Bug 1756913
Summary: | Sub-CA key replication failure [rhel-7.6.z] | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> | |
Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> | |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
Severity: | urgent | Docs Contact: | ||
Priority: | high | |||
Version: | 7.7 | CC: | frenaud, ftweedal, rcritten, ssidhaye, sumenon, tscherf | |
Target Milestone: | rc | Keywords: | Regression, ZStream | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | ipa-4.6.4-10.el7_6.9 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | 1755223 | |||
: | 1829993 (view as bug list) | Environment: | ||
Last Closed: | 2019-12-10 12:38:29 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1755223 | |||
Bug Blocks: | 1829993 |
Description
RAD team bot copy to z-stream
2019-09-30 08:14:45 UTC
Bugzilla has been verified manually using the below steps [root@master alias]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.6 (Maipo) ipa-server-4.6.4-10.el7_6.9.x86_64 389-ds-base-1.3.8.4-25.1.el7_6.x86_64 pki-ca-10.5.9-13.el7_6.noarch 1. install master 2. install replica with CA 3. create a sub-CA on one server (e.g master) #ipa ca-add test_subca --subject='cn=test_subca' #ipa ca-find [root@master alias]# ipa ca-find Name: test_subca Authority ID: b6edadc5-adc2-4245-8ad5-56fef2963eb6 Subject DN: CN=test_subca Issuer DN: CN=Certificate Authority,O=RHEL76.TEST 4. Check the sub-CA signing keys on master. [root@master alias]# pwd /var/lib/pki/pki-tomcat/alias [root@master alias]# certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca b6edadc5-adc2-4245-8ad5-56fef2963eb6 u,u,u 5. confirm that after a short time (10 seconds ought to do it), the sub-CA signing keys appear in the Dogtag NSSDB on the OTHER server (certutil -d /etc/pki/pki-tomcat/alias -L) [root@replica alias]# certutil -d . -L caSigningCert cert-pki-ca b6edadc5-adc2-4245-8ad5-56fef2963eb6 u,u,u Hence marking the bug as VERIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:4170 |