Bug 1436724

Summary: Renewal of IPA RA fails on replica
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: Pavel Picka <ppicka>
Status: CLOSED ERRATA QA Contact: Pavel Picka <ppicka>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.4CC: frenaud, ksiddiqu, nsoman, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-3.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:47:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
output none

Description Petr Vobornik 2017-03-28 13:51:55 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6813

FreeIPA configured with CA on the master and no CA on the replica.
If I renew the IPA RA agent on the master, then try to renew the same on the replica, the operation fails on the replica:

    Request ID '20170324090012':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://replica.example.com:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=IPA RA,O=EXAMPLE.COM
	expires: 2019-03-14 08:53:32 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes

Note that the agent tries to contact Dogtag on the replica but Dogtag is only installed on the server. The agent should rather try to download the certificate from LDAP.

The issue happens because of a bug in /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit, where the code checks if the certificate is replicated in order to either request renewal or download the renewed cert:

    def is_replicated():
        return not get_nickname()

The code should do the opposite: ie a cert is replicated if get_nickname() returns a name.
Comment 2 Petr Vobornik 2017-03-28 13:52:12 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6813
Comment 3 Petr Vobornik 2017-03-28 13:56:55 UTC 
master:
    e934da09d5e738c735f874931dd1b54d79b3150b dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function

ipa-4-5:
    8f738f1ea9f86a921e3dc0fd02e57419f3173ed9 dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
Comment 7 Pavel Picka 2017-06-08 08:22:30 UTC 
Created attachment 1286066 [details]
output

verified on ipa-server-4.5.0-14.el7.x86_64
Comment 8 errata-xmlrpc 2017-08-01 09:47:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304