Bug 975431

Summary: IPA PKI cannot publish CRL after upgrade
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipa Assignee: Tomas Babej <tbabej>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium
Version: 6.4 CC: abokovoy, mkosek, pasteur, spoore
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-3.0.0-31.el6 Doc Type: Bug Fix
Doc Text:
Cause: The directory where Identity Management PKI publishes CRL exports (/var/lib/ipa/pki-ca/publish/) got incorrect ownership and permissions after ipa-server package reinstallation or upgrade. Consequence: PKI was not able to update CRL in this directory until the ownership and permissions of the directory were manually amended. Fix: IdM installer and upgrade script were fixed to handle the ownership and permission of the directory correctly. Result: IdM PKI can publish CRL exports after ipa-server package reinstall or upgrade.
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 20:53:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2013-06-18 13:07:10 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3727

The directory where IPA PKI publishes CRL (`/var/lib/ipa/pki-ca/publish/`) gets wrong ownership after freeipa-server package reinstall which leads to PKI not being able to update CRL in this directory:

{{{
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root pkiuser 12288 May 17 04:49 .     <<< owned by pkiuser group
drwxr-xr-x. 3 root    root     4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser   414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser    57 May 17 01:00 MasterCRL.bin ->
/var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der

}}}

/var/lib/ipa/pki-ca/publish/ changes when freeipa-server package gets reinstalled or updated:

{{{
# yum reinstall freeipa-server
...
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root    root    12288 May 17 04:49 .     <<< owned by root
drwxr-xr-x. 3 root    root     4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser   414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser    57 May 17 01:00 MasterCRL.bin ->
/var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der
}}}

PKI then logs errors like these:
{{{
/var/log/pki-ca/system
...
1585.CRLIssuingPoint-MasterCRL - [13/Jun/2013:21:00:00 EDT] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20130613-210000.temp (Permission denied)
1585.CRLIssuingPoint-MasterCRL - [14/Jun/2013:01:00:00 EDT] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20130614-010000.temp (Permission denied)
}}}
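
A post-upgrade check for the condition this ticket describes, added here as an example (it is not code from the bug report or from FreeIPA): it parses an `ls -l` line for the publish directory and evaluates, with the kernel's owner/group/other rule, whether the CA account can create its `MasterCRL-*.temp` file there, using the listings quoted above as constructed input. The account name `pkiuser` (assumed to have a primary group of the same name) and the helper names are assumptions for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the `ls -l` lines for the publish directory as
# quoted in this bug (after `yum reinstall`, and the verified fixed state).
SAMPLE_LISTINGS = {
    "after_reinstall": "drwxr-xr-x. 2 root    root    12288 May 17 04:49 .",
    "fixed": "drwxrwxr-x. 2 root pkiuser 4096 Sep  5 14:11 /var/lib/ipa/pki-ca/publish",
}

# type, mode string, optional SELinux/ACL marker ('.' or '+'), link count, owner, group
LS_LINE = re.compile(r"^([dl-])([rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s")

@dataclass
class DirPerms:
    owner: str
    group: str
    owner_w: bool
    group_w: bool
    other_w: bool

def parse_ls_line(line: str) -> DirPerms:
    """Extract owner, group and the three write bits from one `ls -l` line."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    ftype, mode, owner, group = m.groups()
    if ftype != "d":
        raise ValueError("the CRL publish path must be a directory")
    # Write bits sit at offsets 1, 4 and 7 of the rwxrwxrwx string.
    return DirPerms(owner, group, mode[1] == "w", mode[4] == "w", mode[7] == "w")

def can_create_files(p: DirPerms, user: str, groups: set[str]) -> bool:
    """Classic mode-bit check in the kernel's order: owner, else group, else other.
    Only the first matching class counts. ACLs and SELinux (the '+'/'.' marker)
    can still deny and are not modelled here."""
    if user == p.owner:
        return p.owner_w
    if p.group in groups:
        return p.group_w
    return p.other_w

def check_crl_publish_dir(ls_line: str, user: str = "pkiuser") -> tuple[bool, str]:
    """Return (ok, reason): can the CA, running as `user` (assumed primary group
    of the same name), write its MasterCRL-*.temp file into this directory?"""
    p = parse_ls_line(ls_line)
    if can_create_files(p, user, {user}):
        return True, f"{p.owner}:{p.group} grants write to {user}"
    return False, f"{p.owner}:{p.group} denies write to {user}; expect root:{user} with g+w"
```

Run it against `ls -ld /var/lib/ipa/pki-ca/publish` output after every ipa-server update; a `Permission denied` in `/var/log/pki-ca/system` that this check predicts is the ownership regression, while a denial it does not predict points at ACLs or an SELinux AVC instead.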

Comment 1 Alexander Bokovoy 2013-07-01 09:06:32 UTC
Re-assign to Tomas Babej.

Comment 3 Martin Kosek 2013-07-16 10:35:45 UTC
Fixed upstream:

master:
7a105604e265222cf6f96b0ac060d4f1b2504b6c Change group ownership of CRL publish directory
ipa-3-2:
1a5daf0dcfeeec26a3869bf7d278b93f9716163d Change group ownership of CRL publish directory

Comment 5 Scott Poore 2013-09-05 19:44:42 UTC
Verified.

Version ::

ipa-server-3.0.0-34.el6.x86_64

Automated Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Checking ipa_upgrade_bz975431 -  IPA PKI cannot publish CRL after upgrade
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

drwxrwxr-x. 2 root pkiuser 4096 Sep  5 14:11 /var/lib/ipa/pki-ca/publish
:: [   PASS   ] :: Running 'ls -ld /var/lib/ipa/pki-ca/publish' (Expected 0, got 0)
:: [   PASS   ] :: BZ 975431 not found

Comment 7 errata-xmlrpc 2013-11-21 20:53:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html