| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Replica throws error when adding a host cert. | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Namita Soman <nsoman> |
| Component: | ipa | Assignee: | Deon Ballard <dlackey> |
| Status: | CLOSED WORKSFORME | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.1 | CC: | dpal, jgalipea, mkosek, rcritten, shaines, syeghiay |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | (see below) | Story Points: | --- |
| Clone Of: | | | |
| | 750592 (view as bug list) | Environment: | |
| Last Closed: | 2011-12-09 15:47:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 750592 | | |

Doc Text:

The IPA replication topology may be different from the CA replication topology. This means that you can have replication of IPA data and not of CA data.
The impact of this is that the CAs may not have the same view of issued certificates.
When a host or service is deleted, any certificates that have been issued are revoked. If the CA cannot revoke a certificate (because it is unknown, for example) a fatal error will be raised.
The sequence for this might look something like:
1. Install IPA server on host A
2. Install replica on host B with a CA configured
3. Use ipa-csreplica-manage to break the replication agreement between A and B
4. Add a host to A
5. Issue a certificate for the host on host A
The host will exist on both A and B and both will show a valid certificate. Only the CA on A has a copy of the certificate.
Deleting the host on B will fail because the CA on B doesn't have a copy of the certificate.
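The Doc Text above describes two replication graphs that can diverge: IPA (LDAP) data replicates between the servers while the CA databases do not, so a host entry can reference a certificate serial that only one CA ever issued, and a delete on the other server fails at the revocation step. The following toy model is an added illustration, not IPA or Dogtag code; server names, host names, serials and the `orphaned_certs` check are all constructed for the example. It replays steps 1-5 from the sequence above and shows both the failing delete on B and the consistency check an administrator would want to run before deleting hosts on a server whose CA may be behind.

```python
"""Toy model of the IPA/CA topology mismatch (added example, not IPA code)."""
from dataclasses import dataclass, field


class CertUnknownError(Exception):
    """Raised when a CA is asked to revoke a serial it never issued."""


@dataclass
class CertificateAuthority:
    name: str
    issued: dict = field(default_factory=dict)   # serial -> subject
    revoked: set = field(default_factory=set)
    next_serial: int = 1

    def issue(self, subject):
        serial = self.next_serial
        self.next_serial += 1
        self.issued[serial] = subject
        return serial

    def revoke(self, serial):
        # Mirrors the fatal error from the Doc Text: an unknown serial cannot be revoked.
        if serial not in self.issued:
            raise CertUnknownError(f"{self.name}: serial {serial} not found")
        self.revoked.add(serial)

    def knows(self, serial):
        return serial in self.issued


@dataclass
class IpaServer:
    name: str
    ca: CertificateAuthority
    hosts: dict = field(default_factory=dict)   # fqdn -> serial or None
    peers: list = field(default_factory=list)   # servers receiving IPA (LDAP) replication

    def _replicate(self):
        # IPA data replicates; the CA objects are deliberately NOT synchronised.
        for peer in self.peers:
            peer.hosts = dict(self.hosts)

    def host_add(self, fqdn):
        self.hosts[fqdn] = None
        self._replicate()

    def cert_request(self, fqdn):
        serial = self.ca.issue(fqdn)       # only this server's CA records it
        self.hosts[fqdn] = serial
        self._replicate()                  # ...but the serial reaches every peer's host entry
        return serial

    def host_del(self, fqdn):
        serial = self.hosts[fqdn]
        if serial is not None:
            self.ca.revoke(serial)         # fatal if this CA never saw the certificate
        del self.hosts[fqdn]
        self._replicate()

    def orphaned_certs(self):
        """Hosts whose recorded certificate this server's CA cannot revoke (constructed check)."""
        return sorted(h for h, s in self.hosts.items()
                      if s is not None and not self.ca.knows(s))


def build_topology():
    ca_a, ca_b = CertificateAuthority("CA-A"), CertificateAuthority("CA-B")
    a, b = IpaServer("A", ca_a), IpaServer("B", ca_b)
    a.peers.append(b)
    b.peers.append(a)                      # steps 1-2: IPA data replicates both ways
    # step 3: no CA replication agreement between CA-A and CA-B
    return a, b


def reproduce():
    """Replay steps 4-5 and the failing delete; returns observations for checking."""
    a, b = build_topology()
    host = "host1.example.test"           # constructed host name
    a.host_add(host)                       # step 4
    serial = a.cert_request(host)          # step 5: issued by CA-A only
    seen_on_b = b.hosts[host] == serial    # B shows the certificate via IPA replication
    orphans_on_b = b.orphaned_certs()      # the check flags it before any delete is tried
    try:
        b.host_del(host)                   # fails: CA-B has no copy of the certificate
        delete_on_b_failed = False
    except CertUnknownError:
        delete_on_b_failed = True
    a.host_del(host)                       # succeeds: CA-A issued the certificate
    return seen_on_b, orphans_on_b, delete_on_b_failed, host in a.hosts


if __name__ == "__main__":
    print(reproduce())
```

Running `reproduce()` returns `(True, ['host1.example.test'], True, False)`: B sees the certificate on the host entry, the pre-delete check lists that host as one whose serial B's CA does not know, the delete on B fails, and the same delete on A succeeds and replicates the removal back to B. In a real deployment the equivalent check is to take the serial recorded on the host entry and confirm that the CA behind the server you are about to delete from actually has that certificate in its database.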
Description
Namita Soman
2011-10-26 19:32:51 UTC
Can you provide more details how you are adding a new cert? Where did this cert come from?

I can help here .. add a new host, generate a csr for the host from the Web UI, edit the host ... New Certificate, paste request and submit ..

I don't understand. The original bug report is that a certificate for a replica host cannot be replaced. c#3 says that certificate issuance over the webUI doesn't work at all for any host. I am unable to duplicate this, I can issue certs. When a certificate is requested for a host that already has one the first thing we do is attempt to revoke the existing certificate. Is it possible that in replication testing you ended up with a host certificate that was issued by a replica that is disconnected?

Sorry - I wasn't clear. Here I have a master and replica, but I am not replacing cert for the replica host. I am actually performing the actions on the replica server, using the UI on the replica. From replica, add a new host, edit the host, and issue the cert, generated using certutil for this host. This throws an error, but adds the new cert. Can you issue cert for a new host from the replica, without getting the error?

Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
The IPA replication topology may be different from the CA replication topology. This means that you can have replication of IPA data and not of CA data.
The impact of this is that the CAs may not have the same view of issued certificates.
When a host or service is deleted, any certificates that have been issued are revoked. If the CA cannot revoke a certificate (because it is unknown, for example) a fatal error will be raised.
The sequence for this might look something like:
1. Install IPA server on host A
2. Install replica on host B with a CA configured
3. Use ipa-csreplica-manage to break the replication agreement between A and B
4. Add a host to A
5. Issue a certificate for the host on host A
The host will exist on both A and B and both will show a valid certificate. Only the CA on A has a copy of the certificate.
Deleting the host on B will fail because the CA on B doesn't have a copy of the certificate.
Is this the same description as in BZ#750596? Thanks, Martin

Looks like it to me.

Ok, I believe one description is enough for this issue :) Removing flags. Thanks, Martin

Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

*** This bug has been marked as a duplicate of bug 750596 ***

This bug is not a duplicate. The other bug is after a replication agreement is removed. This is with fully functional master and replica and trying to add a host certificate on the replica. Re-opening bug.

Can you reproduce it at will? Do you have CA installed on the replica or replica does not have a CA?

Retested to provide info to your question above - and do not see the issue anymore. With and without CA installed on replica - can issue cert to a host successfully.