Bug 1301687 - issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
7.3
All Linux
Priority: urgent, Severity: urgent
: rc
: ---
Assigned To: IPA Maintainers
Namita Soman
: ZStream
Depends On: 1301546
Blocks: 1287930 1309382
Reported: 2016-01-25 12:11 EST by Petr Vobornik
Modified: 2016-11-04 01:50 EDT (History)

See Also:
Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Bug Fix
Doc Text:
Cause: IPA replica install code made wrong assumptions about the install environment.
Consequence: The ipa-replica-install and ipa-ca-install commands would fail when installing a replica of a RHEL 6 master with a selfsign CA.
Fix: Fix the IPA replica install code not to assume a recent IPA master with a Dogtag CA.
Result: ipa-replica-install and ipa-ca-install work correctly when installing a replica of a RHEL 6 master with a selfsign CA.
Story Points: ---
Clone Of:
: 1309382
Environment:
Last Closed: 2016-11-04 01:50:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
console output with verification steps (22.38 KB, text/plain)
2016-08-19 06:11 EDT, Kaleem
Description Petr Vobornik 2016-01-25 12:11:53 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5611

When installing a new CA master, `ipa-ca-install` fails with:
{{{
  [23/26]: restarting certificate server
  [24/26]: migrating certificate profiles to LDAP
  [error] IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/conf/CS.cfg'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
}}}
This happens because the `dogtag_version` option is not set to `10` on API initialization, so Dogtag 9 paths are used.
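Added here as an editor's example, not code from the bug report or from FreeIPA: a small parser for the installer's `[N/M]: step` / `[error] ...` output quoted above, which reports the step that failed and, when the error quotes a file path, which Dogtag instance layout that path belongs to. The Dogtag 9 prefix `/var/lib/pki-ca/` is taken from the error above; the Dogtag 10 prefix `/etc/pki/pki-tomcat/` is an assumption, not stated on the page.

```python
import re
from typing import Optional

# Constructed sample input: the ipa-ca-install output quoted in this bug report.
SAMPLE_OUTPUT = """\
  [23/26]: restarting certificate server
  [24/26]: migrating certificate profiles to LDAP
  [error] IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/conf/CS.cfg'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
"""

# Assumed instance layouts (the page only shows the Dogtag 9 path):
# Dogtag 9 kept its CA instance under /var/lib/pki-ca, Dogtag 10 uses
# the pki-tomcat instance under /etc/pki/pki-tomcat.
DOGTAG_LAYOUT_PREFIXES = {
    9: ("/var/lib/pki-ca/",),
    10: ("/etc/pki/pki-tomcat/",),
}

STEP_RE = re.compile(r"^\s*\[(\d+)/(\d+)\]:\s*(.+?)\s*$")
ERROR_RE = re.compile(r"^\s*\[error\]\s*(.+?)\s*$")
PATH_RE = re.compile(r"'(/[^']+)'")


def layout_for_path(path: str) -> Optional[int]:
    """Map an absolute path to the Dogtag major version whose layout it belongs to."""
    for version, prefixes in DOGTAG_LAYOUT_PREFIXES.items():
        if path.startswith(prefixes):
            return version
    return None


def analyse_install_log(text: str) -> dict:
    """Return the last installer step reached, the first [error] line and the
    Dogtag layout implied by a path quoted in that error (None if unknown)."""
    result = {"step_no": None, "step": None, "error": None, "layout": None}
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            result["step_no"], result["step"] = int(m.group(1)), m.group(3)
            continue
        m = ERROR_RE.match(line)
        if m and result["error"] is None:
            result["error"] = m.group(1)
            p = PATH_RE.search(m.group(1))
            result["layout"] = layout_for_path(p.group(1)) if p else None
    return result
```

Running `analyse_install_log(SAMPLE_OUTPUT)` on the quoted output reports step 24 ("migrating certificate profiles to LDAP") and layout 9, which is the mismatch the description attributes to `dogtag_version` not being set to `10`.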
Comment 1 Petr Vobornik 2016-01-25 12:16:39 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5598
Comment 2 Petr Vobornik 2016-01-25 12:16:45 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5602
Comment 3 Petr Vobornik 2016-01-25 12:28:21 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5595
Comment 4 Petr Vobornik 2016-01-25 12:30:23 EST
there are issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

First it does not work
* installation of replica fails because of incorrect API initialization #5611
* ipa-ca-install fails on replica if the master was updated from CA-less to CA-full #5602

Then environment is in bad state which causes:
* CA server doesn't work - dogtag is unable to contact LDAP server #5595
* another replica can't be installed #5598
Comment 5 Petr Vobornik 2016-01-25 12:32:13 EST
#5602 is a PKI bug 1035486
Comment 6 Petr Vobornik 2016-01-25 12:35:47 EST
sorry, bug 1301546
Comment 7 Petr Vobornik 2016-01-28 08:16:26 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5636
Comment 8 Martin Bašti 2016-01-28 10:37:04 EST
Fixed upstream
master:
* 72e72615df8b178ebbcb2e4944ba289ef263c951 fix standalone installation of externally signed CA on IPA master
ipa-4-3:
* 87cd18892fcbc520c8d45c5f7624a909c9347779 fix standalone installation of externally signed CA on IPA master
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/24384624b3ad2eb0e5ffe6483c34156c7d335888
Comment 9 Martin Bašti 2016-01-28 10:38:09 EST
Back to ASSIGNED, there are still missing features
Comment 13 Petr Vobornik 2016-02-17 11:09:02 EST
All FreeIPA tickets are fixed except for #5602 which is a tracker ticket for bug 1301546 which is a PKI bug. Therefore moving to POST.

Bug 1301546 will be fixed in different timeframe.

Honza, could you add a note how waiting for bug 1301546 affects IPA and what are the possible workarounds.
Comment 15 Jan Cholasta 2016-02-23 09:27:01 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4492
Comment 17 Jan Cholasta 2016-03-17 09:08:41 EDT
Ticket 5506 needs to be included as well, see https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c14. Moving back to POST.
Comment 18 Jan Cholasta 2016-03-17 09:09:40 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5506
Comment 19 Jan Cholasta 2016-03-17 09:10:44 EDT
Ticket 5506 fixed upstream:
master:
https://fedorahosted.org/freeipa/changeset/a497288b3eafe00ab9c819dd4a51d0b421824b36/
Comment 21 Kaleem 2016-08-19 06:09:19 EDT
IPA version:
============
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-8.el7.x86_64
pki-ca-10.3.3-6.el7.noarch
[root@dhcp207-129 ~]# 

The following five scenarios were executed for verification of this bug; they were picked from https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c8

(1) ipa-ca-install on replica 

   This fails, and the following bugs are already reported for it

   https://bugzilla.redhat.com/show_bug.cgi?id=1358752
   https://bugzilla.redhat.com/show_bug.cgi?id=1365858
   
(2) ipa-replica-install should be successful from master which is converted to CA-full from CA-less

   This is successful

(3) ipa-ca-install should be successful on a CA-less master and (4) ipa-cert-update should not remove CA-less certs when CA-less to CA-full is converted

   This is successful. 

(5) ipa-ca-install with external-ca on ca-less master 
   
   This is failing, and the following two bugs are reported for it

   https://bugzilla.redhat.com/show_bug.cgi?id=1318616
   https://bugzilla.redhat.com/show_bug.cgi?id=1368388

The following additional scenario covers ticket 5506

(6) third replica install fails 

    This is successful too.

Please find the attached console output for the successful scenarios
Comment 22 Kaleem 2016-08-19 06:11 EDT
Created attachment 1192097 [details]
console output with verification steps
Comment 29 errata-xmlrpc 2016-11-04 01:50:31 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
