Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
After upgrading top IPA Server 4.5, running ipa-server-upgrade fails with;
2017-08-22T15:37:42Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-XX -L -n Server-Cert -a -f /etc/dirsrv/slapd-XX/pwdfile.txt
2017-08-22T15:37:42Z DEBUG Process finished, return code=255
2017-08-22T15:37:42Z DEBUG stdout=
2017-08-22T15:37:42Z DEBUG stderr=certutil: Could not find cert: Server-Cert
Here's a dump of what's in the certificates:
certutil -L -d /etc/dirsrv/slapd-XX
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
XX IPA CA CT,C,C
digicertRoot CT,,
digicert CT,,
CN=XX,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US,postalCode=27601,STREET=100 East Davie St.,serialNumber=XX,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization u,u,u
The last certificate is the Server-Cert with a different name. Renaming it makes dirsrv@.service fail on start.
kinit works. Logging in from the web does not.
Version-Release number of selected component (if applicable):
How reproducible:
I'm only done an upgrade once. Not sure.
Steps to Reproduce:
yum update on a server running 7.3 with ipa-server which has a signed cert from a 3rd party CA.
Actual results:
Expected results:
Upgrade succeeds.
Additional info:
Web UI login doesn't work because upgrader failed early and thus PKINIT, which is required for Web UI password auth, was not configured.
Flo, could you check if we have a regression?
Comment 4Florence Blanc-Renaud
2017-09-04 15:42:00 UTC
The issue happens because upgrade stop and starts tracking httpd/ldap certificates and makes 2 assumptions:
- the cert nickname is Server-Cert (which is not always true)
- if ca is enabled, the cert must be tracked by certmonger (which is not always true, the cert can be a 3rd part cert even if CA is installed).
This is a regression introduced in ipa 4.3 (ie present in rhel 7.3 also)
Comment 5Florence Blanc-Renaud
2017-09-05 14:24:23 UTC
version:
ipa-server-4.5.4-6.el7.x86_64
Steps:
1. Install IPA master on RHEL 7.3 machine with --external-ca option
2. Signed the generated csr in 1 from external ca
3. Using signed ipa cert complete installation.
4. Set repo for ipa 4.5
5. yum update ipa* sssd
6. Check upgrade logs i.e /var/log/ipaupgrade.log
7. Check the ipa version
8. Check for ipa services
9. Check for web UI login.
Based on above steps upgrade is successful. Web UI login succeed. Thus marking the bug verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:0918
Description of problem: After upgrading top IPA Server 4.5, running ipa-server-upgrade fails with; 2017-08-22T15:37:42Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-XX -L -n Server-Cert -a -f /etc/dirsrv/slapd-XX/pwdfile.txt 2017-08-22T15:37:42Z DEBUG Process finished, return code=255 2017-08-22T15:37:42Z DEBUG stdout= 2017-08-22T15:37:42Z DEBUG stderr=certutil: Could not find cert: Server-Cert Here's a dump of what's in the certificates: certutil -L -d /etc/dirsrv/slapd-XX Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI XX IPA CA CT,C,C digicertRoot CT,, digicert CT,, CN=XX,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US,postalCode=27601,STREET=100 East Davie St.,serialNumber=XX,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization u,u,u The last certificate is the Server-Cert with a different name. Renaming it makes dirsrv@.service fail on start. kinit works. Logging in from the web does not. Version-Release number of selected component (if applicable): How reproducible: I'm only done an upgrade once. Not sure. Steps to Reproduce: yum update on a server running 7.3 with ipa-server which has a signed cert from a 3rd party CA. Actual results: Expected results: Upgrade succeeds. Additional info: