1301687 – issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

Bug 1301687 - issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

Summary: issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:	1301546
Blocks:	1287930 1309382
TreeView+	depends on / blocked

Reported:	2016-01-25 17:11 UTC by Petr Vobornik
Modified:	2020-08-13 08:22 UTC (History)
CC List:	9 users (show)
Fixed In Version:	ipa-4.2.0-16.el7
Doc Type:	Bug Fix
Doc Text:	Cause: IPA replica install code made wrong assumptions about the install environment. Consequence: The ipa-replica-install and ipa-ca-install commands would fail when installing a replica of a RHEL 6 master with selfsign CA. Fix: Fix IPA replica install code not to assume a recent IPA master with Dogtag CA. Result: The ipa-replica-install and ipa-ca-install work correctly when installing a replica of a RHEL 6 master with selfsign CA.
Clone Of:
Clones:	1309382 (view as bug list)
Environment:
Last Closed:	2016-11-04 05:50:31 UTC
Target Upstream Version:

Attachments	(Terms of Use)
console output with verification steps (22.38 KB, text/plain) 2016-08-19 10:11 UTC, Kaleem	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2404	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-01-25 17:11:53 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5611

When installing new CA master, `ipa-ca-install` fails with:
{{{
  [23/26]: restarting certificate server
  [24/26]: migrating certificate profiles to LDAP
  [error] IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/conf/CS.cfg'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
}}}
This happens because the `dogtag_version` option is not set to `10` on API initialization, so Dogtag 9 paths are used.

Comment 1 Petr Vobornik 2016-01-25 17:16:39 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5598

Comment 2 Petr Vobornik 2016-01-25 17:16:45 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5602

Comment 3 Petr Vobornik 2016-01-25 17:28:21 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5595

Comment 4 Petr Vobornik 2016-01-25 17:30:23 UTC

there are issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

First it does not work
* installation of replica fails because of incorrect API initialization #5611
* ipa-ca-install fails on replica if the master was updated from CA-less to CA-full #5602

Then environment is in bad state which causes:
* CA server doesn't work - dogtag is unabled to contact LDAP server #5595
* another replica can't be installed #5598

Comment 5 Petr Vobornik 2016-01-25 17:32:13 UTC

#5602 is a PKI bug 1035486

Comment 6 Petr Vobornik 2016-01-25 17:35:47 UTC

sorry, bug 1301546

Comment 7 Petr Vobornik 2016-01-28 13:16:26 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5636

Comment 8 Martin Bašti 2016-01-28 15:37:04 UTC

Fixed upstream
master:
* 72e72615df8b178ebbcb2e4944ba289ef263c951 fix standalone installation of externally signed CA on IPA master
ipa-4-3:
* 87cd18892fcbc520c8d45c5f7624a909c9347779 fix standalone installation of externally signed CA on IPA master
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/24384624b3ad2eb0e5ffe6483c34156c7d335888

Comment 9 Martin Bašti 2016-01-28 15:38:09 UTC

Back to ASSIGNED, there are sill missing features

Comment 11 Martin Bašti 2016-02-01 13:44:34 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/465ce82a4d098c4c419913f30a1a028afc7ae445
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/15357aea39eb9e496439e4ef711b97616ef7ee9a
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/c2ade68df88e440cd969bede298f0c1feae59fcc

Comment 13 Petr Vobornik 2016-02-17 16:09:02 UTC

All FreeIPA tickets are fixed except for #5602 which is a tracker ticket for bug 1301546 which is a PKI bug. Therefore moving to POST.

Bug 1301546 will be fixed in different timeframe.

Honza, could you add a note how waiting for bug 1301546 affects IPA and what are the possible workarounds.

Comment 15 Jan Cholasta 2016-02-23 14:27:01 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4492

Comment 16 Jan Cholasta 2016-02-23 14:28:47 UTC

Ticket 4492 fixed upstream:
master:
https://fedorahosted.org/freeipa/changeset/26dee66d1bf05aac5af5f82862ce54585ccde7e4/
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/f5fa38399277ab16fa32832f53580651ad4a4026/

Comment 17 Jan Cholasta 2016-03-17 13:08:41 UTC

Ticket 5506 needs to be included as well, see https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c14. Moving back to POST.

Comment 18 Jan Cholasta 2016-03-17 13:09:40 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5506

Comment 19 Jan Cholasta 2016-03-17 13:10:44 UTC

Ticket 5506 fixed upstream:
master:
https://fedorahosted.org/freeipa/changeset/a497288b3eafe00ab9c819dd4a51d0b421824b36/

Comment 21 Kaleem 2016-08-19 10:09:19 UTC

IPA version:
============
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-8.el7.x86_64
pki-ca-10.3.3-6.el7.noarch
[root@dhcp207-129 ~]# 

Following five scenarios executed for verification of this bug which were picked from https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c8

(1) ipa-ca-install on replica 

   This fails and following bugs are already reported for this

   https://bugzilla.redhat.com/show_bug.cgi?id=1358752
   https://bugzilla.redhat.com/show_bug.cgi?id=1365858
   
(2) ipa-replica-install should be successful from master which is converted to CA-full from CA-less

   This is successful

(3) ipa-ca-install should be successfull on a CA-less master and (4) ipa-cert-update should not remove ca-less certs when CA-less to CA-full is converted 

   This is successful. 

(5) ipa-ca-install with external-ca on ca-less master 
   
   This is failing and following two bugs reported for this

   https://bugzilla.redhat.com/show_bug.cgi?id=1318616
   https://bugzilla.redhat.com/show_bug.cgi?id=1368388

Following additional scenario covers tkt 5506

(6) third replica install fails 

    This is successful too.

Please fine the attached console output for successful scenarios

Comment 22 Kaleem 2016-08-19 10:11:07 UTC

Created attachment 1192097 [details]
console output with verification steps

Comment 29 errata-xmlrpc 2016-11-04 05:50:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.