dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

ipa vault-add fails with "Unable to archive key" (@pki/master) #4774

Open flo-renaud opened 1 month ago

flo-renaud commented 1 month ago

Vault operations are failing if the master is installed with @pki/master

Reproducer:

  1. Enable @pki/master and @freeipa/freeipa-master-nightly
  2. Upgrade all packages with --enablerepo=updates-testing
  3. Install the IPA server with ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U --setup-kra
  4. Add a vault with echo Secret123 | kinit admin; ipa vault-add ci_test_vault_master --password password --type symmetric

The command fails with:

# ipa vault-add ci_test_vault_master --password password --type symmetric
ipa: ERROR: Unable to archive key: Unable to decrypt passphrase: Cipher context finalization failed: (-8190) security library: received bad data.

The error can be seen in FreeIPA nightly tests, for instance in PR #3720 with the test test_vault: report.html, logs.

IPA httpd's error log displays:

[Wed Jun 05 12:23:48.147804 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] ipa: ERROR: non-public: HTTPError: 500 Server Error: Internal Server Error for url: https://master.ipa.test:443/kra/rest/agent/keyrequests
[Wed Jun 05 12:23:48.147837 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] Traceback (most recent call last):
[Wed Jun 05 12:23:48.147840 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]   File "/usr/lib/python3.12/site-packages/requests/models.py", line 971, in json
[Wed Jun 05 12:23:48.147843 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]     return complexjson.loads(self.text, **kwargs)
[Wed Jun 05 12:23:48.147845 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Jun 05 12:23:48.147848 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]   File "/usr/lib64/python3.12/json/__init__.py", line 346, in loads
[Wed Jun 05 12:23:48.147850 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]     return _default_decoder.decode(s)
[Wed Jun 05 12:23:48.147853 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]            ^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Jun 05 12:23:48.147855 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]   File "/usr/lib64/python3.12/json/decoder.py", line 337, in decode
[Wed Jun 05 12:23:48.147857 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]     obj, end = self.raw_decode(s, idx=_w(s, 0).end())
[Wed Jun 05 12:23:48.147859 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Jun 05 12:23:48.147862 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]   File "/usr/lib64/python3.12/json/decoder.py", line 355, in raw_decode
[Wed Jun 05 12:23:48.147864 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]     raise JSONDecodeError("Expecting value", s, err.value) from None
[Wed Jun 05 12:23:48.147866 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Version: dogtag-pki-server-11.6.0-0.1.alpha1.20240605033809UTC.92d6b505.fc39.noarch dogtag-jss-5.6.0-0.1.alpha1.20240523101440UTC.0da84f41.fc39.x86_64
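Detection logic for the failure signature above, added here as an example and not part of the issue or of the IPA/PKI code base: it groups httpd wsgi:error lines by pid/tid, pulls out the HTTP status and PKI URL from the HTTPError line and the final exception type from the traceback, so an operator can alert on KRA archival requests that returned a 5xx with an unparseable body. The sample log is constructed from a subset of the lines quoted above; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the httpd error-log lines quoted in the issue.
SAMPLE_LOG = """\
[Wed Jun 05 12:23:48.147804 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] ipa: ERROR: non-public: HTTPError: 500 Server Error: Internal Server Error for url: https://master.ipa.test:443/kra/rest/agent/keyrequests
[Wed Jun 05 12:23:48.147837 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] Traceback (most recent call last):
[Wed Jun 05 12:23:48.147840 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490]   File "/usr/lib/python3.12/site-packages/requests/models.py", line 971, in json
[Wed Jun 05 12:23:48.147866 2024] [wsgi:error] [pid 26206:tid 26633] [remote 192.168.121.221:59490] json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
"""

# One httpd wsgi:error line: timestamp, pid/tid, remote peer, free-form message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"\[remote (?P<remote>[^\]]+)\] (?P<msg>.*)$"
)
# The requests HTTPError message carries the status code and the failing URL.
HTTP_RE = re.compile(r"HTTPError: (?P<status>\d{3}) .* for url: (?P<url>\S+)")


def parse_wsgi_errors(text):
    """Group wsgi:error lines by (pid, tid) and summarise each HTTP failure.

    Returns one dict per request that logged an HTTPError, with the final
    exception type of the accompanying traceback (if any) filled in.
    """
    events = defaultdict(lambda: {"ts": None, "remote": None, "status": None,
                                  "url": None, "exception": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a wsgi:error line; ignore
        ev = events[(m["pid"], m["tid"])]
        msg = m["msg"]
        h = HTTP_RE.search(msg)
        if h:
            ev.update(ts=m["ts"], remote=m["remote"],
                      status=int(h["status"]), url=h["url"])
        elif not msg.startswith((" ", "Traceback")) and ":" in msg:
            # Last line of a Python traceback: "ExceptionType: message"
            ev["exception"] = msg.split(":", 1)[0]
    return [ev for ev in events.values() if ev["status"] is not None]


def kra_archival_failures(text):
    """Only the events where a KRA REST endpoint answered 5xx (the issue's signature)."""
    return [ev for ev in parse_wsgi_errors(text)
            if ev["status"] >= 500 and "/kra/rest/" in ev["url"]]
```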

edewata commented 1 month ago

@flo-renaud Do you see any error in PKI logs? Or is PKI working fine but returning undecryptable data?