Bug 1902727
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | ipa-acme-manage enable fails after upgrade | | |
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Mohammad Rizwan <myusuf> |
| Component: | ipa | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.4 | CC: | ksiddiqu, ndehadra, pasik, rcritten, ssidhaye, sumenon, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.9.0-0.2.rc2 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-18 15:48:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1905919 | | |
| Bug Blocks: | 1851835 | | |
Description
Mohammad Rizwan
2020-11-30 14:06:35 UTC
upgraded ipa package version: ipa-server-4.9.0-0.1.rc1.module+el8.4.0+8830+62cd648b.x86_64

Upstream ticket: https://pagure.io/freeipa/issue/8603

It looks like the IPA RA user, which is used to authenticate to the CA REST API, isn't added as a member to the Enterprise ACME Administrators group in the CA on upgrades, so auth fails.

Fixed upstream master:
81c97bb9928a88a595b3afe6fa70fcfb267b1440
2068c7c472d3548962dfef76b26ac2ff19dec4dd

Fixed upstream ipa-4-9:
https://pagure.io/freeipa/c/0d6caf5d0eae315797b36abfe8444827bdd71fb7
https://pagure.io/freeipa/c/ea67962d5d2b4812234bb6c22c85b7716951b2f9

Tested the below scenario manually using nightly compose build.

```
[root@server1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.4 Beta (Ootpa)
[root@server1 ~]# rpm -q ipa-server
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
[root@server1 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
Updating DNS system records
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Profile 'acmeServerCert' is already in LDAP and enabled; skipping
..... ...... ........
Profile 'IECUserRoles' is already in LDAP; skipping
Profile 'KDCs_PKINIT_Certs' is already in LDAP; skipping
Profile 'acmeIPAServerCert' is already in LDAP; skipping
[Add default CA ACL]
[Migrating to authselect profile]
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add root alias to admin account]
Alias already exists
[Setup SPAKE]
[Setup PKINIT]
[Enable server krb5.conf snippet]
[Adding ipa-ca alias to HTTP certificate]
Certificate is OK; nothing to do
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@server1 ~]# ipa-acme-manage enable
The ipa-acme-manage command was successful
[root@server1 ~]# ipa-acme-manage status
ACME is enabled
The ipa-acme-manage command was successful
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846
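The root cause above is a missing group membership in the CA's LDAP backend, so a quick post-upgrade check is to read the ACME administrators group entry and confirm the RA agent is listed. The script below is an added example, not code from FreeIPA or from this bug report; the DNs (`uid=ipara,ou=people,o=ipaca`, `cn=Enterprise ACME Administrators,ou=groups,o=ipaca`) and the `uniqueMember` attribute are assumptions about the Dogtag layout, and the LDIF input is constructed.

```python
"""Check whether the IPA RA agent is a member of the Dogtag
'Enterprise ACME Administrators' group, given the group entry as
plain LDIF text (no base64 '::' values), and emit the LDIF modify
that would restore the membership if it is missing."""

# Assumed DNs and attribute (Dogtag/FreeIPA layout; not taken from the bug).
RA_AGENT_DN = "uid=ipara,ou=people,o=ipaca"
ACME_ADMIN_GROUP_DN = "cn=Enterprise ACME Administrators,ou=groups,o=ipaca"
MEMBER_ATTR = "uniqueMember"


def _norm_dn(dn):
    """Normalise a DN for comparison: case-insensitive, no spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif_entry(ldif_text):
    """Parse one LDIF entry into {attr_lower: [values]}, unfolding
    continuation lines (leading space) and skipping comments/blank lines."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of previous line
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def ra_is_acme_admin(group_ldif):
    """True if RA_AGENT_DN appears among the group's uniqueMember values."""
    members = parse_ldif_entry(group_ldif).get(MEMBER_ATTR.lower(), [])
    return _norm_dn(RA_AGENT_DN) in {_norm_dn(m) for m in members}


def fix_ldif(group_ldif):
    """Return an LDIF modify adding the RA agent, or None if already a member."""
    if ra_is_acme_admin(group_ldif):
        return None
    return ("dn: %s\nchangetype: modify\nadd: %s\n%s: %s\n"
            % (ACME_ADMIN_GROUP_DN, MEMBER_ATTR, MEMBER_ATTR, RA_AGENT_DN))


# Constructed sample: the group as it looks after the broken upgrade
# (group exists, but only the CA administrator is a member).
SAMPLE_BROKEN = """dn: cn=Enterprise ACME Administrators,ou=groups,o=ipaca
objectClass: groupOfUniqueNames
cn: Enterprise ACME Administrators
uniqueMember: uid=admin,ou=people,o=ipaca
"""
```

Feed it the entry returned by an ldapsearch against the CA's directory; a `None` from `fix_ldif` means the RA agent can authenticate to the ACME admin API, and any other result is the change the upgrade should have applied.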