Nerdier

Adjective: Comparative form of nerdy: more nerdy.

ipapython.admintool: ERROR 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]

Had the error when trying to install a replica off a master:

Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Decryption failed.',)]"]
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

After a lot of looking around I found this script which, when run on the IPA master, regenerated the custodia keys:

https://gist.github.com/tiran/eaa8f9a629262226219d0b34a7d403a2

[root@ipa-001 ~]# ./ipa-custodia-regen.py --regenerate
Stopping ipa-custodia
Backing up and removing existing '/etc/ipa/custodia/custodia.conf'
Backing up and removing existing '/etc/ipa/custodia/server.keys'
Running create_instance to regenerate config and keys.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Starting ipa-custodia
Success!
It may take a couple of minutes until public keys are replicated to other LDAP servers.

I could then re-run the IPA replica install (after running --uninstall to clean up the previous attempt). I also had to remove the replica with ipa-replica-manage on the master, as it had managed to add a replication agreement before erroring.

After some further troubleshooting I also read that you can just remove /etc/ipa/custodia/server.keys and run ipa-server-upgrade on the master and it should regenerate the keys. However, I had already fixed it with the above script.
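The recovery sequence described above, collected into a small script as an added example (this is not the post's script and not part of FreeIPA). It uses the alternative fix from the last paragraph (back up and remove server.keys, then ipa-server-upgrade) on the master, drops the half-created replication agreement, and retries the replica install. `ipa-replica-manage del` is the subcommand assumed here, since the post only names the tool; the replica hostname and the DRY_RUN default are placeholders, and with DRY_RUN=1 (the default) the script only prints the IPA commands it would run so the order can be checked before touching a live server.

```shell
#!/bin/bash
# Added example, not from the original post or from FreeIPA.
# Recovery steps for the custodia "No recipient matched the provided key"
# error, split into the master-side and replica-side parts.
set -eu

# Assumed paths/values; adjust for the real deployment.
CUSTODIA_KEYS="${CUSTODIA_KEYS:-/etc/ipa/custodia/server.keys}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# run CMD...: echo the command and execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    if [ "$DRY_RUN" != "1" ]; then
        "$@"
    fi
}

# backup_and_remove FILE: keep a timestamped copy of FILE, then delete the
# original so ipa-server-upgrade has to regenerate it. Prints the backup path.
backup_and_remove() {
    file="$1"
    backup="${file}.bak.$(date +%Y%m%d%H%M%S)"
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        return 1
    fi
    cp -p "$file" "$backup"
    rm -f "$file"
    echo "$backup"
}

# Master side: remove the stale custodia keys and let the upgrade step
# regenerate them (the alternative fix mentioned in the post).
master_regenerate_keys() {
    run backup_and_remove "$CUSTODIA_KEYS"
    run ipa-server-upgrade
}

# Master side: drop the replication agreement left behind by the failed
# replica install, so the retry does not collide with it.
master_drop_replica() {
    run ipa-replica-manage del "$1"
}

# Replica side: clean up the partial install, then retry. Any extra
# arguments are passed through to ipa-replica-install.
replica_retry_install() {
    run ipa-server-install --uninstall
    run ipa-replica-install "$@"
}

# Example invocation (dry run by default): review the printed commands,
# then rerun with DRY_RUN=0 on the master and on the replica respectively.
if [ "${1:-}" = "master" ]; then
    master_regenerate_keys
    master_drop_replica "${2:-replica.example.test}"
elif [ "${1:-}" = "replica" ]; then
    shift
    replica_retry_install "$@"
fi
```

Run it as `./custodia-recover.sh master replica.example.test` on the master and `./custodia-recover.sh replica` on the replica; the post notes that it can take a couple of minutes for the regenerated public keys to replicate before the replica install will succeed.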
