Bug 1301687 - issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
Summary: issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Depends On: 1301546
Blocks: 1287930 1309382
TreeView+ depends on / blocked
Reported: 2016-01-25 17:11 UTC by Petr Vobornik
Modified: 2020-08-13 08:22 UTC (History)
9 users (show)

Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Bug Fix
Doc Text:
Cause: IPA replica install code made wrong assumptions about the install environment. Consequence: The ipa-replica-install and ipa-ca-install commands would fail when installing a replica of a RHEL 6 master with selfsign CA. Fix: Fix IPA replica install code not to assume a recent IPA master with Dogtag CA. Result: The ipa-replica-install and ipa-ca-install work correctly when installing a replica of a RHEL 6 master with selfsign CA.
Clone Of:
: 1309382 (view as bug list)
Last Closed: 2016-11-04 05:50:31 UTC
Target Upstream Version:

Attachments (Terms of Use)
console output with verification steps (22.38 KB, text/plain)
2016-08-19 10:11 UTC, Kaleem
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-01-25 17:11:53 UTC
This bug is created as a clone of upstream ticket:

When installing new CA master, `ipa-ca-install` fails with:
  [23/26]: restarting certificate server
  [24/26]: migrating certificate profiles to LDAP
  [error] IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/conf/CS.cfg'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
This happens because the `dogtag_version` option is not set to `10` on API initialization, so Dogtag 9 paths are used.

Comment 1 Petr Vobornik 2016-01-25 17:16:39 UTC
Upstream ticket:

Comment 2 Petr Vobornik 2016-01-25 17:16:45 UTC
Upstream ticket:

Comment 3 Petr Vobornik 2016-01-25 17:28:21 UTC
Upstream ticket:

Comment 4 Petr Vobornik 2016-01-25 17:30:23 UTC
there are issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

First it does not work
* installation of replica fails because of incorrect API initialization #5611
* ipa-ca-install fails on replica if the master was updated from CA-less to CA-full #5602

Then environment is in bad state which causes:
* CA server doesn't work - dogtag is unabled to contact LDAP server #5595
* another replica can't be installed #5598

Comment 5 Petr Vobornik 2016-01-25 17:32:13 UTC
#5602 is a PKI bug 1035486

Comment 6 Petr Vobornik 2016-01-25 17:35:47 UTC
sorry, bug 1301546

Comment 7 Petr Vobornik 2016-01-28 13:16:26 UTC
Upstream ticket:

Comment 8 Martin Bašti 2016-01-28 15:37:04 UTC
Fixed upstream
* 72e72615df8b178ebbcb2e4944ba289ef263c951 fix standalone installation of externally signed CA on IPA master
* 87cd18892fcbc520c8d45c5f7624a909c9347779 fix standalone installation of externally signed CA on IPA master

Comment 9 Martin Bašti 2016-01-28 15:38:09 UTC
Back to ASSIGNED, there are sill missing features

Comment 13 Petr Vobornik 2016-02-17 16:09:02 UTC
All FreeIPA tickets are fixed except for #5602 which is a tracker ticket for bug 1301546 which is a PKI bug. Therefore moving to POST.

Bug 1301546 will be fixed in different timeframe.

Honza, could you add a note how waiting for bug 1301546 affects IPA and what are the possible workarounds.

Comment 15 Jan Cholasta 2016-02-23 14:27:01 UTC
Upstream ticket:

Comment 17 Jan Cholasta 2016-03-17 13:08:41 UTC
Ticket 5506 needs to be included as well, see https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c14. Moving back to POST.

Comment 18 Jan Cholasta 2016-03-17 13:09:40 UTC
Upstream ticket:

Comment 19 Jan Cholasta 2016-03-17 13:10:44 UTC
Ticket 5506 fixed upstream:

Comment 21 Kaleem 2016-08-19 10:09:19 UTC
IPA version:
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
[root@dhcp207-129 ~]# 

Following five scenarios executed for verification of this bug which were picked from https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c8

(1) ipa-ca-install on replica 

   This fails and following bugs are already reported for this

(2) ipa-replica-install should be successful from master which is converted to CA-full from CA-less

   This is successful

(3) ipa-ca-install should be successfull on a CA-less master and (4) ipa-cert-update should not remove ca-less certs when CA-less to CA-full is converted 

   This is successful. 

(5) ipa-ca-install with external-ca on ca-less master 
   This is failing and following two bugs reported for this


Following additional scenario covers tkt 5506

(6) third replica install fails 

    This is successful too.

Please fine the attached console output for successful scenarios

Comment 22 Kaleem 2016-08-19 10:11:07 UTC
Created attachment 1192097 [details]
console output with verification steps

Comment 29 errata-xmlrpc 2016-11-04 05:50:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.