1309382 – issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

Bug 1309382 - issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

Summary: issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:	1301687
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-17 16:15 UTC by Jan Kurik
Modified:	2020-08-13 08:23 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ipa-4.2.0-15.el7_2.12
Doc Type:	Bug Fix
Doc Text:	The ipa-replica-install and ipa-ca-install utilities failed when installing a replica of a Red Hat Enterprise Linux 6 master with a self-signed CA certificate. This updates fixes the bug. Note that after running ipa-ca-install, you must run the ipa-certupdate utility. Also, it is not possible to install a replica with a CA certificate against a master that uses a third-party certificate for the httpd service. To work around this problem, issue a temporary IdM certificate for httpd on the master before installing the replica: # certutil -d /etc/httpd/alias -L -n [NICKNAME] -r >backup.crt.der # ipa service-mod HTTP/[HOSTNAME] --certificate= # ipa-getcert start-tracking -d /etc/httpd/alias -n [NICKNAME] -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd # ipa-getcert resubmit -d /etc/httpd/alias -n [NICKNAME] -K HTTP/[HOSTNAME] After installing the replica, revert to the original certificate: # ipa-getcert stop-tracking -d /etc/httpd/alias -n [NICKNAME] # certutil -d /etc/httpd/alias -D -n [NICKNAME] # certutil -d /etc/httpd/alias -A -n [NICKNAME] -t ,, -i backup.crt.der # systemctl restart httpd
Clone Of:	1301687
Environment:
Last Closed:	2016-05-12 09:58:28 UTC
Target Upstream Version:

Attachments	(Terms of Use)
tkt_4492.log (25.08 KB, text/plain) 2016-03-17 12:26 UTC, Abhijeet Kasurde	no flags	Details
tkt_5595.log (11.45 KB, text/plain) 2016-03-17 12:27 UTC, Abhijeet Kasurde	no flags	Details
tkt_5598.log (16.03 KB, text/plain) 2016-03-17 12:27 UTC, Abhijeet Kasurde	no flags	Details
tkt_5611.log (8.64 KB, text/plain) 2016-03-17 12:28 UTC, Abhijeet Kasurde	no flags	Details
tkt_5636.log (11.75 KB, text/plain) 2016-03-18 06:36 UTC, Abhijeet Kasurde	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:1036	0	normal	SHIPPED_LIVE	ipa bug fix update	2016-05-12 13:53:44 UTC

Description Jan Kurik 2016-02-17 16:15:48 UTC

This bug has been copied from bug #1301687 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 3 Jan Cholasta 2016-02-23 14:22:40 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4492

Comment 5 Petr Vobornik 2016-02-24 16:26:56 UTC

Jan, please provide impact of missing fix for Bug 1301546 and what are the possible workarounds

Comment 6 Jan Cholasta 2016-02-25 08:46:25 UTC

The impact is that installing a replica with a CA is not possible against a master which uses a 3rd party cert for httpd.

The workaround is to issue a (temporary) IPA cert for httpd on the master before installing the replica:

# certutil -d /etc/httpd/alias -L -n $NICKNAME -r >backup.crt.der
# ipa service-mod HTTP/$HOSTNAME --certificate=
# ipa-getcert start-tracking -d /etc/httpd/alias -n $NICKNAME -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
# ipa-getcert resubmit -d /etc/httpd/alias -n $NICKNAME -K HTTP/$HOSTNAME

After installing the replica, you can revert to the original cert:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n $NICKNAME
# certutil -d /etc/httpd/alias -D -n $NICKNAME
# certutil -d /etc/httpd/alias -A -n $NICKNAME -t ,, -i backup.crt.der
# systemctl restart httpd

Comment 9 Abhijeet Kasurde 2016-03-17 12:26:13 UTC

Verified using IPA server version ::

ipa-server-4.2.0-15.el7_2.10.x86_64

Please find the console.log for each ticket in attachments.

For https://fedorahosted.org/freeipa/ticket/5636 ticket, there is another bug reported - BZ1318616

Comment 10 Abhijeet Kasurde 2016-03-17 12:26:56 UTC

Created attachment 1137376 [details]
tkt_4492.log

Comment 11 Abhijeet Kasurde 2016-03-17 12:27:20 UTC

Created attachment 1137377 [details]
tkt_5595.log

Comment 12 Abhijeet Kasurde 2016-03-17 12:27:45 UTC

Created attachment 1137379 [details]
tkt_5598.log

Comment 13 Abhijeet Kasurde 2016-03-17 12:28:08 UTC

Created attachment 1137381 [details]
tkt_5611.log

Comment 14 Jan Cholasta 2016-03-17 13:04:36 UTC

The workaround for bug 1318616 is to run ipa-certupdate right after ipa-ca-install.

To make the workaround actually work, the fix for IPA ticket 5506 needs to be included as well. Moving back to POST.

Comment 15 Jan Cholasta 2016-03-17 13:06:24 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5506

Comment 17 Abhijeet Kasurde 2016-03-18 06:36:00 UTC

Verified using IPA version with workaround suggested in comment#14
ipa-server-4.2.0-15.el7_2.12.x86_64

See attachment for console.log.

Comment 18 Abhijeet Kasurde 2016-03-18 06:36:41 UTC

Created attachment 1137687 [details]
tkt_5636.log

Comment 20 errata-xmlrpc 2016-05-12 09:58:28 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1036.html

Note You need to log in before you can comment on or make changes to this bug.