Bug 1309382 - issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware/OS: All Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Keywords: ZStream
Depends On: 1301687
Blocks:
Reported: 2016-02-17 11:15 EST by Jan Kurik
Modified: 2016-05-12 05:58 EDT
CC List: 10 users

See Also:
Fixed In Version: ipa-4.2.0-15.el7_2.12
Doc Type: Bug Fix
Doc Text:
The ipa-replica-install and ipa-ca-install utilities failed when installing a replica of a Red Hat Enterprise Linux 6 master with a self-signed CA certificate. This update fixes the bug. Note that after running ipa-ca-install, you must run the ipa-certupdate utility.

Also, it is not possible to install a replica with a CA certificate against a master that uses a third-party certificate for the httpd service. To work around this problem, issue a temporary IdM certificate for httpd on the master before installing the replica:

# certutil -d /etc/httpd/alias -L -n [NICKNAME] -r >backup.crt.der
# ipa service-mod HTTP/[HOSTNAME] --certificate=
# ipa-getcert start-tracking -d /etc/httpd/alias -n [NICKNAME] -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
# ipa-getcert resubmit -d /etc/httpd/alias -n [NICKNAME] -K HTTP/[HOSTNAME]

After installing the replica, revert to the original certificate:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n [NICKNAME]
# certutil -d /etc/httpd/alias -D -n [NICKNAME]
# certutil -d /etc/httpd/alias -A -n [NICKNAME] -t ,, -i backup.crt.der
# systemctl restart httpd
Story Points: ---
Clone Of: 1301687
Environment:
Last Closed: 2016-05-12 05:58:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
tkt_4492.log (25.08 KB, text/plain) - 2016-03-17 08:26 EDT, Abhijeet Kasurde
tkt_5595.log (11.45 KB, text/plain) - 2016-03-17 08:27 EDT, Abhijeet Kasurde
tkt_5598.log (16.03 KB, text/plain) - 2016-03-17 08:27 EDT, Abhijeet Kasurde
tkt_5611.log (8.64 KB, text/plain) - 2016-03-17 08:28 EDT, Abhijeet Kasurde
tkt_5636.log (11.75 KB, text/plain) - 2016-03-18 02:36 EDT, Abhijeet Kasurde


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1036 normal SHIPPED_LIVE ipa bug fix update 2016-05-12 09:53:44 EDT

Description Jan Kurik 2016-02-17 11:15:48 EST
This bug has been copied from bug #1301687 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 3 Jan Cholasta 2016-02-23 09:22:40 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4492
Comment 5 Petr Vobornik 2016-02-24 11:26:56 EST
Jan, please provide impact of missing fix for Bug 1301546 and what are the possible workarounds
Comment 6 Jan Cholasta 2016-02-25 03:46:25 EST
The impact is that installing a replica with a CA is not possible against a master which uses a 3rd party cert for httpd.

The workaround is to issue a (temporary) IPA cert for httpd on the master before installing the replica:

# certutil -d /etc/httpd/alias -L -n $NICKNAME -r >backup.crt.der
# ipa service-mod HTTP/$HOSTNAME --certificate=
# ipa-getcert start-tracking -d /etc/httpd/alias -n $NICKNAME -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
# ipa-getcert resubmit -d /etc/httpd/alias -n $NICKNAME -K HTTP/$HOSTNAME

After installing the replica, you can revert to the original cert:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n $NICKNAME
# certutil -d /etc/httpd/alias -D -n $NICKNAME
# certutil -d /etc/httpd/alias -A -n $NICKNAME -t ,, -i backup.crt.der
# systemctl restart httpd
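The workaround from comment 6, wrapped in a script with the checks a cautious operator would add: the DER backup is verified before the NSS database is touched, and certmonger is polled until the reissued certificate is actually in MONITORING state before the script reports success. This is an added example and not code from the bug report or from the IPA project. Assumed, because the page does not state them: a default nickname of Server-Cert, the host name taken from hostname -f, and the sample getcert listing embedded for the parser check, which is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not from the bug report or from IPA): the httpd certificate
# workaround from comment 6 with checks around the destructive steps.
# Assumed, not stated on the page: nickname default "Server-Cert", host name
# from `hostname -f`, and the constructed sample listing used for the parser.

NSSDB=${NSSDB:-/etc/httpd/alias}
NICKNAME=${NICKNAME:-Server-Cert}
BACKUP=${BACKUP:-backup.crt.der}
RESTART_HELPER=/usr/lib64/ipa/certmonger/restart_httpd

# A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30; refuse
# to delete anything from the NSS database unless the backup looks like one.
der_looks_like_cert() {
    [ -s "$1" ] || return 1
    first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ]
}

# Read `getcert list` output on stdin; print one field (status, issuer, CA,
# ...) of the request whose key pair is stored under the given nickname.
# Exit status 1 when no tracked request uses that nickname.
tracking_field() {
    awk -v nick="$1" -v field="$2" -v q="'" '
        function flush() { if (matched && val != "") { print val; found = 1; matched = 0 } }
        /^Request ID/ { flush(); val = ""; matched = 0 }
        $0 ~ ("^[ \t]*" field ": ") { sub("^[ \t]*" field ": ", ""); val = $0 }
        /^[ \t]*key pair storage:/ && index($0, "nickname=" q nick q) { matched = 1 }
        END { flush(); if (!found) exit 1 }'
}

# Poll certmonger until the request for $NICKNAME reports the wanted state.
wait_for_status() {
    want=$1; tries=${2:-30}; got=""
    while [ "$tries" -gt 0 ]; do
        got=$(ipa-getcert list -d "$NSSDB" -n "$NICKNAME" | tracking_field "$NICKNAME" status) || got=""
        [ "$got" = "$want" ] && return 0
        sleep 2; tries=$((tries - 1))
    done
    echo "certmonger request for $NICKNAME is '$got', expected $want" >&2
    return 1
}

# Steps from comment 6: back up the third-party cert, clear the stored cert on
# the HTTP service, put the NSS cert under certmonger and have the IPA CA
# reissue it. Nothing is changed unless the backup verifies first.
apply_workaround() {
    host=${IPA_HOST:-$(hostname -f)}
    certutil -d "$NSSDB" -L -n "$NICKNAME" -r > "$BACKUP"
    der_looks_like_cert "$BACKUP" || { echo "backup of $NICKNAME to $BACKUP failed; nothing changed" >&2; return 1; }
    ipa service-mod "HTTP/$host" --certificate=
    ipa-getcert start-tracking -d "$NSSDB" -n "$NICKNAME" -p "$NSSDB/pwdfile.txt" -C "$RESTART_HELPER" || return 1
    ipa-getcert resubmit -d "$NSSDB" -n "$NICKNAME" -K "HTTP/$host" || return 1
    wait_for_status MONITORING || return 1
    issuer=$(ipa-getcert list -d "$NSSDB" -n "$NICKNAME" | tracking_field "$NICKNAME" issuer)
    echo "$NICKNAME is now issued by '$issuer'; install the replica, then run: $0 revert"
}

# Reverse of the above, once the replica is installed.
revert_workaround() {
    der_looks_like_cert "$BACKUP" || { echo "no usable backup at $BACKUP; not touching $NICKNAME" >&2; return 1; }
    ipa-getcert stop-tracking -d "$NSSDB" -n "$NICKNAME"
    certutil -d "$NSSDB" -D -n "$NICKNAME" || return 1
    certutil -d "$NSSDB" -A -n "$NICKNAME" -t ,, -i "$BACKUP" || return 1
    systemctl restart httpd
}

# Constructed sample of `getcert list` output (not captured from a real host),
# so tracking_field can be exercised without certmonger.
SAMPLE_LISTING="Number of certificates and requests being tracked: 2.
Request ID '20160317120000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=master.example.com,O=EXAMPLE.COM
Request ID '20160317120001':
    status: CA_UNREACHABLE
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
"

case "${1:-}" in
    apply)  apply_workaround ;;
    revert) revert_workaround ;;
    *)      echo "usage: $0 apply | revert" >&2 ;;
esac
```

Run it as `apply` on the master before ipa-replica-install and as `revert` afterwards. Like the commands in comment 6, the revert only restores the NSS database; nothing in that sequence touches the HTTP/HOSTNAME service entry again, so check ipa service-show after reverting if the certificate stored in the entry matters to you.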
Comment 9 Abhijeet Kasurde 2016-03-17 08:26:13 EDT
Verified using IPA server version ::

ipa-server-4.2.0-15.el7_2.10.x86_64

Please find the console.log for each ticket in attachments.

For https://fedorahosted.org/freeipa/ticket/5636 ticket, there is another bug reported - BZ1318616
Comment 10 Abhijeet Kasurde 2016-03-17 08:26 EDT
Created attachment 1137376 [details]
tkt_4492.log
Comment 11 Abhijeet Kasurde 2016-03-17 08:27 EDT
Created attachment 1137377 [details]
tkt_5595.log
Comment 12 Abhijeet Kasurde 2016-03-17 08:27 EDT
Created attachment 1137379 [details]
tkt_5598.log
Comment 13 Abhijeet Kasurde 2016-03-17 08:28 EDT
Created attachment 1137381 [details]
tkt_5611.log
Comment 14 Jan Cholasta 2016-03-17 09:04:36 EDT
The workaround for bug 1318616 is to run ipa-certupdate right after ipa-ca-install.

To make the workaround actually work, the fix for IPA ticket 5506 needs to be included as well. Moving back to POST.
Comment 15 Jan Cholasta 2016-03-17 09:06:24 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5506
Comment 17 Abhijeet Kasurde 2016-03-18 02:36:00 EDT
Verified using IPA version with workaround suggested in comment#14
ipa-server-4.2.0-15.el7_2.12.x86_64

See attachment for console.log.
Comment 18 Abhijeet Kasurde 2016-03-18 02:36 EDT
Created attachment 1137687 [details]
tkt_5636.log
Comment 20 errata-xmlrpc 2016-05-12 05:58:28 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1036.html
