RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1301687 - issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
Summary: issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On: 1301546
Blocks: 1287930 1309382
TreeView+ depends on / blocked
 
Reported: 2016-01-25 17:11 UTC by Petr Vobornik
Modified: 2020-08-13 08:22 UTC (History)
9 users (show)

Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Bug Fix
Doc Text:
Cause: IPA replica install code made wrong assumptions about the install environment. Consequence: The ipa-replica-install and ipa-ca-install commands would fail when installing a replica of a RHEL 6 master with selfsign CA. Fix: Fix IPA replica install code not to assume a recent IPA master with Dogtag CA. Result: The ipa-replica-install and ipa-ca-install work correctly when installing a replica of a RHEL 6 master with selfsign CA.
Clone Of:
: 1309382 (view as bug list)
Environment:
Last Closed: 2016-11-04 05:50:31 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
console output with verification steps (22.38 KB, text/plain)
2016-08-19 10:11 UTC, Kaleem
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-01-25 17:11:53 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5611

When installing new CA master, `ipa-ca-install` fails with:
{{{
  [23/26]: restarting certificate server
  [24/26]: migrating certificate profiles to LDAP
  [error] IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/conf/CS.cfg'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
}}}
This happens because the `dogtag_version` option is not set to `10` on API initialization, so Dogtag 9 paths are used.

Comment 1 Petr Vobornik 2016-01-25 17:16:39 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5598

Comment 2 Petr Vobornik 2016-01-25 17:16:45 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5602

Comment 3 Petr Vobornik 2016-01-25 17:28:21 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5595

Comment 4 Petr Vobornik 2016-01-25 17:30:23 UTC
there are issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

First it does not work
* installation of replica fails because of incorrect API initialization #5611
* ipa-ca-install fails on replica if the master was updated from CA-less to CA-full #5602

Then environment is in bad state which causes:
* CA server doesn't work - dogtag is unabled to contact LDAP server #5595
* another replica can't be installed #5598

Comment 5 Petr Vobornik 2016-01-25 17:32:13 UTC
#5602 is a PKI bug 1035486

Comment 6 Petr Vobornik 2016-01-25 17:35:47 UTC
sorry, bug 1301546

Comment 7 Petr Vobornik 2016-01-28 13:16:26 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5636

Comment 8 Martin Bašti 2016-01-28 15:37:04 UTC
Fixed upstream
master:
* 72e72615df8b178ebbcb2e4944ba289ef263c951 fix standalone installation of externally signed CA on IPA master
ipa-4-3:
* 87cd18892fcbc520c8d45c5f7624a909c9347779 fix standalone installation of externally signed CA on IPA master
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/24384624b3ad2eb0e5ffe6483c34156c7d335888

Comment 9 Martin Bašti 2016-01-28 15:38:09 UTC
Back to ASSIGNED, there are sill missing features

Comment 13 Petr Vobornik 2016-02-17 16:09:02 UTC
All FreeIPA tickets are fixed except for #5602 which is a tracker ticket for bug 1301546 which is a PKI bug. Therefore moving to POST.

Bug 1301546 will be fixed in different timeframe.

Honza, could you add a note how waiting for bug 1301546 affects IPA and what are the possible workarounds.

Comment 15 Jan Cholasta 2016-02-23 14:27:01 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4492

Comment 17 Jan Cholasta 2016-03-17 13:08:41 UTC
Ticket 5506 needs to be included as well, see https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c14. Moving back to POST.

Comment 18 Jan Cholasta 2016-03-17 13:09:40 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5506

Comment 19 Jan Cholasta 2016-03-17 13:10:44 UTC
Ticket 5506 fixed upstream:
master:
https://fedorahosted.org/freeipa/changeset/a497288b3eafe00ab9c819dd4a51d0b421824b36/

Comment 21 Kaleem 2016-08-19 10:09:19 UTC
IPA version:
============
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-8.el7.x86_64
pki-ca-10.3.3-6.el7.noarch
[root@dhcp207-129 ~]# 

Following five scenarios executed for verification of this bug which were picked from https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c8

(1) ipa-ca-install on replica 

   This fails and following bugs are already reported for this

   https://bugzilla.redhat.com/show_bug.cgi?id=1358752
   https://bugzilla.redhat.com/show_bug.cgi?id=1365858
   
(2) ipa-replica-install should be successful from master which is converted to CA-full from CA-less

   This is successful

(3) ipa-ca-install should be successfull on a CA-less master and (4) ipa-cert-update should not remove ca-less certs when CA-less to CA-full is converted 

   This is successful. 

(5) ipa-ca-install with external-ca on ca-less master 
   
   This is failing and following two bugs reported for this

   https://bugzilla.redhat.com/show_bug.cgi?id=1318616
   https://bugzilla.redhat.com/show_bug.cgi?id=1368388

Following additional scenario covers tkt 5506

(6) third replica install fails 

    This is successful too.

Please fine the attached console output for successful scenarios

Comment 22 Kaleem 2016-08-19 10:11:07 UTC
Created attachment 1192097 [details]
console output with verification steps

Comment 29 errata-xmlrpc 2016-11-04 05:50:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html


Note You need to log in before you can comment on or make changes to this bug.