Bug 1502533
Summary: | Changing cert-find to go through the proxy instead of using the port 8080 | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Thorsten Scherf <tscherf>
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint>
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 7.4 | CC: | fbarreto, ftweedal, ksiddiqu, ndehadra, pvoborni, rcritten, tscherf
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | ipa-4.5.4-1.el7 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2018-04-10 16:48:21 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |

Description
Thorsten Scherf
2017-10-16 07:51:08 UTC
ipa-server version: ipa-server-4.5.4-8.el7.x86_64

VERIFIED the bug on the basis of the following observations:

A) VERIFIED that, on RHEL 7.4.z IPA MASTER and CLIENT, when the ports 8080 are blocked then the 'ipa cert-find' command fails (ipa-server-4.5.0-22.el7_4.x86_64) (Reproducer)

IPA-Master:
-----------

    # iptables -A OUTPUT -p tcp -o lo --dport 8080 -j DROP
    # iptables -A OUTPUT -p tcp -i lo --dport 8080 -j DROP
    # iptables -A OUTPUT -p tcp -o enp4s0 --dport 8080 -j DROP
    # iptables -A INPUT -p tcp -i enp4s0 --dport 8080 -j DROP

    [root@qe-blade-09 ~]# iptables -L --line-numbers
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    DROP       tcp  --  anywhere             anywhere             tcp dpt:webcache
    2    DROP       tcp  --  anywhere             anywhere             tcp dpt:webcache

    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    DROP       tcp  --  anywhere             anywhere             tcp dpt:webcache
    2    DROP       tcp  --  anywhere             anywhere             tcp dpt:webcache

IPA-CLIENT:
--------------

    [root@ipaqavmc ~]# kdestroy
    [root@ipaqavmc ~]# kinit admin
    Password for admin:
    [root@ipaqavmc ~]# ipa cert-find
    ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS ([Errno 110] Connection timed out)

B) VERIFIED that, on RHEL 7.5 IPA MASTER and CLIENT (ipa-server-4.5.4-8.el7.x86_64) (Fix), when the ports 8080 are blocked then the 'ipa cert-find' command is successful. The 'ipa cert-find' command eventually fails when both '8080' and '80' ports are blocked.

Thus, on the basis of the above observations and comment#5 and comment#6, marking the status of the bug as 'VERIFIED'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918