FreeIPA KRA install fails on Rocky 9 replica (from rocky 8 cluster)

Not sure if this is the correct forum to ask in.

I have a FreeIPA setup on Rocky 8 and am trying to upgrade to Rocky 9 by adding a replica to the cluster. The base packages seem to work fine, but when I try to install KRA on the new host it fails. It works fine on Rocky 8 btw.

Does anyone have an idea how I can fix this?

ipa-kra-install log:

FINE: Response:
{
  "Response" : {
    "Status" : "1",
    "Error" : "Unable to add KRA connector for httpx://ipa05.dev.ngc.dk:8443: KRA connector already exists"
  }
}
FINE: CAClient: Response: {
  "Response" : {
    "Status" : "1",
    "Error" : "Unable to add KRA connector for httpx://ipa05.dev.ngc.dk:8443: KRA connector already exists"
  }
}
FINE: CAClient: status: 1
java.lang.NullPointerException: Cannot invoke "com.fasterxml.jackson.databind.JsonNode.asText()" because the return value of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null
    at com.netscape.certsrv.ca.CAClient.addKRAConnector(CAClient.java:129)
    at com.netscape.cmstools.system.KRAConnectorAddCLI.execute(KRAConnectorAddCLI.java:220)
    at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
ERROR: CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'httpx://ipa05.dev.ngc.dk:443', '--ignore-banner', 'ca-kraconnector-add', '--url', 'httpx://ipa05.dev.ngc.dk:8443/kra/agent/kra/connector', '--subsystem-cert', '/tmp/tmpf65kp8xr/subsystem.crt', '--transport-cert', '/tmp/tmpf65kp8xr/transport.crt', '--transport-nickname', 'transportCert cert-pki-kra', '--install-token', '/tmp/tmpf65kp8xr/install-token', '--debug']' returned non-zero exit status 255.
  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 568, in main
    deployer.spawn()
  File "/usr/lib/python3.9/site-packages/pki/server/deployment/init.py", line 4985, in spawn
    scriptlet.spawn(self)
  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 197, in spawn
    deployer.finalize_subsystem(subsystem)
  File "/usr/lib/python3.9/site-packages/pki/server/deployment/init.py", line 4772, in finalize_subsystem
    self.finalize_kra(subsystem)
  File "/usr/lib/python3.9/site-packages/pki/server/deployment/init.py", line 4654, in finalize_kra
    self.add_kra_connector(subsystem, ca_url)
  File "/usr/lib/python3.9/site-packages/pki/server/deployment/init.py", line 4207, in add_kra_connector
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)

2025-04-15T10:38:49Z CRITICAL Failed to configure KRA instance

Welcome to the forums!

This is an interesting issue and sounds like a bug I have seen in other deployments and other IPA versions. What I'm thinking is that the issue here is a mismatch between the NSS DB and the configuration file for pki-tomcat. Here's what I'd try to do:

On the CA/KRA server (Rocky Linux 8):

  • Ensure you have taken a backup of the system and/or have run ipa-backup.
  • Take a backup of /etc/pki/pki-tomcat/ca/CS.cfg
  • Run certutil -L -d /etc/pki/pki-tomcat/alias -n 'transportCert cert-pki-kra' -a | grep -v ' CERTIFICATE' | tr -d '\n\r'
    • This should make the certificate a single line.
  • Edit /etc/pki/pki-tomcat/ca/CS.cfg and find the line ca.connector.KRA.transportCert and replace the value with the above output.
  • Run systemctl restart pki-tomcatd@pki-tomcat to restart the CA/KRA.
  • Remove the broken replica with ipa server-del ipa05.dev.ngc.dk
  • On the broken replica, ipa-server-install --uninstall -U

After that, you can try to re-run the ipa-replica-install with --setup-kra or run ipa-replica-install and then ipa-kra-install afterwards.
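The steps above can be scripted so the mismatch is verified before anything is edited. This is an added example, not something from the thread or from FreeIPA/Dogtag: it collapses the transport certificate from the NSS DB with the same pipeline as the certutil command above, compares it with ca.connector.KRA.transportCert in CS.cfg, and only rewrites the file (after a backup) when run with "fix". The paths and nickname are the ones quoted in the thread; the backup file name is this example's own choice.

```shell
#!/bin/sh
# Added example: check (and optionally repair) the KRA transport cert stored
# in the CA's CS.cfg against the one in the pki-tomcat NSS database.
set -eu

NSSDB=/etc/pki/pki-tomcat/alias            # from the thread's certutil command
NICK='transportCert cert-pki-kra'          # from the thread's certutil command
CS_CFG=/etc/pki/pki-tomcat/ca/CS.cfg       # from the thread's step list
KEY=ca.connector.KRA.transportCert         # from the thread's step list

# Collapse a PEM certificate read on stdin into the single-line base64 body
# that CS.cfg expects (the thread's grep | tr pipeline).
pem_to_single_line() {
    grep -v ' CERTIFICATE' | tr -d '\n\r'
}

# Print the current value of key $2 in CS.cfg-style file $1 (empty if absent).
cfg_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Exit 0 when key $2 in file $1 equals $3, otherwise 1.
cfg_matches() {
    [ "$(cfg_value "$1" "$2")" = "$3" ]
}

# Back up file $1 (suffix .bak.<timestamp>, this example's own convention)
# and set key $2 to $3, appending the key if it is missing.
cfg_set() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Driver: "check" only reports; "fix" rewrites CS.cfg (restart pki-tomcatd after).
main() {
    expected=$(certutil -L -d "$NSSDB" -n "$NICK" -a | pem_to_single_line)
    if cfg_matches "$CS_CFG" "$KEY" "$expected"; then
        echo "OK: $KEY matches the NSS DB"
    elif [ "$1" = fix ]; then
        cfg_set "$CS_CFG" "$KEY" "$expected"
        echo "Updated $KEY in $CS_CFG; now restart pki-tomcatd@pki-tomcat"
    else
        echo "MISMATCH: $KEY differs from the NSS DB (run with 'fix' to update)"
        return 1
    fi
}
case "${1:-}" in check|fix) main "$1" ;; esac
```

Run it as `sh kra-transport-check.sh check` on the Rocky 8 CA first; only the "fix" mode touches CS.cfg, and the restart and replica cleanup from the steps above still have to be done by hand.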

That was it.
Thank you very much :slight_smile:
