1301687 – issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1301687 - issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

Summary: issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:	1301546
Blocks:	1287930 1309382
TreeView+	depends on / blocked

Reported:	2016-01-25 17:11 UTC by Petr Vobornik
Modified:	2020-08-13 08:22 UTC (History)
CC List:	9 users (show)
Fixed In Version:	ipa-4.2.0-16.el7
Doc Type:	Bug Fix
Doc Text:	Cause: IPA replica install code made wrong assumptions about the install environment. Consequence: The ipa-replica-install and ipa-ca-install commands would fail when installing a replica of a RHEL 6 master with selfsign CA. Fix: Fix IPA replica install code not to assume a recent IPA master with Dogtag CA. Result: The ipa-replica-install and ipa-ca-install work correctly when installing a replica of a RHEL 6 master with selfsign CA.
Clone Of:
Clones:	1309382 (view as bug list)
Environment:
Last Closed:	2016-11-04 05:50:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
console output with verification steps (22.38 KB, text/plain) 2016-08-19 10:11 UTC, Kaleem	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2404	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-01-25 17:11:53 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5611

When installing new CA master, `ipa-ca-install` fails with:
{{{
  [23/26]: restarting certificate server
  [24/26]: migrating certificate profiles to LDAP
  [error] IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/conf/CS.cfg'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
}}}
This happens because the `dogtag_version` option is not set to `10` on API initialization, so Dogtag 9 paths are used.

Comment 1 Petr Vobornik 2016-01-25 17:16:39 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5598

Comment 2 Petr Vobornik 2016-01-25 17:16:45 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5602

Comment 3 Petr Vobornik 2016-01-25 17:28:21 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5595

Comment 4 Petr Vobornik 2016-01-25 17:30:23 UTC

there are issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

First it does not work
* installation of replica fails because of incorrect API initialization #5611
* ipa-ca-install fails on replica if the master was updated from CA-less to CA-full #5602

Then environment is in bad state which causes:
* CA server doesn't work - dogtag is unabled to contact LDAP server #5595
* another replica can't be installed #5598

Comment 5 Petr Vobornik 2016-01-25 17:32:13 UTC

#5602 is a PKI bug 1035486

Comment 6 Petr Vobornik 2016-01-25 17:35:47 UTC

sorry, bug 1301546

Comment 7 Petr Vobornik 2016-01-28 13:16:26 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5636

Comment 8 Martin Bašti 2016-01-28 15:37:04 UTC

Fixed upstream
master:
* 72e72615df8b178ebbcb2e4944ba289ef263c951 fix standalone installation of externally signed CA on IPA master
ipa-4-3:
* 87cd18892fcbc520c8d45c5f7624a909c9347779 fix standalone installation of externally signed CA on IPA master
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/24384624b3ad2eb0e5ffe6483c34156c7d335888

Comment 9 Martin Bašti 2016-01-28 15:38:09 UTC

Back to ASSIGNED, there are sill missing features

Comment 11 Martin Bašti 2016-02-01 13:44:34 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/465ce82a4d098c4c419913f30a1a028afc7ae445
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/15357aea39eb9e496439e4ef711b97616ef7ee9a
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/c2ade68df88e440cd969bede298f0c1feae59fcc

Comment 13 Petr Vobornik 2016-02-17 16:09:02 UTC

All FreeIPA tickets are fixed except for #5602 which is a tracker ticket for bug 1301546 which is a PKI bug. Therefore moving to POST.

Bug 1301546 will be fixed in different timeframe.

Honza, could you add a note how waiting for bug 1301546 affects IPA and what are the possible workarounds.

Comment 15 Jan Cholasta 2016-02-23 14:27:01 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4492

Comment 16 Jan Cholasta 2016-02-23 14:28:47 UTC

Ticket 4492 fixed upstream:
master:
https://fedorahosted.org/freeipa/changeset/26dee66d1bf05aac5af5f82862ce54585ccde7e4/
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/f5fa38399277ab16fa32832f53580651ad4a4026/

Comment 17 Jan Cholasta 2016-03-17 13:08:41 UTC

Ticket 5506 needs to be included as well, see https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c14. Moving back to POST.

Comment 18 Jan Cholasta 2016-03-17 13:09:40 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5506

Comment 19 Jan Cholasta 2016-03-17 13:10:44 UTC

Ticket 5506 fixed upstream:
master:
https://fedorahosted.org/freeipa/changeset/a497288b3eafe00ab9c819dd4a51d0b421824b36/

Comment 21 Kaleem 2016-08-19 10:09:19 UTC

IPA version:
============
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-8.el7.x86_64
pki-ca-10.3.3-6.el7.noarch
[root@dhcp207-129 ~]# 

Following five scenarios executed for verification of this bug which were picked from https://bugzilla.redhat.com/show_bug.cgi?id=1309382#c8

(1) ipa-ca-install on replica 

   This fails and following bugs are already reported for this

   https://bugzilla.redhat.com/show_bug.cgi?id=1358752
   https://bugzilla.redhat.com/show_bug.cgi?id=1365858
   
(2) ipa-replica-install should be successful from master which is converted to CA-full from CA-less

   This is successful

(3) ipa-ca-install should be successfull on a CA-less master and (4) ipa-cert-update should not remove ca-less certs when CA-less to CA-full is converted 

   This is successful. 

(5) ipa-ca-install with external-ca on ca-less master 
   
   This is failing and following two bugs reported for this

   https://bugzilla.redhat.com/show_bug.cgi?id=1318616
   https://bugzilla.redhat.com/show_bug.cgi?id=1368388

Following additional scenario covers tkt 5506

(6) third replica install fails 

    This is successful too.

Please fine the attached console output for successful scenarios

Comment 22 Kaleem 2016-08-19 10:11:07 UTC

Created attachment 1192097 [details]
console output with verification steps

Comment 29 errata-xmlrpc 2016-11-04 05:50:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.