Bug 1083878

+++ This bug was initially created as a clone of Bug #1080865 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4265

This ticket is being filed to address the changes that are a part of the following Dogtag ticket:
* [https://fedorahosted.org/pki/ticket/816 pki-tomcat cannot be started after installation of ipa replica with ca]

Basically, the Dogtag change requires the Dogtag Clone's SSL Server certificate (located on the IPA Replica) to be issued by its associated Dogtag Master (located on the IPA Master).

Basically, the following change needs to take place in the IPA Master's '/etc/httdp/conf.d/ipa-pki-proxy.cfg' file.  Change:

  # matches for ee port
  <LocationMatch "^^/ca/ee/ca/checkRequest|^^/ca/ee/ca/getCertChain|^^/ca/ee/ca/getTo
  kenInfo|^^/ca/ee/ca/tokenAuthenticate|^^/ca/ocsp|^^/ca/ee/ca/updateNumberRange|^^/ca
  /ee/ca/getCRL">
      NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
      NSSVerifyClient none
      ProxyPassMatch ajp://localhost:8009
      ProxyPassReverse ajp://localhost:8009
  </LocationMatch>

to:

  # matches for ee port
  <LocationMatch "^^/ca/ee/ca/checkRequest|^^/ca/ee/ca/getCertChain|^^/ca/ee/ca/getTo
  kenInfo|^^/ca/ee/ca/tokenAuthenticate|^^/ca/ocsp|^^/ca/ee/ca/updateNumberRange|^^/ca
  /ee/ca/getCRL'''|^^/ca/ee/ca/profileSubmit'''">
      NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
      NSSVerifyClient none
      ProxyPassMatch ajp://localhost:8009
      ProxyPassReverse ajp://localhost:8009
  </LocationMatch>

--- Additional comment from Martin Kosek on 2014-03-26 05:16:55 EDT ---

Fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/6ecc4600e9370a637916360396f18699e4b7f59b/
ipa-3-3: https://fedorahosted.org/freeipa/changeset/8e8a020f8d2476cca321349fa24db4bee95270d8/

--- Additional comment from Martin Kosek on 2014-03-26 09:51:10 EDT ---

QE instructions - we can verify as SanityOnly and just make sure that replica installation with CA (--setup-ca/ipa-ca-install) still works.

You can also verify the change by making sure that the missing URI is in the IPA PKI proxy configuration:

# grep /ca/ee/ca/profileSubmit /etc/httpd/conf.d/ipa-pki-proxy.conf

--- Additional comment from Namita Soman on 2014-03-26 12:14:37 EDT ---

using ipa-server-3.3.3-25.el7.x86_64
# grep /ca/ee/ca/profileSubmit /etc/httpd/conf.d/ipa-pki-proxy.conf

# grep profileSubmit /etc/httpd/conf.d/ipa-pki-proxy.conf
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">


verified update with ipa-server-3.3.3-27.el7.x86_64
# grep /ca/ee/ca/profileSubmit /etc/httpd/conf.d/ipa-pki-proxy.conf
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">

And ran installs using ipa-server-3.3.3-27.el7.x86_64:
automated test output for replica installation with CA:
:: [   PASS   ] :: Running ' /usr/sbin/ipa-replica-install -U --setup-ca --setup-dns --forwarder=x.x.x.x -w <password> -p <password> /opt/rhqa_ipa/replica-info-cloud-qe-18.testrelm.test.gpg' (Expected 0, got 0)


automated tests passed for ipa-ca-install
:: [   PASS   ]   Installing CA Replica with --no-host-dns option
:: [   PASS   ]   Installing CA Replica without --no-host-dns option
:: [   PASS   ]   Installing CA Replica with --skip-schema-check option

--- Additional comment from Martin Kosek on 2014-04-03 03:06:46 EDT ---

This change will be also required in RHEL-6.6 so that PKI replicas can be spawned. Until this is fixed in RHEL-6.x, manual change to ipa-pki-proxy.conf + restart of httpd is needed.

I will clone this bug.