This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5611

When installing new CA master, `ipa-ca-install` fails with:

{{{
  [23/26]: restarting certificate server
  [24/26]: migrating certificate profiles to LDAP
  [error] IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/conf/CS.cfg'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
}}}

This happens because the `dogtag_version` option is not set to `10` on API initialization, so Dogtag 9 paths are used.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5598
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5602
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5595
There are issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup.

First, it does not work:
* installation of replica fails because of incorrect API initialization #5611
* ipa-ca-install fails on replica if the master was updated from CA-less to CA-full #5602

Then the environment is in a bad state, which causes:
* CA server doesn't work - dogtag is unable to contact LDAP server #5595
* another replica can't be installed #5598
#5602 is a PKI bug 1035486
sorry, bug 1301546
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5636
Fixed upstream

master:
* 72e72615df8b178ebbcb2e4944ba289ef263c951 fix standalone installation of externally signed CA on IPA master

ipa-4-3:
* 87cd18892fcbc520c8d45c5f7624a909c9347779 fix standalone installation of externally signed CA on IPA master

ipa-4-2:
https://fedorahosted.org/freeipa/changeset/24384624b3ad2eb0e5ffe6483c34156c7d335888
Back to ASSIGNED, there are still missing features
Fixed upstream

master:
https://fedorahosted.org/freeipa/changeset/465ce82a4d098c4c419913f30a1a028afc7ae445

ipa-4-3:
https://fedorahosted.org/freeipa/changeset/15357aea39eb9e496439e4ef711b97616ef7ee9a

ipa-4-2:
https://fedorahosted.org/freeipa/changeset/c2ade68df88e440cd969bede298f0c1feae59fcc
All FreeIPA tickets are fixed except for #5602 which is a tracker ticket for bug 1301546 which is a PKI bug. Therefore moving to POST. Bug 1301546 will be fixed in different timeframe. Honza, could you add a note how waiting for bug 1301546 affects IPA and what are the possible workarounds.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4492
Ticket 4492 fixed upstream:

master:
https://fedorahosted.org/freeipa/changeset/26dee66d1bf05aac5af5f82862ce54585ccde7e4/

ipa-4-2:
https://fedorahosted.org/freeipa/changeset/f5fa38399277ab16fa32832f53580651ad4a4026/
Ticket 5506 needs to be included as well, see https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c14. Moving back to POST.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5506
Ticket 5506 fixed upstream:

master:
https://fedorahosted.org/freeipa/changeset/a497288b3eafe00ab9c819dd4a51d0b421824b36/
IPA version:
============
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-8.el7.x86_64
pki-ca-10.3.3-6.el7.noarch
[root@dhcp207-129 ~]#

The following five scenarios were executed for verification of this bug. They were picked from https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c8

(1) ipa-ca-install on replica

This fails and the following bugs are already reported for this:
https://bugzilla.redhat.com/show_bug.cgi?id=1358752
https://bugzilla.redhat.com/show_bug.cgi?id=1365858

(2) ipa-replica-install should be successful from master which is converted to CA-full from CA-less

This is successful.

(3) ipa-ca-install should be successful on a CA-less master
and
(4) ipa-cert-update should not remove ca-less certs when CA-less to CA-full is converted

This is successful.

(5) ipa-ca-install with external-ca on ca-less master

This is failing and the following two bugs are reported for this:
https://bugzilla.redhat.com/show_bug.cgi?id=1318616
https://bugzilla.redhat.com/show_bug.cgi?id=1368388

The following additional scenario covers tkt 5506:

(6) third replica install fails

This is successful too.

Please find the attached console output for successful scenarios.
Created attachment 1192097: console output with verification steps
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html