Bug 1301687 - issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
Summary: issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Keywords: ZStream
Depends On: 1301546
Blocks: 1287930 1309382
Reported: 2016-01-25 17:11 UTC by Petr Vobornik
Modified: 2016-11-04 05:50 UTC (History)

Cause: 
IPA replica install code made wrong assumptions about the install environment.

Consequence: 
The ipa-replica-install and ipa-ca-install commands would fail when installing a replica of a RHEL 6 master with selfsign CA.

Fix: 
Fix IPA replica install code not to assume a recent IPA master with Dogtag CA.

Result: 
The ipa-replica-install and ipa-ca-install work correctly when installing a replica of a RHEL 6 master with selfsign CA.
Clone Of:
Clones: 1309382 (view as bug list)
Last Closed: 2016-11-04 05:50:31 UTC


Attachments (Terms of Use)
console output with verification steps (22.38 KB, text/plain)
2016-08-19 10:11 UTC, Kaleem
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-01-25 17:11:53 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5611

When installing a new CA master, `ipa-ca-install` fails with:
{{{
  [23/26]: restarting certificate server
  [24/26]: migrating certificate profiles to LDAP
  [error] IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/conf/CS.cfg'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
}}}
This happens because the `dogtag_version` option is not set to `10` on API initialization, so Dogtag 9 paths are used.
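As an added illustration (not FreeIPA's own code), the following shows how the CS.cfg location follows the configured `dogtag_version`, and a preflight check that reports a version mismatch before the profile migration step instead of failing mid-install with an IOError. The Dogtag 9 path is the one from the traceback above; the Dogtag 10 path under pki-tomcat is an assumption, and the `exists` parameter is a test hook for probing a fake filesystem.

```python
import os

# Dogtag 9 path is taken from the failing traceback; the Dogtag 10
# (pki-tomcat) path is an assumption made for this example.
CS_CFG_PATHS = {
    9: "/var/lib/pki-ca/conf/CS.cfg",
    10: "/etc/pki/pki-tomcat/ca/CS.cfg",
}


def cs_cfg_path(dogtag_version):
    """Return the CS.cfg path for the configured dogtag_version.

    An unset version (None) reproduces the bug: the legacy Dogtag 9
    layout is assumed even on a Dogtag 10 host.
    """
    version = 9 if dogtag_version is None else int(dogtag_version)
    return CS_CFG_PATHS[version]


def detect_installed_version(exists=os.path.exists):
    """Probe the filesystem instead of trusting the API environment.

    Returns 10, 9, or None when no CS.cfg is present at all.
    """
    for version in (10, 9):
        if exists(CS_CFG_PATHS[version]):
            return version
    return None


def preflight(dogtag_version, exists=os.path.exists):
    """Fail early, with a clear message, if the configured version does
    not match the CA actually installed on this host."""
    installed = detect_installed_version(exists)
    if installed is None:
        raise RuntimeError("no Dogtag CS.cfg found; is a CA installed?")
    configured = 9 if dogtag_version is None else int(dogtag_version)
    if configured != installed:
        raise RuntimeError(
            "dogtag_version=%s but Dogtag %d is installed at %s; "
            "fix API initialization before migrating profiles"
            % (dogtag_version, installed, CS_CFG_PATHS[installed]))
    return CS_CFG_PATHS[installed]
```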

Comment 1 Petr Vobornik 2016-01-25 17:16:39 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5598

Comment 2 Petr Vobornik 2016-01-25 17:16:45 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5602

Comment 3 Petr Vobornik 2016-01-25 17:28:21 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5595

Comment 4 Petr Vobornik 2016-01-25 17:30:23 UTC
There are issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

First it does not work
* installation of replica fails because of incorrect API initialization #5611
* ipa-ca-install fails on replica if the master was updated from CA-less to CA-full #5602

Then environment is in bad state which causes:
* CA server doesn't work - dogtag is unable to contact LDAP server #5595
* another replica can't be installed #5598

Comment 5 Petr Vobornik 2016-01-25 17:32:13 UTC
#5602 is a PKI bug 1035486

Comment 6 Petr Vobornik 2016-01-25 17:35:47 UTC
sorry, bug 1301546

Comment 7 Petr Vobornik 2016-01-28 13:16:26 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5636

Comment 8 Martin Bašti 2016-01-28 15:37:04 UTC
Fixed upstream
master:
* 72e72615df8b178ebbcb2e4944ba289ef263c951 fix standalone installation of externally signed CA on IPA master
ipa-4-3:
* 87cd18892fcbc520c8d45c5f7624a909c9347779 fix standalone installation of externally signed CA on IPA master
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/24384624b3ad2eb0e5ffe6483c34156c7d335888

Comment 9 Martin Bašti 2016-01-28 15:38:09 UTC
Back to ASSIGNED, there are still missing features

Comment 13 Petr Vobornik 2016-02-17 16:09:02 UTC
All FreeIPA tickets are fixed except for #5602 which is a tracker ticket for bug 1301546 which is a PKI bug. Therefore moving to POST.

Bug 1301546 will be fixed in different timeframe.

Honza, could you add a note on how waiting for bug 1301546 affects IPA and what the possible workarounds are.

Comment 15 Jan Cholasta 2016-02-23 14:27:01 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4492

Comment 17 Jan Cholasta 2016-03-17 13:08:41 UTC
Ticket 5506 needs to be included as well, see https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c14. Moving back to POST.

Comment 18 Jan Cholasta 2016-03-17 13:09:40 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5506

Comment 19 Jan Cholasta 2016-03-17 13:10:44 UTC
Ticket 5506 fixed upstream:
master:
https://fedorahosted.org/freeipa/changeset/a497288b3eafe00ab9c819dd4a51d0b421824b36/

Comment 21 Kaleem 2016-08-19 10:09:19 UTC
IPA version:
============
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-8.el7.x86_64
pki-ca-10.3.3-6.el7.noarch
[root@dhcp207-129 ~]# 

The following five scenarios, picked from https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c8, were executed for verification of this bug

(1) ipa-ca-install on replica 

   This fails and following bugs are already reported for this

   https://bugzilla.redhat.com/show_bug.cgi?id=1358752
   https://bugzilla.redhat.com/show_bug.cgi?id=1365858
   
(2) ipa-replica-install should be successful from master which is converted to CA-full from CA-less

   This is successful

(3) ipa-ca-install should be successful on a CA-less master and (4) ipa-cert-update should not remove ca-less certs when CA-less to CA-full is converted

   This is successful. 

(5) ipa-ca-install with external-ca on ca-less master 
   
   This is failing and the following two bugs are reported for this

   https://bugzilla.redhat.com/show_bug.cgi?id=1318616
   https://bugzilla.redhat.com/show_bug.cgi?id=1368388

Following additional scenario covers tkt 5506

(6) third replica install fails 

    This is successful too.

Please find the attached console output for successful scenarios

Comment 22 Kaleem 2016-08-19 10:11 UTC
Created attachment 1192097 [details]
console output with verification steps

Comment 29 errata-xmlrpc 2016-11-04 05:50:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

