Bug 1309382
Summary: issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

Product: Red Hat Enterprise Linux 7
Reporter: Jan Kurik <jkurik>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 7.3
CC: akasurde, ekeck, enewland, ipa-maint, jcholast, jnansi, ksiddiqu, mbasti, pvoborni, rcritten
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ipa-4.2.0-15.el7_2.12
Doc Type: Bug Fix
Doc Text:
The ipa-replica-install and ipa-ca-install utilities failed when installing a replica of a Red Hat Enterprise Linux 6 master with a self-signed CA certificate. This update fixes the bug. Note that after running ipa-ca-install, you must run the ipa-certupdate utility.
Also, it is not possible to install a replica with a CA against a master that uses a third-party certificate for the httpd service. To work around this problem, issue a temporary IdM certificate for httpd on the master before installing the replica:
# certutil -d /etc/httpd/alias -L -n [NICKNAME] -r >backup.crt.der
# ipa service-mod HTTP/[HOSTNAME] --certificate=
# ipa-getcert start-tracking -d /etc/httpd/alias -n [NICKNAME] \
    -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
# ipa-getcert resubmit -d /etc/httpd/alias -n [NICKNAME] -K HTTP/[HOSTNAME]
Check that backup.crt.der is non-empty before continuing: the revert step below reads it back after the third-party certificate has been deleted from the NSS database.
After installing the replica, revert to the original certificate:
# ipa-getcert stop-tracking -d /etc/httpd/alias -n [NICKNAME]
# certutil -d /etc/httpd/alias -D -n [NICKNAME]
# certutil -d /etc/httpd/alias -A -n [NICKNAME] -t ,, -i backup.crt.der
# systemctl restart httpd
Story Points: ---
Clone Of: 1301687
Environment:
Last Closed: 2016-05-12 09:58:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1301687
Bug Blocks:
Attachments:
Description
Jan Kurik
2016-02-17 16:15:48 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4492

Jan, please provide the impact of the missing fix for Bug 1301546 and what the possible workarounds are.

The impact is that installing a replica with a CA is not possible against a master which uses a 3rd party cert for httpd. The workaround is to issue a (temporary) IPA cert for httpd on the master before installing the replica:
# certutil -d /etc/httpd/alias -L -n $NICKNAME -r >backup.crt.der
# ipa service-mod HTTP/$HOSTNAME --certificate=
# ipa-getcert start-tracking -d /etc/httpd/alias -n $NICKNAME -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
# ipa-getcert resubmit -d /etc/httpd/alias -n $NICKNAME -K HTTP/$HOSTNAME
After installing the replica, you can revert to the original cert:
# ipa-getcert stop-tracking -d /etc/httpd/alias -n $NICKNAME
# certutil -d /etc/httpd/alias -D -n $NICKNAME
# certutil -d /etc/httpd/alias -A -n $NICKNAME -t ,, -i backup.crt.der
# systemctl restart httpd

Verified using IPA server version :: ipa-server-4.2.0-15.el7_2.10.x86_64
Please find the console.log for each ticket in the attachments.
For ticket https://fedorahosted.org/freeipa/ticket/5636, there is another bug reported: BZ1318616.

Created attachment 1137376 [details]: tkt_4492.log
Created attachment 1137377 [details]: tkt_5595.log
Created attachment 1137379 [details]: tkt_5598.log
Created attachment 1137381 [details]: tkt_5611.log
The workaround for bug 1318616 is to run ipa-certupdate right after ipa-ca-install. To make the workaround actually work, the fix for IPA ticket 5506 needs to be included as well. Moving back to POST.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5506

Verified using IPA version ipa-server-4.2.0-15.el7_2.12.x86_64 with the workaround suggested in comment#14. See attachment for console.log.

Created attachment 1137687 [details]: tkt_5636.log

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-1036.html
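The temporary-IPA-certificate workaround from the Doc Text (the same steps appear in the comments) as a script, an added example that is not part of the bug report or of FreeIPA/IdM. It assumes the nickname and host name are passed as arguments, that the NSS database, password file and certmonger helper are the RHEL 7 paths quoted on the page, and it adds a DRY_RUN mode of its own so the command sequence can be read before anything is changed. The one check worth having that the page's bare command list does not give you sits in front of certutil -D: the backup must be a non-empty DER blob (first byte 0x30, the ASN.1 SEQUENCE tag), otherwise a mistyped nickname leaves you with an empty backup.crt.der and no third-party certificate to restore. certutil -D removes only the certificate; the private key stays in the NSS database, which is why re-adding the DER with -A and empty trust flags is enough to put the original httpd certificate back.

```shell
#!/bin/sh
# Added example (not code from the bug report or from FreeIPA/IdM): the
# temporary-IPA-certificate workaround from the Doc Text as a script with
# checks around the destructive step. Assumptions of this example: the
# nickname and host name are given as arguments, the paths below are the
# RHEL 7 defaults quoted on the page, and DRY_RUN=1 prints each command
# instead of running it.
set -eu

DB=/etc/httpd/alias
PWDFILE=$DB/pwdfile.txt
RESTART=/usr/lib64/ipa/certmonger/restart_httpd
BACKUP=${BACKUP:-./backup.crt.der}
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or print it on stderr when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*" >&2
    else
        "$@"
    fi
}

# valid_fqdn: the service principal HTTP/<host> needs the fully qualified
# host name (contains a dot, no leading or trailing dot, no whitespace).
valid_fqdn() {
    case "$1" in
        ''|*[[:space:]]*|.*|*.) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# der_cert_ok: the backup must be non-empty and start with 0x30, the
# ASN.1 SEQUENCE tag every DER certificate begins with. An empty file
# (wrong nickname, unreadable database) would otherwise only be noticed
# after certutil -D has already removed the live certificate.
der_cert_ok() {
    [ -s "$1" ] || return 1
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = 30 ]
}

# swap_to_ipa_cert: back up the third-party certificate, clear the
# certificate stored on the HTTP service entry, then let certmonger track
# the NSS slot and request an IdM-issued certificate for it.
swap_to_ipa_cert() {
    nick=$1 host=$2
    valid_fqdn "$host" || { echo "not a fully qualified host name: $host" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ certutil -d %s -L -n %s -r > %s\n' "$DB" "$nick" "$BACKUP" >&2
    else
        certutil -d "$DB" -L -n "$nick" -r > "$BACKUP"
        der_cert_ok "$BACKUP" || { echo "$BACKUP is not a DER certificate; check the nickname" >&2; return 1; }
    fi
    run ipa service-mod "HTTP/$host" --certificate=
    run ipa-getcert start-tracking -d "$DB" -n "$nick" -p "$PWDFILE" -C "$RESTART"
    run ipa-getcert resubmit -d "$DB" -n "$nick" -K "HTTP/$host"
}

# restore_cert: once the replica is installed, put the third-party
# certificate back. certutil -D deletes only the certificate; the private
# key stays in the NSS database, so re-adding the DER with -A (empty trust
# flags ",,": a leaf certificate, not a trusted CA) re-pairs it with the key.
restore_cert() {
    nick=$1
    der_cert_ok "$BACKUP" || { echo "refusing to delete $nick: $BACKUP is missing or not DER" >&2; return 1; }
    run ipa-getcert stop-tracking -d "$DB" -n "$nick"
    run certutil -d "$DB" -D -n "$nick"
    run certutil -d "$DB" -A -n "$nick" -t ,, -i "$BACKUP"
    run systemctl restart httpd
}

case "${1:-}" in
    swap)    swap_to_ipa_cert "$2" "$3" ;;
    restore) restore_cert "$2" ;;
    *)       echo "usage: $0 swap NICKNAME HOSTNAME | $0 restore NICKNAME" >&2 ;;
esac
```

Run `DRY_RUN=1 ./swap-httpd-cert.sh swap Server-Cert ipa.example.com` first to see the commands, then without DRY_RUN on the master, install the replica, and finish with `restore Server-Cert`. If the replica was installed with ipa-ca-install, run ipa-certupdate on it right afterwards, as the Doc Text and the comments on this bug say.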