Bug 431493

Summary: error in ipa-replica-prepare script
Product: [Retired] freeIPA
Reporter: David O'Brien <daobrien>
Component: ipa-server
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: low
Docs Contact:
Priority: low
Version: 1.0
CC: benl
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-27 07:13:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 246164, 429034, 430034

Attachments:
  make replication preparation and installation work again (flags: none)
  keep the CA PKCS#12 creation with this patch (flags: none)

Description David O'Brien 2008-02-04 23:02:56 UTC
Description of problem:

> When I run this it tells me that /etc/dirsrv/slapd-AUSTRALIA.COM/ doesn't
exist. The directory is actually /etc/dirsrv/slapd-AUSTRALIA-COM/
>

edit /usr/lib/python2.5/site-packages/ipaserver/dsinstance.py and make
config_dirname() look like:

def config_dirname(serverid):
    # build the instance directory from the serverid form of the realm
    # (dots become hyphens), e.g. AUSTRALIA.COM -> /etc/dirsrv/slapd-AUSTRALIA-COM/
    return "/etc/dirsrv/slapd-" + realm_to_serverid(serverid) + "/"

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. On a functioning ipa server, run the ipa-replica-prepare script.

Actual results:

Expected results:

Additional info:

Comment 1 David O'Brien 2008-02-04 23:20:37 UTC
I made the recommended changes to the script and it appears to work now. It
would be nice, however, if the script:

1. Told you what it was going to do
2. Provided feedback and info on what to do next (similar to what
ipa-server-install does)

Is there no "ipaconfig" directory where we could write the replica info file,
instead of just into the dir where the command was run (in this particular case
/root)?

Comment 2 Rob Crittenden 2008-02-05 15:58:25 UTC
Created attachment 294008 [details]
make replication preparation and installation work again

This bug opened a real can of worms. It turns out that the way the SSL
certificates are created is that the CA, private key and all, is shipped off to
each replica so that the certificates can be generated. Beyond not wanting to
share the CA all over the place, the certificates that will be generated will
all have duplicate serial numbers. That led to the following changes:

Use file to store the current CA serial number
No longer create a PKCS#12 file that contains the CA
No longer send the entire CA to each replica, generate the SSL certs on master
Fix a number of bugs in ipa-replica-install and prepare
Produce status output during replica creation
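
As an added illustration (not code from this bug report or from freeIPA) of the serial-number problem described above: when every replica generates certificates from its own copy of the CA, each one starts counting from the same value and the serials collide; drawing every serial from one counter file kept on the master avoids that. The file name `serialno`, the starting serial 1001, and the class and function names are assumptions made for this example.

```python
"""Added illustration, not freeIPA's code: serial numbers issued from a CA copy on
each replica versus serials drawn from one counter file kept on the master."""
import os
import tempfile

try:
    import fcntl  # POSIX advisory locking; not available on Windows
except ImportError:  # pragma: no cover
    fcntl = None


def replica_local_serials(first_serial, count):
    """Simulate a replica that received its own copy of the CA and issues
    certificates from the same starting serial as every other replica."""
    return [first_serial + i for i in range(count)]


def duplicate_serials(*serial_lists):
    """Return the set of serial numbers that occur more than once overall."""
    seen, dups = set(), set()
    for serials in serial_lists:
        for serial in serials:
            (dups if serial in seen else seen).add(serial)
    return dups


class SerialFile:
    """Counter file holding the last serial the CA issued (file name is assumed).
    Holding an exclusive lock while reading and rewriting it keeps two concurrent
    ipa-replica-prepare runs on the master from handing out the same serial."""

    def __init__(self, path, first_serial=1001):
        self.path = path
        if not os.path.exists(path):
            with open(path, "w") as f:
                f.write(str(first_serial - 1))

    def next_serial(self):
        with open(self.path, "r+") as f:
            if fcntl:
                fcntl.flock(f, fcntl.LOCK_EX)
            serial = int(f.read().strip() or "0") + 1
            f.seek(0)
            f.truncate()
            f.write(str(serial))
            f.flush()
            os.fsync(f.fileno())  # the serial must survive a crash, or it gets reused
            if fcntl:
                fcntl.flock(f, fcntl.LOCK_UN)
        return serial


def demo(tmpdir=None):
    """Before: two replicas with their own CA copies. After: master-only issuance."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    before = duplicate_serials(replica_local_serials(1001, 3),
                               replica_local_serials(1001, 3))
    path = os.path.join(tmpdir, "serialno")
    ca = SerialFile(path)
    issued = [ca.next_serial() for _ in range(5)]
    return before, issued, path


if __name__ == "__main__":
    before, issued, _ = demo()
    print("duplicates with per-replica CA copies:", sorted(before))
    print("serials from the master's counter file:", issued)
```

Duplicate serials matter because a CA's revocation list identifies certificates by serial, so two certificates sharing one serial cannot be revoked independently. The fsync before releasing the lock is the part worth keeping: a counter that is lost on a crash is reissued, which reintroduces exactly the duplication the master-side counter was meant to remove.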

Comment 3 Rob Crittenden 2008-02-05 17:26:41 UTC
Created attachment 294022 [details]
keep the CA PKCS#12 creation with this patch

Same patch as before, just keeping the CA PKCS#12 file creation, with a
message added at the end of install to remind the user to back this file up.

Comment 4 Rob Crittenden 2008-02-05 18:53:55 UTC
Committed in changeset 621

Comment 5 Yi Zhang 2008-04-09 00:07:46 UTC
qa verified, bug closed
build used: 4-8-2008 daily build

The following commands were run to verify the certs:

on ipa master:
ipaserver-wrong[04/08/08 17:01] certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ -n
"Server-Cert" | grep "Serial"
        Serial Number: 1001 (0x3e9)
ipaserver-wrong[04/08/08 17:02] certutil -L -d /etc/httpd/alias/ -n
"Server-Cert" | grep "Serial"
        Serial Number: 1002 (0x3ea)
ipaserver-wrong[04/08/08 17:02] certutil -L -d /etc/httpd/alias/ -n
"Signing-Cert" | grep Serial

on replica server:
[root@replica64-1 alias]# certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ -n
"Server-Cert" | grep "Serial"
        Serial Number: 1004 (0x3ec)
[root@replica64-1 alias]# certutil -L -d /etc/httpd/alias/ -n "Server-Cert" |
grep "Serial"
        Serial Number: 1005 (0x3ed)
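
An added example (not part of this bug report or of freeIPA) that turns the manual check above into a script: it parses `certutil -L ... | grep Serial` transcripts from the master and a replica, cross-checks the decimal and hex forms of each serial, reports any serial that was issued to more than one certificate, and flags calls that printed no serial at all (as the Signing-Cert call above did). The host labels, regular expressions and sample transcripts are constructed for this example; the serial values mirror the ones shown above.

```python
"""Added example, not from the bug report or freeIPA: check certutil transcripts
for duplicate serial numbers across master and replica."""
import re
from collections import defaultdict

# Matches the command line: capture the NSS database and the certificate nickname.
CMD_RE = re.compile(r'certutil -L -d (\S+) -n "([^"]+)"')
# Matches certutil's serial line, e.g. "Serial Number: 1001 (0x3e9)".
SERIAL_RE = re.compile(r'Serial Number:\s*(\d+)\s*\(0x([0-9a-fA-F]+)\)')

# Constructed transcripts (prompts shortened); serials copied from the verification above.
MASTER = """\
ipaserver[04/08/08 17:01] certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ -n "Server-Cert" | grep "Serial"
        Serial Number: 1001 (0x3e9)
ipaserver[04/08/08 17:02] certutil -L -d /etc/httpd/alias/ -n "Server-Cert" | grep "Serial"
        Serial Number: 1002 (0x3ea)
ipaserver[04/08/08 17:02] certutil -L -d /etc/httpd/alias/ -n "Signing-Cert" | grep Serial
"""
REPLICA = """\
[root@replica64-1 alias]# certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ -n "Server-Cert" | grep "Serial"
        Serial Number: 1004 (0x3ec)
[root@replica64-1 alias]# certutil -L -d /etc/httpd/alias/ -n "Server-Cert" | grep "Serial"
        Serial Number: 1005 (0x3ed)
"""


def parse_transcript(host, text):
    """Return {(host, db, nickname): serial or None} for every certutil call in text."""
    records = {}
    current = None
    for line in text.splitlines():
        m = CMD_RE.search(line)
        if m:
            current = (host, m.group(1), m.group(2))
            records[current] = None  # filled in when the serial line follows
            continue
        m = SERIAL_RE.search(line)
        if m and current is not None:
            dec, hx = int(m.group(1)), int(m.group(2), 16)
            if dec != hx:
                raise ValueError("decimal/hex serial mismatch: " + line.strip())
            records[current] = dec
            current = None
    return records


def find_problems(records):
    """Return (duplicates, missing): serials held by more than one certificate,
    and calls whose output contained no serial line."""
    by_serial = defaultdict(list)
    missing = []
    for ident, serial in records.items():
        if serial is None:
            missing.append(ident)
        else:
            by_serial[serial].append(ident)
    duplicates = {s: ids for s, ids in by_serial.items() if len(ids) > 1}
    return duplicates, missing


def verify(transcripts):
    """transcripts: {host_label: transcript_text}. Merges all hosts before checking."""
    records = {}
    for host, text in transcripts.items():
        records.update(parse_transcript(host, text))
    return find_problems(records)


if __name__ == "__main__":
    dups, missing = verify({"master": MASTER, "replica": REPLICA})
    print("duplicate serials:", dups or "none")
    print("no serial printed for:", missing or "none")
```

Merging the records from every host before checking is the point of the script: each host's serials look fine on their own, and the defect this bug describes only shows up when the master's and the replicas' certificates are compared together.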