Bug 2049174

Summary: KRA GetStatus service blocked by IPA proxy
Product: Red Hat Enterprise Linux 9
Component: ipa
Version: 9.0
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Keywords: Triaged
Target Milestone: rc
Reporter: Florence Blanc-Renaud <frenaud>
Assignee: Florence Blanc-Renaud <frenaud>
QA Contact: ipa-qe <ipa-qe>
CC: amore, ipa-qe, rcritten, ssidhaye, tscherf
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.9.8-2.el9
Clone Of: 2049167
Last Closed: 2022-05-17 12:44:20 UTC
Bug Depends On: 2049167
Bug Blocks: 2049311, 2184491

Description Florence Blanc-Renaud 2022-02-01 17:08:54 UTC
+++ This bug was initially created as a clone of Bug #2049167 +++

Cloned from upstream: https://pagure.io/freeipa/issue/9099

Currently IPA proxy does not provide access to KRA `GetStatus` service:
https://github.com/freeipa/freeipa/blob/master/install/share/ipa-pki-proxy.conf.template

Please provide access to `/kra/admin/kra/getStatus`. This is needed by `pki-healthcheck` tool in order to work properly in IPA environment.

--- Additional comment from Florence Blanc-Renaud on 2022-02-01 17:06:16 UTC ---

Upstream ticket:
https://pagure.io/freeipa/issue/9099

--- Additional comment from Florence Blanc-Renaud on 2022-02-01 17:07:52 UTC ---

Fixed upstream:
master:
    f3636c6 ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
    https://pagure.io/freeipa/c/f3636c6afa75d9822a2fd1a535415b09f3fe1867

ipa-4-9:
    9bae549 ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
    https://pagure.io/freeipa/c/9bae5492270d8b695999cd82831cbee62b04626b

Comment 1 Florence Blanc-Renaud 2022-02-02 09:43:31 UTC
Note for QE:
There is already an integration test that can be used to verify the fix, in (upstream) test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica

Currently the test is failing when running ipa-healthcheck with the following error:
Internal error testing KRA clone. KRA clone problem detected  Host: replica1.ipa.test Port: 443
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "abd43647-a4d7-4da0-b970-d23538bbb5dd",
    "when": "20201115044756Z",
    "duration": "5.190928",
    "kw": {
      "status": "ERROR:  pki-tomcat : Internal error testing KRA clone. Host: replica1.ipa.test Port: 443"
    }
  }
]

With this fix + *a fix in pki*, the test should pass.

The other way to verify this test is to use curl (it doesn't require the pki part of the fix).
Install ipa-server with --setup-kra
Without the fix:

# curl  https://`hostname`/kra/admin/kra/getStatus
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

With the fix:

# curl https://`hostname`/kra/admin/kra/getStatus
<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>KRA</Type><Status>running</Status><Version>10.10.7-1.fc34</Version></XMLResponse>
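
An added example, not part of the bug report and not FreeIPA or pki code: the curl check from Comment 1 written as a Python function that classifies a response from /kra/admin/kra/getStatus. The function names, verdict strings and sample constants are constructed here; the live fetch assumes the IPA CA is in the system trust store.

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

PATH = "/kra/admin/kra/getStatus"  # path named in the bug description

# Constructed samples based on the two curl outputs in Comment 1
# (the 404 page is shortened).
SAMPLE_BLOCKED = (404, b"<html><head><title>404 Not Found</title></head></html>")
SAMPLE_FIXED = (200, b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
                b"<XMLResponse><State>1</State><Type>KRA</Type>"
                b"<Status>running</Status><Version>10.10.7-1.fc34</Version>"
                b"</XMLResponse>")


def classify(http_status, body):
    """Return (verdict, fields) for one getStatus response (hypothetical helper)."""
    if http_status == 404:
        # Pre-fix behaviour on a KRA server: Apache has no proxy rule for PATH.
        return "proxy-blocked", {}
    if http_status != 200:
        return "unexpected-http-status", {"http_status": str(http_status)}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "not-xml", {}
    if root.tag != "XMLResponse":
        return "unexpected-xml", {"root": root.tag}
    fields = {child.tag: (child.text or "") for child in root}
    if fields.get("Type") == "KRA" and fields.get("Status") == "running":
        return "kra-running", fields
    return "kra-not-running", fields


def fetch(host, timeout=10):
    """GET PATH through the Apache proxy; TLS is verified against the system CAs."""
    try:
        with urllib.request.urlopen(f"https://{host}{PATH}", timeout=timeout) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return err.code, err.read()


if __name__ == "__main__":
    verdict, fields = classify(*fetch(sys.argv[1]))
    print(verdict, fields)
    sys.exit(0 if verdict == "kra-running" else 1)
```

Run with the server's hostname as the only argument; the exit status is 0 only for the "kra-running" verdict.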

Comment 7 errata-xmlrpc 2022-05-17 12:44:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: ipa), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2387