Bug 1387779
| Field | Value |
|---|---|
| Summary | Make httpd publish CA certificate on Domain Level 1 |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Petr Vobornik <pvoborni> |
| Component | ipa |
| Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Sudhir Menon <sumenon> |
| Severity | unspecified |
| Priority | high |
| Version | 7.3 |
| CC | ipa-qe, jcholast, jreznik, kborup, mbasti, nsoman, pvoborni, rcritten, tscherf |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.4.0-14.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Clone Of | |
| (unlabelled) | 1389379 |
| Last Closed | 2017-08-01 09:42:02 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1389379 |
Description

Petr Vobornik, 2016-10-21 21:03:33 UTC

master:
* 5d15626b4db8f5e777e037680623badc86b6c31d Make httpd publish its CA certificate on DL1

ipa-4-4:
* c84d920ce8b4ca634d72d7bd99652f93f98b0959 Make httpd publish its CA certificate on DL1

Fixed upstream

master: https://fedorahosted.org/freeipa/changeset/842bf3d09f4b2de7d4b52005ac970594345455e0
ipa-4-4: https://fedorahosted.org/freeipa/changeset/19a32da65f792bc8f054c14edfcf704876e0257e

*** Bug 1403844 has been marked as a duplicate of this bug. ***

Verified on RHEL7.4 as per comment6 in bz1389379.

ipa-server-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
sssd-1.15.2-29.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
selinux-policy-3.13.1-148.el7.noarch

```
[root@replica ~]# ipa-replica-install -P admin -w Secret123
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
Configuring client side components
Discovery was successful!
Client hostname: replica.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  2017-05-15 09:00:32
    Valid Until: 2037-05-15 09:00:32

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Hostname (replica.testrelm.test) does not have A/AAAA record.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Clients may not function properly.
Please check your DNS setup.
(Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/40]: creating directory server instance
  [2/40]: enabling ldapi
  [3/40]: configure autobind for root
  [4/40]: stopping directory server
  [5/40]: updating configuration in dse.ldif
  [6/40]: starting directory server
  [7/40]: adding default schema
  [8/40]: enabling memberof plugin
  [9/40]: enabling winsync plugin
  [10/40]: configuring replication version plugin
  [11/40]: enabling IPA enrollment plugin
  [12/40]: configuring uniqueness plugin
  [13/40]: configuring uuid plugin
  [14/40]: configuring modrdn plugin
  [15/40]: configuring DNS plugin
  [16/40]: enabling entryUSN plugin
  [17/40]: configuring lockout plugin
  [18/40]: configuring topology plugin
  [19/40]: creating indices
  [20/40]: enabling referential integrity plugin
  [21/40]: configuring certmap.conf
  [22/40]: configure new location for managed entries
  [23/40]: configure dirsrv ccache
  [24/40]: enabling SASL mapping fallback
  [25/40]: restarting directory server
  [26/40]: creating DS keytab
  [27/40]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
  [28/40]: adding sasl mappings to the directory
  [29/40]: updating schema
  [30/40]: setting Auto Member configuration
  [31/40]: enabling S4U2Proxy delegation
  [32/40]: initializing group membership
  [33/40]: adding master entry
  [34/40]: initializing domain level
  [35/40]: configuring Posix uid/gid generation
  [36/40]: adding replication acis
  [37/40]: activating sidgen plugin
  [38/40]: activating extdom plugin
  [39/40]: tuning directory server
  [40/40]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: setting mod_nss port to 443
  [3/21]: setting mod_nss cipher suite
  [4/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/21]: setting mod_nss password file
  [6/21]: enabling mod_nss renegotiate
  [7/21]: adding URL rewriting rules
  [8/21]: configuring httpd
  [9/21]: setting up httpd keytab
  [10/21]: configuring Gssproxy
  [11/21]: setting up ssl
  [12/21]: configure certmonger for renewals
  [13/21]: importing CA certificates from LDAP
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC

[root@replica ~]# ls /usr/share/ipa/html/ca.crt
/usr/share/ipa/html/ca.crt

[root@replica ~]# echo Secret123 | kinit admin
Password for admin:

[root@replica ~]# klist -l
Principal name                 Cache name
--------------                 ----------
admin                          KEYRING:persistent:0:0

[root@master ~]# ipa domainlevel-get
-----------------------
Current domain level: 1
-----------------------

[root@replica ~]# ipa domainlevel-get
-----------------------
Current domain level: 1
-----------------------
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304