Bug 1257518
| Summary: | Running ipa-server-install produces 400 Bad Request in dogtag's access log | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pazdziora <jpazdziora> |
| Component: | pki-core | Assignee: | Fraser Tweedale <ftweedal> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 7.2 | CC: | arubin, ftweedal, jpazdziora, ksiddiqu, mharmsen, nkinder, pvoborni, rcritten, rpattath |
| Target Milestone: | rc | | |
| Target Release: | 7.3 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.3.1-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 05:19:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Jan Pazdziora
2015-08-27 09:06:32 UTC
IIUC it tries to add a certificate profile which is already there. Fraser, is it expected behavior?

This is expected behaviour.

The installation procedure attempts to add predefined profiles. In the case of the "caIPAserviceCert" profile, this is already defined by Dogtag. The IPA code first attempts to add the profile (which fails in this case) and if it already exists, it updates it instead.

There was a related bug for IPA to own its own profiles, rather than Dogtag: https://bugzilla.redhat.com/show_bug.cgi?id=916289

In a future release we can remove caIPAserviceCert from Dogtag at which point this error will no longer occur.

Arguably the status code should be 409 Conflict but if so that ticket should be raised against pki.

Moving to pki to evaluate the change of status code as mentioned in comment 3. Otherwise I would close as not a bug.

(In reply to Fraser Tweedale from comment #3)
> This is expected behaviour.
>
> The installation procedure attempts to add
> predefined profiles. In the case of the "caIPAserviceCert"
> profile, this is already defined by Dogtag. The IPA code
> first attempts to add the profile (which fails in this case)
> and if it already exists, it updates it instead.

Why doesn't IPA installer code check if the profile exists, before attempting to create it?

Upstream ticket: https://fedorahosted.org/pki/ticket/1728

ftweedal fixed in master:

* 27a38daf9840e4fd9bc031daf25024806d05e943

```
[root@nightcrawler ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.3.3
Release     : 8.el7
Architecture: noarch
Install Date: Wed 31 Aug 2016 03:15:38 PM EDT
Group       : System Environment/Daemons
Size        : 2430595
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.3.3-8.el7.src.rpm
Build Date  : Tue 30 Aug 2016 03:23:27 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority
```

ipa-server-install

/var/log/pki/pki-tomcat/localhost_access_log.2016-09-02.txt has the following (no error message for the caIPAserviceCert profile)

```
10.16.96.83 - ipara [02/Sep/2016:12:55:33 -0400] "POST /ca/rest/profiles/caIPAserviceCert?action=disable HTTP/1.1" 204 -
10.16.96.83 - ipara [02/Sep/2016:12:55:33 -0400] "PUT /ca/rest/profiles/caIPAserviceCert/raw HTTP/1.1" 200 7053
10.16.96.83 - ipara [02/Sep/2016:12:55:33 -0400] "POST /ca/rest/profiles/caIPAserviceCert?action=enable HTTP/1.1" 204 -
10.16.96.83 - ipara [02/Sep/2016:12:55:33 -0400] "GET /ca/rest/account/logout HTTP/1.1" 204 -
10.16.96.83 - ipara [02/Sep/2016:12:55:34 -0400] "GET /ca/rest/account/login HTTP/1.1" 200 205
10.16.96.83 - ipara [02/Sep/2016:12:55:34 -0400] "GET /ca/rest/authorities/host-authority HTTP/1.1" 200 310
10.16.96.83 - ipara [02/Sep/2016:12:55:34 -0400] "GET /ca/rest/account/logout HTTP/1.1" 204 -
```

/var/log/ipaserver-install.log has the following

```
2016-09-02T16:55:33Z DEBUG response headers {'transfer-encoding': 'chunked', 'date': 'Fri, 02 Sep 2016 16:55:32 GMT', 'content-type': 'application/json', 'server': 'Apache-Coyote/1.1'}
2016-09-02T16:55:33Z DEBUG response body '{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.ConflictingOperationException","Code":409,"Message":"Profile already exists"}'
2016-09-02T16:55:33Z DEBUG Error migrating 'caIPAserviceCert': Non-2xx response from CA REST API: 409. Profile already exists
```

Fraser, Please confirm if the above are the expected log messages.

Roshni, this is the expected behaviour.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html
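For anyone triaging these access logs, the following added example (not code from Dogtag, FreeIPA or this report) treats a 400 or 409 on profile creation as expected only when the disable, PUT raw, enable sequence quoted above follows it, and reports every other 4xx/5xx line. The create path `/ca/rest/profiles/raw`, the `triage` helper and the sample lines are assumptions constructed for illustration.

```python
import re

# Tomcat access-log layout as in the lines quoted in this report.
LINE = re.compile(r'^\S+ - \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) '
                  r'HTTP/[\d.]+" (?P<status>\d{3}) \S+$')
PROFILE = re.compile(r'^/ca/rest/profiles/(?P<id>[^/?]+)'
                     r'(?P<step>/raw|\?action=(?:disable|enable))$')
CREATE_PATH = "/ca/rest/profiles/raw"   # assumption: raw-profile create endpoint
UPDATE_SEQ = [("POST", "?action=disable"), ("PUT", "/raw"),
              ("POST", "?action=enable")]

def triage(lines):
    """Return (updated_profiles, explained_rejects, unexplained_lines)."""
    updated, unexplained, explained = [], [], 0
    pending = None   # rejected create still waiting for its update fallback
    steps = {}       # profile id -> successful update steps seen so far
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        method, path, status = m["method"], m["path"], int(m["status"])
        if method == "POST" and path == CREATE_PATH:
            if status in (400, 409):        # "already exists" style rejection
                if pending:
                    unexplained.append(pending)
                pending = raw
            elif status >= 400:
                unexplained.append(raw)
            continue
        p = PROFILE.match(path)
        if p and status < 300:
            seq = steps.setdefault(p["id"], [])
            seq.append((method, p["step"]))
            if seq[-3:] == UPDATE_SEQ:      # disable -> PUT raw -> enable
                updated.append(p["id"])
                if pending:
                    explained, pending = explained + 1, None
        elif status >= 400:
            unexplained.append(raw)
    if pending:                             # reject never followed by an update
        unexplained.append(pending)
    return updated, explained, unexplained

# Constructed sample, modelled on the log lines in this report.
HEAD = '192.0.2.10 - ipara [02/Sep/2016:12:55:33 -0400] '
SAMPLE = [HEAD + '"POST /ca/rest/profiles/raw HTTP/1.1" 409 146',
          HEAD + '"POST /ca/rest/profiles/caIPAserviceCert?action=disable HTTP/1.1" 204 -',
          HEAD + '"PUT /ca/rest/profiles/caIPAserviceCert/raw HTTP/1.1" 200 7053',
          HEAD + '"POST /ca/rest/profiles/caIPAserviceCert?action=enable HTTP/1.1" 204 -']

if __name__ == "__main__":
    print(triage(SAMPLE))
```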