Bug 1309382

Summary: issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
Product: Red Hat Enterprise Linux 7
Reporter: Jan Kurik <jkurik>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.3
CC: akasurde, ekeck, enewland, ipa-maint, jcholast, jnansi, ksiddiqu, mbasti, pvoborni, rcritten
Target Milestone: rc
Keywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.2.0-15.el7_2.12
Doc Type: Bug Fix
Doc Text:
The ipa-replica-install and ipa-ca-install utilities failed when installing a replica of a Red Hat Enterprise Linux 6 master with a self-signed CA certificate. This update fixes the bug. Note that after running ipa-ca-install, you must run the ipa-certupdate utility. Also, it is not possible to install a replica with a CA certificate against a master that uses a third-party certificate for the httpd service. To work around this problem, issue a temporary IdM certificate for httpd on the master before installing the replica:

# certutil -d /etc/httpd/alias -L -n [NICKNAME] -r >backup.crt.der
# ipa service-mod HTTP/[HOSTNAME] --certificate=
# ipa-getcert start-tracking -d /etc/httpd/alias -n [NICKNAME] -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
# ipa-getcert resubmit -d /etc/httpd/alias -n [NICKNAME] -K HTTP/[HOSTNAME]

After installing the replica, revert to the original certificate:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n [NICKNAME]
# certutil -d /etc/httpd/alias -D -n [NICKNAME]
# certutil -d /etc/httpd/alias -A -n [NICKNAME] -t ,, -i backup.crt.der
# systemctl restart httpd
Story Points: ---
Clone Of: 1301687
Environment:
Last Closed: 2016-05-12 09:58:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1301687
Bug Blocks:
Attachments:
- tkt_4492.log
- tkt_5595.log
- tkt_5598.log
- tkt_5611.log
- tkt_5636.log

Description Jan Kurik 2016-02-17 16:15:48 UTC
This bug has been copied from bug #1301687 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 3 Jan Cholasta 2016-02-23 14:22:40 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4492

Comment 5 Petr Vobornik 2016-02-24 16:26:56 UTC
Jan, please provide the impact of the missing fix for Bug 1301546 and what the possible workarounds are.

Comment 6 Jan Cholasta 2016-02-25 08:46:25 UTC
The impact is that installing a replica with a CA is not possible against a master which uses a 3rd party cert for httpd.

The workaround is to issue a (temporary) IPA cert for httpd on the master before installing the replica:

# certutil -d /etc/httpd/alias -L -n $NICKNAME -r >backup.crt.der
# ipa service-mod HTTP/$HOSTNAME --certificate=
# ipa-getcert start-tracking -d /etc/httpd/alias -n $NICKNAME -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
# ipa-getcert resubmit -d /etc/httpd/alias -n $NICKNAME -K HTTP/$HOSTNAME

After installing the replica, you can revert to the original cert:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n $NICKNAME
# certutil -d /etc/httpd/alias -D -n $NICKNAME
# certutil -d /etc/httpd/alias -A -n $NICKNAME -t ,, -i backup.crt.der
# systemctl restart httpd
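
An added wrapper around the workaround above (example code, not from the bug report or the FreeIPA project) that exports the original httpd certificate and verifies the backup before anything in the NSS database is changed, and verifies it again before the revert deletes the temporary certificate; the database path, password file and certmonger restart helper are the ones from the comment, while the nickname and hostname are passed by the operator and the DRY_RUN switch is an assumption of this script.

```shell
#!/bin/sh
# Added example, not from the bug report: a wrapper for the comment 6 workaround.
# It refuses to modify the httpd NSS database until the backup of the original
# third-party certificate exists and parses as X.509, and re-checks that file
# before the revert deletes anything. Paths are the bug's; DRY_RUN=1 only
# prints the commands instead of running them (useful for rehearsal).
set -eu

NSSDB=/etc/httpd/alias
PWDFILE=$NSSDB/pwdfile.txt
RESTART_HELPER=/usr/lib64/ipa/certmonger/restart_httpd

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The DER backup must be non-empty and a certificate openssl can parse.
check_backup() {  # arg: backup file
  [ "${DRY_RUN:-0}" = 1 ] && return 0
  [ -s "$1" ] || { echo "backup $1 missing or empty, aborting" >&2; return 1; }
  openssl x509 -inform DER -in "$1" -noout -subject >/dev/null
}

# Phase 1, on the master before ipa-replica-install: export the third-party
# cert, then replace it with a certmonger-tracked IPA-issued one.
prepare() {  # args: nickname hostname backup_file
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'certutil -d %s -L -n %s -r >%s\n' "$NSSDB" "$1" "$3"
  else
    certutil -d "$NSSDB" -L -n "$1" -r >"$3"
  fi
  check_backup "$3"          # nothing below runs unless the backup is good
  run ipa service-mod "HTTP/$2" --certificate=
  run ipa-getcert start-tracking -d "$NSSDB" -n "$1" -p "$PWDFILE" -C "$RESTART_HELPER"
  run ipa-getcert resubmit -d "$NSSDB" -n "$1" -K "HTTP/$2"
}

# Phase 2, after the replica is installed: stop tracking, drop the temporary
# IPA cert and re-import the original. Checking the backup first means a lost
# file cannot leave httpd with no certificate at all.
revert() {  # args: nickname backup_file
  check_backup "$2"
  run ipa-getcert stop-tracking -d "$NSSDB" -n "$1"
  run certutil -d "$NSSDB" -D -n "$1"
  run certutil -d "$NSSDB" -A -n "$1" -t ,, -i "$2"
  run systemctl restart httpd
}
```

Run `prepare` on the master, install the replica, then run `revert` with the same nickname and backup file; a `DRY_RUN=1` pass first shows the exact command sequence without touching the database.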

Comment 9 Abhijeet Kasurde 2016-03-17 12:26:13 UTC
Verified using IPA server version ::

ipa-server-4.2.0-15.el7_2.10.x86_64

Please find the console.log for each ticket in attachments.

For https://fedorahosted.org/freeipa/ticket/5636 ticket, there is another bug reported - BZ1318616

Comment 10 Abhijeet Kasurde 2016-03-17 12:26:56 UTC
Created attachment 1137376 [details]
tkt_4492.log

Comment 11 Abhijeet Kasurde 2016-03-17 12:27:20 UTC
Created attachment 1137377 [details]
tkt_5595.log

Comment 12 Abhijeet Kasurde 2016-03-17 12:27:45 UTC
Created attachment 1137379 [details]
tkt_5598.log

Comment 13 Abhijeet Kasurde 2016-03-17 12:28:08 UTC
Created attachment 1137381 [details]
tkt_5611.log

Comment 14 Jan Cholasta 2016-03-17 13:04:36 UTC
The workaround for bug 1318616 is to run ipa-certupdate right after ipa-ca-install.

To make the workaround actually work, the fix for IPA ticket 5506 needs to be included as well. Moving back to POST.

Comment 15 Jan Cholasta 2016-03-17 13:06:24 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5506

Comment 17 Abhijeet Kasurde 2016-03-18 06:36:00 UTC
Verified using IPA version with the workaround suggested in comment #14:
ipa-server-4.2.0-15.el7_2.12.x86_64

See attachment for console.log.

Comment 18 Abhijeet Kasurde 2016-03-18 06:36:41 UTC
Created attachment 1137687 [details]
tkt_5636.log

Comment 20 errata-xmlrpc 2016-05-12 09:58:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1036.html