Bug 1928900

Summary: Support new baseURL config option for ACME
Product: Red Hat Enterprise Linux 8 Reporter: Rob Crittenden <rcritten>
Component: ipaAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.4CC: amore, pcech, rcritten, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.9.2-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:48:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rob Crittenden 2021-02-15 19:19:00 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8712

### Issue
ACME uses nonce values to prevent replay attacks. Since the ipa-ca name can go to any of the IPA servers in order to verify the nonce the servers need to know the value that was set which relies on replication. Sometimes the client is faster than replication so a request can fail.

The PKI team addressed this in upstream PR https://github.com/dogtagpki/pki/pull/3435

A new option was added, baseURL, so that upon discovery the ACME server returns the real hostname to bind the client to it.

We can add support now even prior to the upstream builds being available and the option will be ignored in the config file. Once the updated build is available then it should just work(tm).
Comment 1 Rob Crittenden 2021-02-15 19:34:18 UTC 
master:

    d2d487b Set the ACME baseURL in order to pin a client to a single IPA server
    b1e72cb Add versions to the ACME config templates and update on upgrade
    3d2d067 Add some logging around initial ACME deployment

ipa-4-9:

    a16dc59 Set the ACME baseURL in order to pin a client to a single IPA server
    31061c6 Add versions to the ACME config templates and update on upgrade
    6526ab4 Add some logging around initial ACME deployment

This will require manual verification. Ensure that baseURL is set in /etc/pki/pki-tomcat/acme/engine.conf:

baseURL=https://ipa.example.test/acme
Comment 2 anuja 2021-02-17 14:13:06 UTC 
Pre-verified using:
compose: rhel-8.4.0-mbs/9973-1386-idm/

[root@master ~]# rpm -qa ipa-server
ipa-server-4.9.2-1.module+el8.4.0+9973+3d202164.x86_64
[root@master ~]# grep "acme" /etc/pki/pki-tomcat/acme/engine.conf
baseURL=https://master.ipa.test/acme
[root@master ~]#
Comment 6 anuja 2021-02-19 10:55:16 UTC 
Verified using nightly compose:
ipa-server-4.9.2-1.module+el8.4.0+9973+3d202164.x86_64

[root@master ~]# grep "acme" /etc/pki/pki-tomcat/acme/engine.conf
baseURL=https://master.ipa.test/acme
[root@master ~]#
Comment 8 errata-xmlrpc 2021-05-18 15:48:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846