| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.3 | CC: | ekeck, enewland, fjayalat, jcholast, jnansi, ksiddiqu, mbasti, pvoborni, rcritten |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-16.el7 | Doc Type: | Bug Fix |
| Story Points: | --- | | |
| Clone Of: | | | |
| Clones: | 1309382 (view as bug list) | Environment: | |
| Last Closed: | 2016-11-04 05:50:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1301546 | | |
| Bug Blocks: | 1287930, 1309382 | | |
| Attachments: | 1192097: console output with verification steps | | |

Doc Text:
Cause: IPA replica install code made wrong assumptions about the install environment.
Consequence: The ipa-replica-install and ipa-ca-install commands would fail when installing a replica of a RHEL 6 master with a selfsign CA.
Fix: The IPA replica install code no longer assumes a recent IPA master with a Dogtag CA.
Result: ipa-replica-install and ipa-ca-install work correctly when installing a replica of a RHEL 6 master with a selfsign CA.

Description
Petr Vobornik
2016-01-25 17:11:53 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5598
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5602
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5595

There are issues with migration from a RHEL 6 self-signed to a RHEL 7 CA IPA setup.

First, it does not work:
* installation of replica fails because of incorrect API initialization #5611
* ipa-ca-install fails on replica if the master was updated from CA-less to CA-full #5602

Then the environment is in a bad state, which causes:
* CA server doesn't work - dogtag is unable to contact the LDAP server #5595
* another replica can't be installed #5598

#5602 is a PKI bug 1035486

sorry, bug 1301546

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5636

Fixed upstream
master:
* 72e72615df8b178ebbcb2e4944ba289ef263c951 fix standalone installation of externally signed CA on IPA master
ipa-4-3:
* 87cd18892fcbc520c8d45c5f7624a909c9347779 fix standalone installation of externally signed CA on IPA master
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/24384624b3ad2eb0e5ffe6483c34156c7d335888

Back to ASSIGNED, there are still missing features.

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/465ce82a4d098c4c419913f30a1a028afc7ae445
ipa-4-3: https://fedorahosted.org/freeipa/changeset/15357aea39eb9e496439e4ef711b97616ef7ee9a
ipa-4-2: https://fedorahosted.org/freeipa/changeset/c2ade68df88e440cd969bede298f0c1feae59fcc

All FreeIPA tickets are fixed except for #5602, which is a tracker ticket for bug 1301546, which is a PKI bug. Therefore moving to POST. Bug 1301546 will be fixed in a different timeframe. Honza, could you add a note on how waiting for bug 1301546 affects IPA and what the possible workarounds are?
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4492

Ticket 4492 fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/26dee66d1bf05aac5af5f82862ce54585ccde7e4/
ipa-4-2: https://fedorahosted.org/freeipa/changeset/f5fa38399277ab16fa32832f53580651ad4a4026/

Ticket 5506 needs to be included as well, see https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c14. Moving back to POST.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5506

Ticket 5506 fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/a497288b3eafe00ab9c819dd4a51d0b421824b36/

IPA version:
============

```
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-8.el7.x86_64
pki-ca-10.3.3-6.el7.noarch
[root@dhcp207-129 ~]#
```

The following five scenarios were executed for verification of this bug; they were picked from https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c8:

(1) ipa-ca-install on replica
This fails, and the following bugs are already reported for it:
https://bugzilla.redhat.com/show_bug.cgi?id=1358752
https://bugzilla.redhat.com/show_bug.cgi?id=1365858

(2) ipa-replica-install should be successful from a master which is converted to CA-full from CA-less
This is successful.

(3) ipa-ca-install should be successful on a CA-less master, and
(4) ipa-cert-update should not remove CA-less certs when CA-less to CA-full is converted
This is successful.

(5) ipa-ca-install with external-ca on a CA-less master
This is failing, and the following two bugs are reported for it:
https://bugzilla.redhat.com/show_bug.cgi?id=1318616
https://bugzilla.redhat.com/show_bug.cgi?id=1368388

The following additional scenario covers ticket 5506:
(6) third replica install fails
This is successful too.

Please find the attached console output for the successful scenarios.

Created attachment 1192097 [details]
console output with verification steps
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html
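Preflight check, added here as an illustration and not part of the bug report or of FreeIPA itself: before running ipa-replica-install or ipa-ca-install against a RHEL 6 selfsign master, compare the installed ipa-server VERSION-RELEASE with the Fixed In Version above (ipa-4.2.0-16.el7) using rpm's own segment rules, so that a release like 4.2.0-9.el7 is correctly recognised as older and 4.4.0-8.el7 (the version used for verification) as newer. The functions `segs`, `rpm_vercmp`, `rpm_vrcmp` and `ipa_has_fix` are names chosen for this example; it assumes no Epoch and no tilde/caret versions, which holds for ipa-server on RHEL 7, and it only queries rpm when one is present.

```shell
#!/bin/sh
# Added example, not part of the bug report: decide whether an installed
# ipa-server is at or above the "Fixed In Version" of this bug
# (ipa-4.2.0-16.el7). The comparison follows rpm's version rules:
# numeric segments compare numerically, alphabetic segments lexically,
# a numeric segment beats an alphabetic one, and extra segments win.
# Assumptions: no Epoch and no tilde/caret versions (true for ipa-server
# on RHEL 7). Function names are this example's own.

FIXED_VR="4.2.0-16.el7"

# Split a version string into one segment per line at non-alphanumerics
# and at digit/letter boundaries: "16.el7" -> 16, el, 7
segs() {
    printf '%s\n' "$1" \
      | sed 's/[^A-Za-z0-9]/ /g; s/\([0-9]\)\([A-Za-z]\)/\1 \2/g; s/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
      | tr -s ' ' '\n' \
      | sed '/^$/d'
}

# rpmvercmp for a single version or release string; prints -1, 0 or 1
rpm_vercmp() {
    sa=$(segs "$1"); sb=$(segs "$2"); i=1
    while :; do
        x=$(printf '%s\n' "$sa" | sed -n "${i}p")
        y=$(printf '%s\n' "$sb" | sed -n "${i}p")
        if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return; fi
        if [ -z "$x" ]; then printf '%s\n' -1; return; fi   # right side has more segments
        if [ -z "$y" ]; then printf '%s\n' 1; return; fi
        case "$x" in *[!0-9]*) xnum=0 ;; *) xnum=1 ;; esac
        case "$y" in *[!0-9]*) ynum=0 ;; *) ynum=1 ;; esac
        if [ "$xnum" -eq 1 ] && [ "$ynum" -eq 1 ]; then
            if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
            if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        elif [ "$xnum" -eq 1 ]; then printf '%s\n' 1; return    # numeric beats alpha
        elif [ "$ynum" -eq 1 ]; then printf '%s\n' -1; return
        else
            if [ "$x" \> "$y" ]; then printf '%s\n' 1; return; fi
            if [ "$x" \< "$y" ]; then printf '%s\n' -1; return; fi
        fi
        i=$((i + 1))
    done
}

# Compare VERSION-RELEASE strings: version first, release only on a tie.
# Comparing the whole string segment by segment would get "4.2-16" vs
# "4.2.0-1" wrong, because the release would be compared to a version part.
rpm_vrcmp() {
    c=$(rpm_vercmp "${1%-*}" "${2%-*}")
    if [ "$c" -ne 0 ]; then printf '%s\n' "$c"; else rpm_vercmp "${1##*-}" "${2##*-}"; fi
}

# Exit status 0 when the given VERSION-RELEASE is at or above FIXED_VR
ipa_has_fix() {
    r=$(rpm_vrcmp "$1" "$FIXED_VR")
    [ "$r" -ge 0 ]
}

# Live check on a real host; silently skipped where rpm or ipa-server is absent
if command -v rpm >/dev/null 2>&1 \
   && vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' ipa-server 2>/dev/null); then
    if ipa_has_fix "$vr"; then
        echo "ipa-server $vr: at or above $FIXED_VR, replica/CA install fix present"
    else
        echo "ipa-server $vr: older than $FIXED_VR, update before ipa-replica-install"
    fi
fi
```

Run it on the RHEL 7 host that is about to become the replica; the RHEL 6 master's own package version is irrelevant here, since the failing code is on the replica side.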