Bug 1754902

Summary: Running ipa-server-install fails when RHEL 7.7 packages are installed on RHEL 7.6
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.7CC: ksiddiqu, pasik, pcech, rcritten, ssidhaye, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.6-12.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:58:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
verification steps with output none

Description Jan Pazdziora (Red Hat) 2019-09-24 10:45:18 UTC 
Description of problem:

When ipa-server-4.6.5-11.el7.x86_64 and its dependencies from RHEL 7.7 are installed on RHEL 7.6 which is not fully up-to-date, ipa-server-install fails.

Version-Release number of selected component (if applicable):

ipa-server-4.6.5-11.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have RHEL 7.6 machine.
2. Point it to RHEL 7.7 repository.
3. Install ipa-server.
4. Run ipa-server-install.

Actual results:

  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
ipapython.admintool: ERROR    CA did not start in 300.0s
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

ipa-server-install passes.

Additional info:

When yum upgrade -y is done before running that ipa-server-install, it passes as well. I suspect nss might be involved. However, if ipa-server or some of its components needs certain other component in a particular version, it should have versioned dependency.
Comment 3 Rob Crittenden 2019-09-24 12:35:02 UTC 
Seems like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1751374
Comment 4 Rob Crittenden 2019-10-31 15:37:40 UTC 
We can't test all possible combinations of package installations. I'm not sure what to do with this. This does not occur on a fully updated installation.
Comment 5 Florence Blanc-Renaud 2020-01-29 16:53:15 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/8141
Comment 6 Florence Blanc-Renaud 2020-01-29 16:54:17 UTC 
I didn't test all possible combinations but saw that using RHEL7.6 + 389-ds-base-1.3.9.1-10.el7.x86_64 fails.
On the other hand RHEL 7.6 + 389-ds-base-1.3.9.1-10.el7.x86_64 + nss-3.44.0-4.el7.x86_64 succeeds.

We should bump the Requires of nss to 3.44 in our ipa.spec file for RHEL 7.7+. Linking this BZ to pagure ticket https://pagure.io/freeipa/issue/8141  #8141 Update nss dependency in the ipa-server rpm
Comment 9 Kaleem 2020-04-02 08:01:50 UTC 
Verified.

Please find the attached file (verified-output.txt) for details.
Comment 10 Kaleem 2020-04-02 08:02:53 UTC 
Created attachment 1675638 [details]
verification steps with output
Comment 11 Kaleem 2020-04-02 08:03:48 UTC 
Setting qe_test_coverage to - as no test/automation required for this.
Comment 14 errata-xmlrpc 2020-09-29 19:58:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: ipa security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3936