Bug 1326425 - [RFE] Add utility to promote CA replica to CRL master
Summary: [RFE] Add utility to promote CA replica to CRL master
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.1
Assignee: Rob Crittenden
QA Contact: Kaleem
URL:
Whiteboard:
Depends On: 1683261
Blocks: 1550132 1644708 1690037
Reported: 2016-04-12 15:56 UTC by Thorsten Scherf
Modified: 2020-11-14 10:16 UTC (History)
CC List: 14 users

Fixed In Version: ipa-4.7.90.pre1-3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1690037
Environment:
Last Closed: 2019-11-05 20:52:26 UTC
Type: ---
Target Upstream Version:
Embargoed:




Links:
System: Red Hat Product Errata
ID: RHBA-2019:3348
Last Updated: 2019-11-05 20:52:52 UTC

Description Thorsten Scherf 2016-04-12 15:56:40 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5803

Currently it's a manual process to promote a replica to CRL master and it's error-prone. Ideally we add a new utility to ease this process:

master# ipa-crl-manage disable master.example.test

newmaster# ipa-crl-manage enable

newmaster# ipa-crl-manage status

Comment 1 Marc Sauton 2016-09-24 00:03:31 UTC
Linking bz 1326425 and salesforce case 01700517 (symcor)

We need to raise the priority of IdM failover on RHEL 7 faster, as replicas are more often added and removed, and hosts have shorter lifetimes.
The current IdM is seen as a "single point of failure" with the manual configuration changes required.
And it gives a false sense of a fail-over feature when we suggest to set up a CA on a replica.
For example, preparing a replica on a replica running a clone CA will result in a replica installation failure related to the PKI "security domain" in the pkisilent step, which is currently working "as designed", but not good in a deployment.

Upstream FreeIPA 5803 is too far in 4.5 backlog
Add utility to promote CA replica to CRL master
https://fedorahosted.org/freeipa/ticket/5803

Upstream FreeIPA 4911 is in "Future Releases"
[RFE] Share CRLs between servers
https://fedorahosted.org/freeipa/ticket/4911

Upstream Dogtag 1259 is for 10.4 which is far away, like "Future Releases"
Replicated CRL generation
https://fedorahosted.org/pki/ticket/1259

Comment 2 Petr Vobornik 2017-10-16 11:48:36 UTC
For the upcoming months or more, the FreeIPA/IdM team is focusing on stability and testability of FreeIPA/IdM and is thus postponing any RFEs or non-critical bugs.

Comment 5 Rob Crittenden 2018-06-20 14:44:17 UTC
(In reply to Marc Sauton from comment #1)
> Linking bz 1326425 and salesforce case 01700517 (symcor)
> 
> We need to raise the priority of IdM failover on RHEL 7 faster, as replicas are
> more often added and removed, and hosts have shorter lifetimes.
> The current IdM is seen as a "single point of failure" with the manual
> configuration changes required.
> And it gives a false sense of a fail-over feature when we suggest to set up a
> CA on a replica.
> For example, preparing a replica on a replica running a clone CA will result
> in a replica installation failure related to the PKI "security domain" in
> the pkisilent step, which is currently working "as designed", but not good
> in a deployment.

The CRL master has absolutely nothing to do with failover. Lacking one will not affect normal operation at all, particularly installation.

A single CRL master is used to avoid the real possibility that multiple masters could generate CRLs with different contents.

Design page: https://www.freeipa.org/page/V4/Promotion_to_CRL_generation_master
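
The two points above, the enable/disable/status utility proposed in the description and the "exactly one CRL generation master" invariant explained in this comment, can be shown with a small model. The following is an added example, not code from this bug, from FreeIPA or from the design page. It assumes that CRL generation on a Dogtag CA is switched by the two CS.cfg keys `ca.crl.MasterCRL.enableCRLCache` and `ca.crl.MasterCRL.enableCRLUpdates` (treat that as an assumption), uses a constructed CS.cfg fragment as input, and does not touch a real server or the httpd proxy configuration.

```python
"""Added example: model of a CRL-generation switch on a FreeIPA/Dogtag CA.

Not the project's code. The CS.cfg keys below are an assumption about how
Dogtag controls CRL generation; the sample config is constructed.
"""
from typing import Dict, List, Tuple

# CS.cfg keys assumed to control CRL generation on one CA instance.
CRL_KEYS = (
    "ca.crl.MasterCRL.enableCRLCache",
    "ca.crl.MasterCRL.enableCRLUpdates",
)

# Constructed CS.cfg fragment (not captured from a real deployment).
SAMPLE_CS_CFG = """\
# CS.cfg excerpt (constructed sample)
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.autoUpdateInterval=240
ca.certStatusUpdateInterval=600
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; comments and blank lines are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def render_cs_cfg(cfg: Dict[str, str]) -> str:
    """Serialise back to key=value lines (what a tool would write out)."""
    return "".join(f"{k}={v}\n" for k, v in cfg.items())


def crlgen_status(cfg: Dict[str, str]) -> str:
    """'enabled', 'disabled', or 'inconsistent' when the keys disagree.

    The inconsistent case is the "broken master/replica" state the
    verification scenarios in this bug exercise: half-applied changes.
    """
    flags = {cfg.get(k, "false").lower() == "true" for k in CRL_KEYS}
    if flags == {True}:
        return "enabled"
    if flags == {False}:
        return "disabled"
    return "inconsistent"


def set_crlgen(cfg: Dict[str, str], enabled: bool) -> Dict[str, str]:
    """Return a copy of cfg with both CRL keys set together."""
    new = dict(cfg)
    for k in CRL_KEYS:
        new[k] = "true" if enabled else "false"
    return new


def promote(old_master: Dict[str, str], new_master: Dict[str, str]):
    """Promote: disable on the old master first, then enable on the new one,
    so there is never a moment with two generators."""
    return set_crlgen(old_master, False), set_crlgen(new_master, True)


def check_topology(status_by_host: Dict[str, str]) -> Tuple[bool, str]:
    """Enforce the invariant from this comment: exactly one CRL master."""
    masters: List[str] = sorted(h for h, s in status_by_host.items() if s == "enabled")
    broken: List[str] = sorted(h for h, s in status_by_host.items() if s == "inconsistent")
    if broken:
        return False, "inconsistent CRL configuration on: " + ", ".join(broken)
    if not masters:
        return False, "no CRL generation master: published CRLs will go stale"
    if len(masters) > 1:
        return False, "multiple CRL generation masters (" + ", ".join(masters) + "); CRL contents may diverge"
    return True, "single CRL generation master: " + masters[0]


if __name__ == "__main__":
    master = parse_cs_cfg(SAMPLE_CS_CFG)
    replica = set_crlgen(master, False)
    print("before:", check_topology({"master": crlgen_status(master),
                                     "replica": crlgen_status(replica)}))
    master, replica = promote(master, replica)
    print("after: ", check_topology({"master": crlgen_status(master),
                                     "replica": crlgen_status(replica)}))
    print(render_cs_cfg(replica), end="")
```

`check_topology` is the check an operator would want after a promotion: it reports not only the dual-master case that this comment warns about but also the zero-master case, which is harmless for normal operation (as stated above) yet leaves the published CRL to age out.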

Comment 7 Petr Vobornik 2018-08-03 08:28:40 UTC
There was initial implementation in PR https://github.com/freeipa/freeipa/pull/2053

But it was closed and not merged, with the following comment:

"""
The design was to do this as an ipa-advise plugin and after implementing it I think it was a mistake.

This is a rather large python module that generates a rather large bash script. It would be far more maintainable to create a standalone python script to perform the change, ipa-crl-master or something.

We could also include a man page for this which isn't possible for an advise script.
"""

Comment 10 Martin Kosek 2019-01-21 13:29:03 UTC
During RHEL-7.7 replanning, it was decided that we would target primarily the RHEL-8 product for this feature.

Comment 19 Sumedh Sidhaye 2019-07-08 16:21:17 UTC
Build used for verification:

ipa-common-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.noarch
ipa-server-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.x86_64
ipa-server-common-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.noarch
ipa-server-dns-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.noarch
ipa-client-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.x86_64
ipa-client-common-4.7.90.pre1-3.module+el8.1.0+3389+a3c612fa.noarch

Tests performed:

The following scenarios were tested:

1. test master enable crlgen already enabled
2. test master disable crlgen
3. test master disable crlgen already disabled
4. test master enable crlgen
5. test crlgen status on replica
6. test crlgen disable on caless replica
7. test crlgen enable on caless replica
8. test crlgen enable on ca replica
9. test crlgen enable on broken master
10. test crlgen disable on broken master
11. test crlgen enable on broken replica
12. test crlgen disable on broken replica
13. test uninstall without ignore last of role
14. test uninstall with ignore last of role
15. test uninstall last master does not require ignore last of role

Hence marking this bugzilla as verified.

Attaching the junit XML for reference.

Comment 23 errata-xmlrpc 2019-11-05 20:52:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348

