Bug 1547995

Summary: CRL url on replicas gets incorrectly redirected
Product: Red Hat Enterprise Linux 7
Reporter: Johan Swensson <jswensso>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.4
CC: cheimes, myusuf, ndehadra, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.6.4-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 10:57:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Johan Swensson 2018-02-22 13:55:04 UTC
Description of problem:
On an IDM replica the CRL URL gets redirected to an incorrect URL.
This does not happen when trying the first IDM server's CRL URL.

How reproducible:
Every time, against an IDM replica

Steps to Reproduce:
1. deploy idm
2. deploy a replica
3. try to fetch http://replica.example.com/ipa/crl/MasterCRL.bin from the replica

Actual results:
Request gets redirected to https://replica.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL

Expected results:
The request should not be redirected

Additional info:
This only happens against replicas, not the first IDM server.

Comment 3 fbarreto 2018-03-07 13:26:57 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7433

Comment 4 Christian Heimes 2018-03-16 06:43:00 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/bfd11701188bb1d41bf0d15942b8bd2776cfa159

Comment 6 Mohammad Rizwan 2018-08-27 09:57:31 UTC
version:
ipa-server-4.6.4-6.el7.x86_64

Steps:
1. install ipa Master
2. install ipa Replica
3. try to fetch http://<replica-fqdn>/ipa/crl/MasterCRL.bin from the replica


Actual result:

[root@hp-dl380pgen8-02-vm-14 ~]# wget http://hp-dl380pgen8-02-vm-14.testrelm.test/ipa/crl/MasterCRL.bin
--2018-08-27 05:47:36--  http://hp-dl380pgen8-02-vm-14.testrelm.test/ipa/crl/MasterCRL.bin
Resolving hp-dl380pgen8-02-vm-14.testrelm.test (hp-dl380pgen8-02-vm-14.testrelm.test)... 10.16.46.36
Connecting to hp-dl380pgen8-02-vm-14.testrelm.test (hp-dl380pgen8-02-vm-14.testrelm.test)|10.16.46.36|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://hp-dl380pgen8-02-vm-14.testrelm.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [following]
--2018-08-27 05:47:36--  http://hp-dl380pgen8-02-vm-14.testrelm.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
Reusing existing connection to hp-dl380pgen8-02-vm-14.testrelm.test:80.
HTTP request sent, awaiting response... 200 OK
Length: 438 [application/octet-stream]
Saving to: ‘MasterCRL.bin’

100%[========================================================================================================>] 438         --.-K/s   in 0s      

2018-08-27 05:47:36 (46.4 MB/s) - ‘MasterCRL.bin’ saved [438/438]

[root@hp-dl380pgen8-02-vm-14 ~]# ll
total 76
-rw-------. 1 root    root    22079 Aug 27 05:01 anaconda-ks.cfg
-rw-r--r--. 1 pkiuser pkiuser 11324 Aug 27 05:27 cacert.p12
drwxr-xr-x. 2 root    root     4096 Aug 27 05:31 dev-shm-backup
-rw-r--r--. 1 root    root      438 Aug 27 05:47 MasterCRL.bin
-rw-r--r--. 1 root    root        4 Aug 27 05:00 NETBOOT_METHOD.TXT
-rw-------. 1 root    root    21576 Aug 27 05:01 original-ks.cfg
-rw-r--r--. 1 root    root        8 Aug 27 05:00 RECIPE.TXT


[root@hp-dl380pgen8-02-vm-14 ~]# curl http://hp-dl380pgen8-02-vm-14.testrelm.test/ipa/crl/MasterCRL.bin
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://hp-dl380pgen8-02-vm-14.testrelm.test/ca/ee/ca/getCRL?op=getCRL&amp;crlIssuingPoint=MasterCRL">here</a>.</p>
</body></html>


The request is redirected to the http port and not the https port (as initially reported in the bz):
[..]
<p>The document has moved <a href="http://hp-dl380pgen8-02-vm-14.testrelm.test/ca/ee/ca/getCRL?op=getCRL&amp;crlIssuingPoint=MasterCRL">here</a>.</p>
[..]

and
[..]
Location: http://hp-dl380pgen8-02-vm-14.testrelm.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [following]
--2018-08-27 05:47:36--  http://hp-dl380pgen8-02-vm-14.testrelm.test/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
[..]

Hence, based on the above observation, marking the bug as verified.
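
Added example, not part of the original report or of the IPA code base: a shell check that separates the behaviour first reported (redirect to https) from the behaviour accepted at verification (redirect that stays on http). The function name and the sample headers are assumptions, constructed from the URLs quoted in this report.

```shell
#!/bin/sh
# classify_crl_redirect ORIGINAL_URL   (hypothetical helper, added example)
# Reads HTTP response headers on stdin, e.g. from `curl -sI ORIGINAL_URL`,
# and prints one of:
#   direct        - no Location header; the CRL is served at the requested URL
#   same-scheme   - redirected, target keeps the scheme of the request
#   scheme-change - redirected to another scheme (http -> https); exit status 1
classify_crl_redirect() {
    orig_scheme=$(printf '%s' "${1%%://*}" | tr 'A-Z' 'a-z')
    # First Location header, matched case-insensitively, with CRs stripped.
    location=$(tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }')
    if [ -z "$location" ]; then
        echo direct
        return 0
    fi
    case $location in
        *://*) new_scheme=$(printf '%s' "${location%%://*}" | tr 'A-Z' 'a-z') ;;
        *)     new_scheme=$orig_scheme ;;  # relative redirect keeps the scheme
    esac
    if [ "$new_scheme" = "$orig_scheme" ]; then
        echo same-scheme
        return 0
    fi
    echo scheme-change
    return 1
}

# Constructed sample headers, modelled on the URLs in this report.
REPORTED_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://replica.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL'
VERIFIED_HEADERS='HTTP/1.1 301 Moved Permanently
Location: http://replica.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL'

CRL_URL=http://replica.example.com/ipa/crl/MasterCRL.bin
for sample in "$REPORTED_HEADERS" "$VERIFIED_HEADERS"; do
    printf '%s\n' "$sample" | classify_crl_redirect "$CRL_URL" || true
done
```

Against a live replica the same function can be fed with `curl -sI "$CRL_URL" | classify_crl_redirect "$CRL_URL"`.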

Comment 8 errata-xmlrpc 2018-10-30 10:57:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187