IPA replica install code made wrong assumptions about the install environment.
The ipa-replica-install and ipa-ca-install commands would fail when installing a replica of a RHEL 6 master with selfsign CA.
Fix IPA replica install code not to assume a recent IPA master with Dogtag CA.
The ipa-replica-install and ipa-ca-install work correctly when installing a replica of a RHEL 6 master with selfsign CA.
This bug is created as a clone of upstream ticket:
When installing new CA master, `ipa-ca-install` fails with:
[23/26]: restarting certificate server
[24/26]: migrating certificate profiles to LDAP
[error] IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/conf/CS.cfg'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
This happens because the `dogtag_version` option is not set to `10` on API initialization, so Dogtag 9 paths are used.
there are issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
First it does not work
* installation of replica fails because of incorrect API initialization #5611
* ipa-ca-install fails on replica if the master was updated from CA-less to CA-full #5602
Then environment is in bad state which causes:
* CA server doesn't work - dogtag is unabled to contact LDAP server #5595
* another replica can't be installed #5598
#5602 is a PKI bug 1035486
sorry, bug 1301546
* 72e72615df8b178ebbcb2e4944ba289ef263c951 fix standalone installation of externally signed CA on IPA master
* 87cd18892fcbc520c8d45c5f7624a909c9347779 fix standalone installation of externally signed CA on IPA master
Back to ASSIGNED, there are sill missing features
All FreeIPA tickets are fixed except for #5602 which is a tracker ticket for bug 1301546 which is a PKI bug. Therefore moving to POST.
Bug 1301546 will be fixed in different timeframe.
Honza, could you add a note how waiting for bug 1301546 affects IPA and what are the possible workarounds.
Ticket 4492 fixed upstream:
Ticket 5506 needs to be included as well, see https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c14. Moving back to POST.
Ticket 5506 fixed upstream:
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
Following five scenarios executed for verification of this bug which were picked from https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c8
(1) ipa-ca-install on replica
This fails and following bugs are already reported for this
(2) ipa-replica-install should be successful from master which is converted to CA-full from CA-less
This is successful
(3) ipa-ca-install should be successfull on a CA-less master and (4) ipa-cert-update should not remove ca-less certs when CA-less to CA-full is converted
This is successful.
(5) ipa-ca-install with external-ca on ca-less master
This is failing and following two bugs reported for this
Following additional scenario covers tkt 5506
(6) third replica install fails
This is successful too.
Please fine the attached console output for successful scenarios
Created attachment 1192097 [details]
console output with verification steps
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.