Jun 05 12:23:48.147804 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] ipa: ERROR: non-public: HTTPError: 500 Server Error: Internal Server Error for url: https://master.ipa.test:443/kra/rest/agent/keyrequests
[Wed Jun 05 12:23:48.147837 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] Traceback (most recent call last):
[Wed Jun 05 12:23:48.147840 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] File "/usr/lib/python3.12/site-packages/requests/models.py", line 971, in json
[Wed Jun 05 12:23:48.147843 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] return complexjson.loads(self.text, **kwargs)
[Wed Jun 05 12:23:48.147845 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Jun 05 12:23:48.147848 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] File "/usr/lib64/python3.12/json/__init__.py", line 346, in loads
[Wed Jun 05 12:23:48.147850 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] return _default_decoder.decode(s)
[Wed Jun 05 12:23:48.147853 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] ^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Jun 05 12:23:48.147855 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] File "/usr/lib64/python3.12/json/decoder.py", line 337, in decode
[Wed Jun 05 12:23:48.147857 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] obj, end = self.raw_decode(s, idx=_w(s, 0).end())
[Wed Jun 05 12:23:48.147859 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Jun 05 12:23:48.147862 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] File "/usr/lib64/python3.12/json/decoder.py", line 355, in raw_decode
[Wed Jun 05 12:23:48.147864 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] raise JSONDecodeError("Expecting value", s, err.value) from None
[Wed Jun 05 12:23:48.147866 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Version:
dogtag-pki-server-11.6.0-0.1.alpha1.20240605033809UTC.92d6b505.fc39.noarch
dogtag-jss-5.6.0-0.1.alpha1.20240523101440UTC.0da84f41.fc39.x86_64
@flo-renaud Do you see any error in PKI logs? Or is PKI working fine but returning undecryptable data?