Bug 1327092
| Field | Value |
|---|---|
| Summary | URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2. |
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.2 |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Reporter | Nikhil Dehadrai <ndehadra> |
| Assignee | Fraser Tweedale <ftweedal> |
| QA Contact | Kaleem <ksiddiqu> |
| CC | cheimes, ekeck, ftweedal, jcholast, mkolaja, mkosek, ndehadra, pvoborni, rcritten |
| Target Milestone | rc |
| Keywords | ZStream |
| Hardware | All |
| OS | Linux |
| Fixed In Version | ipa-4.3.1-0.201605191449GITf8edf37.el7 |
| Doc Type | Bug Fix |
| | 1337820 |
| Last Closed | 2016-11-04 05:53:08 UTC |
| Type | Bug |
| Bug Blocks | 1337820 |

Description
Nikhil Dehadrai
2016-04-14 09:33:51 UTC
Btw, this does not happen upstream with ipa 4.3 and pki-ca-10.2.6-15.fc23

Fraser, could it be related to bug 1284803 or bug 1311468? I would say that it isn't. Also we didn't do any CRL or OCSP related configuration in IPA in u2. To me it looks like a bug in PKI. What do you think?

What are the pki-ca versions?

Please find the pki-ca version details below:
1. RHEL 7.2.2 = pki-ca-10.2.5-6.el7.noarch
2. RHEL 7.2.1 = pki-ca-10.2.5-6.el7.noarch
3. RHEL 7.2GA = pki-ca-10.2.5-6.el7.noarch

Petr, I agree it is not unlikely to be related to those bugs. There was an issue reported in freeipa-users recently with same or similar symptoms - the caIPAserverCert profile shipped with Dogtag somehow ended up in LDAP instead of the version shipped with FreeIPA. I need to investigate further.

Was there any result for the investigation?

I'm unable to reproduce; more information about how the IPA server gets to this point is needed, e.g.:
- is it a clone or migration from another master?
- is it an upgrade from an earlier release?
- please attach IPA install logs (and IPA upgrade log, if applicable)

Thanks!

Nikhil, do you have an estimate in what percentage of test runs this failure happens?

Hi Petr, I have noticed this behavior in my upgrade tests related to
1) 7.2up1 > 7.2up4 - (Noticed in Normal upgrade tests).
2) 7.2up2 > 7.2up4 - (Noticed in Normal upgrade tests).

and did not notice it in upgrade path
1) 7.2GA > 7.2up4 - (Did not Notice in Normal upgrade tests)
2) 7.0.z > 7.2up4 - (Did not Notice in Normal upgrade tests)

So I would say, roughly 50% of my test runs.

Nikhil, can you please advise whether the affected installations are replicas or had replicas created from them? If so, could you please precisely describe the topology? Does the problem occur in installations *without* clones?

Hi Fraser, Yes, the setup consisted of Master, Replica and Client (MRC topology). The issue was noticed on Master as well as Replica.
Let me know, if you want I can re-run the task and can provide access accordingly.

Fixed upstream

master:
https://fedorahosted.org/freeipa/changeset/5dad49688c5d87df979b926b9de6ab9a1e49becf
https://fedorahosted.org/freeipa/changeset/356f262fb7320345fd5f787c383912b9a2d77314

ipa-4-2:
https://fedorahosted.org/freeipa/changeset/c72993b02c761f2edbe163a1f6d0dbd7db8bd401
https://fedorahosted.org/freeipa/changeset/f116e51ce3d495758ff71f685b78d4848ce6708c

ipa-4-3:
https://fedorahosted.org/freeipa/changeset/fc292f53640afcdd819739faba3245abddc04bf7
https://fedorahosted.org/freeipa/changeset/e9672b1a2b191a1622f18a57a2751e4db3e9e39d

Server build: ipa-server-4.4.0-3.el7.x86_64

Verified the bug on the basis of following steps:
1. Verified that on running the script on the IPA master URI and OCSP details are displayed correctly.
2. Verified that the script for both MASTER and REPLICA.

Thus on the basis of above observation, marking the status of bug to "VERIFIED-FIXED"

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html