Bug 1301687 - issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: IPA Maintainers
Namita Soman
: ZStream
Depends On: 1301546
Blocks: 1287930 1309382
  Show dependency treegraph
Reported: 2016-01-25 12:11 EST by Petr Vobornik
Modified: 2016-11-04 01:50 EDT (History)
9 users (show)

See Also:
Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Bug Fix
Doc Text:
Cause: IPA replica install code made wrong assumptions about the install environment. Consequence: The ipa-replica-install and ipa-ca-install commands would fail when installing a replica of a RHEL 6 master with selfsign CA. Fix: Fix IPA replica install code not to assume a recent IPA master with Dogtag CA. Result: The ipa-replica-install and ipa-ca-install work correctly when installing a replica of a RHEL 6 master with selfsign CA.
Story Points: ---
Clone Of:
: 1309382 (view as bug list)
Last Closed: 2016-11-04 01:50:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
console output with verification steps (22.38 KB, text/plain)
2016-08-19 06:11 EDT, Kaleem
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 09:56:18 EDT

  None (edit)
Description Petr Vobornik 2016-01-25 12:11:53 EST
This bug is created as a clone of upstream ticket:

When installing new CA master, `ipa-ca-install` fails with:
  [23/26]: restarting certificate server
  [24/26]: migrating certificate profiles to LDAP
  [error] IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/conf/CS.cfg'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
This happens because the `dogtag_version` option is not set to `10` on API initialization, so Dogtag 9 paths are used.
Comment 1 Petr Vobornik 2016-01-25 12:16:39 EST
Upstream ticket:
Comment 2 Petr Vobornik 2016-01-25 12:16:45 EST
Upstream ticket:
Comment 3 Petr Vobornik 2016-01-25 12:28:21 EST
Upstream ticket:
Comment 4 Petr Vobornik 2016-01-25 12:30:23 EST
there are issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

First it does not work
* installation of replica fails because of incorrect API initialization #5611
* ipa-ca-install fails on replica if the master was updated from CA-less to CA-full #5602

Then environment is in bad state which causes:
* CA server doesn't work - dogtag is unabled to contact LDAP server #5595
* another replica can't be installed #5598
Comment 5 Petr Vobornik 2016-01-25 12:32:13 EST
#5602 is a PKI bug 1035486
Comment 6 Petr Vobornik 2016-01-25 12:35:47 EST
sorry, bug 1301546
Comment 7 Petr Vobornik 2016-01-28 08:16:26 EST
Upstream ticket:
Comment 8 Martin Bašti 2016-01-28 10:37:04 EST
Fixed upstream
* 72e72615df8b178ebbcb2e4944ba289ef263c951 fix standalone installation of externally signed CA on IPA master
* 87cd18892fcbc520c8d45c5f7624a909c9347779 fix standalone installation of externally signed CA on IPA master
Comment 9 Martin Bašti 2016-01-28 10:38:09 EST
Back to ASSIGNED, there are sill missing features
Comment 13 Petr Vobornik 2016-02-17 11:09:02 EST
All FreeIPA tickets are fixed except for #5602 which is a tracker ticket for bug 1301546 which is a PKI bug. Therefore moving to POST.

Bug 1301546 will be fixed in different timeframe.

Honza, could you add a note how waiting for bug 1301546 affects IPA and what are the possible workarounds.
Comment 15 Jan Cholasta 2016-02-23 09:27:01 EST
Upstream ticket:
Comment 17 Jan Cholasta 2016-03-17 09:08:41 EDT
Ticket 5506 needs to be included as well, see https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c14. Moving back to POST.
Comment 18 Jan Cholasta 2016-03-17 09:09:40 EDT
Upstream ticket:
Comment 19 Jan Cholasta 2016-03-17 09:10:44 EDT
Ticket 5506 fixed upstream:
Comment 21 Kaleem 2016-08-19 06:09:19 EDT
IPA version:
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
[root@dhcp207-129 ~]# 

Following five scenarios executed for verification of this bug which were picked from https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c8

(1) ipa-ca-install on replica 

   This fails and following bugs are already reported for this

(2) ipa-replica-install should be successful from master which is converted to CA-full from CA-less

   This is successful

(3) ipa-ca-install should be successfull on a CA-less master and (4) ipa-cert-update should not remove ca-less certs when CA-less to CA-full is converted 

   This is successful. 

(5) ipa-ca-install with external-ca on ca-less master 
   This is failing and following two bugs reported for this


Following additional scenario covers tkt 5506

(6) third replica install fails 

    This is successful too.

Please fine the attached console output for successful scenarios
Comment 22 Kaleem 2016-08-19 06:11 EDT
Created attachment 1192097 [details]
console output with verification steps
Comment 29 errata-xmlrpc 2016-11-04 01:50:31 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.