Bug 1387779 - Make httpd publish CA certificate on Domain Level 1
Summary: Make httpd publish CA certificate on Domain Level 1
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Sudhir Menon
: 1403844 (view as bug list)
Depends On:
Blocks: 1389379
TreeView+ depends on / blocked
Reported: 2016-10-21 21:03 UTC by Petr Vobornik
Modified: 2017-08-01 09:42 UTC (History)
9 users (show)

Fixed In Version: ipa-4.4.0-14.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1389379 (view as bug list)
Last Closed: 2017-08-01 09:42:02 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2016-10-21 21:03:33 UTC
This bug is created as a clone of upstream ticket:

When httpd instance gets created on domain level 1, it is set not to publish its CA certificate.

This may possibly cause problems in a corner case during client installation when the certificate fails to download from LDAP and is also not supplied by the user.

Comment 3 Martin Bašti 2016-10-26 15:58:40 UTC
* 5d15626b4db8f5e777e037680623badc86b6c31d Make httpd publish its CA certificate on DL1

Comment 4 Martin Bašti 2016-10-26 16:11:38 UTC
* c84d920ce8b4ca634d72d7bd99652f93f98b0959 Make httpd publish its CA certificate on DL1

Comment 8 Kim Borup 2016-12-12 14:40:03 UTC
*** Bug 1403844 has been marked as a duplicate of this bug. ***

Comment 10 Sudhir Menon 2017-05-16 06:00:32 UTC
Verified on RHEL7.4 as per comment6 in bz1389379.


    [root@replica ~]# ipa-replica-install -P admin -w Secret123
    WARNING: conflicting time&date synchronization service 'chronyd' will
    be disabled in favor of ntpd
    Configuring client side components
    Discovery was successful!
    Client hostname: replica.testrelm.test
    DNS Domain: testrelm.test
    IPA Server: master.testrelm.test
    BaseDN: dc=testrelm,dc=test
    Skipping synchronizing time with NTP server.
    Successfully retrieved CA cert
        Subject:     CN=Certificate Authority,O=TESTRELM.TEST
        Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
        Valid From:  2017-05-15 09:00:32
        Valid Until: 2037-05-15 09:00:32
    Enrolled in IPA realm TESTRELM.TEST
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured sudoers in /etc/nsswitch.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
    trying https://master.testrelm.test/ipa/json
    Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
    trying https://master.testrelm.test/ipa/session/json
    Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
    Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
    Systemwide CA database updated.
    Hostname (replica.testrelm.test) does not have A/AAAA record.
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
    Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Configuring testrelm.test as NIS domain.
    Client configuration complete.
    The ipa-client-install command was successful
Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
    Continue? [no]: yes
    Run connection check to master
    Connection check OK
    Configuring NTP daemon (ntpd)
      [1/4]: stopping ntpd
      [2/4]: writing configuration
      [3/4]: configuring ntpd to start on boot
      [4/4]: starting ntpd
    Done configuring NTP daemon (ntpd).
    Configuring directory server (dirsrv). Estimated time: 30 seconds
      [1/40]: creating directory server instance
      [2/40]: enabling ldapi
      [3/40]: configure autobind for root
      [4/40]: stopping directory server
      [5/40]: updating configuration in dse.ldif
      [6/40]: starting directory server
      [7/40]: adding default schema
      [8/40]: enabling memberof plugin
      [9/40]: enabling winsync plugin
      [10/40]: configuring replication version plugin
      [11/40]: enabling IPA enrollment plugin
      [12/40]: configuring uniqueness plugin
      [13/40]: configuring uuid plugin
      [14/40]: configuring modrdn plugin
      [15/40]: configuring DNS plugin
      [16/40]: enabling entryUSN plugin
      [17/40]: configuring lockout plugin
      [18/40]: configuring topology plugin
      [19/40]: creating indices
      [20/40]: enabling referential integrity plugin
      [21/40]: configuring certmap.conf
      [22/40]: configure new location for managed entries
      [23/40]: configure dirsrv ccache
      [24/40]: enabling SASL mapping fallback
      [25/40]: restarting directory server
      [26/40]: creating DS keytab
      [27/40]: setting up initial replication
    Starting replication, please wait until this has completed.
    Update in progress, 5 seconds elapsed
    Update succeeded
      [28/40]: adding sasl mappings to the directory
      [29/40]: updating schema
      [30/40]: setting Auto Member configuration
      [31/40]: enabling S4U2Proxy delegation
      [32/40]: initializing group membership
      [33/40]: adding master entry
      [34/40]: initializing domain level
      [35/40]: configuring Posix uid/gid generation
      [36/40]: adding replication acis
      [37/40]: activating sidgen plugin
      [38/40]: activating extdom plugin
      [39/40]: tuning directory server
      [40/40]: configuring directory to start on boot
    Done configuring directory server (dirsrv).
    Configuring Kerberos KDC (krb5kdc)
      [1/5]: configuring KDC
      [2/5]: adding the password extension to the directory
      [3/5]: creating anonymous principal
      [4/5]: starting the KDC
      [5/5]: configuring KDC to start on boot
    Done configuring Kerberos KDC (krb5kdc).
    Configuring kadmin
      [1/2]: starting kadmin
      [2/2]: configuring kadmin to start on boot
    Done configuring kadmin.
    Configuring directory server (dirsrv)
      [1/3]: configuring TLS for DS instance
      [2/3]: importing CA certificates from LDAP
      [3/3]: restarting directory server
    Done configuring directory server (dirsrv).
    Configuring the web interface (httpd)
      [1/21]: stopping httpd
      [2/21]: setting mod_nss port to 443
      [3/21]: setting mod_nss cipher suite
      [4/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
      [5/21]: setting mod_nss password file
      [6/21]: enabling mod_nss renegotiate
      [7/21]: adding URL rewriting rules
      [8/21]: configuring httpd
      [9/21]: setting up httpd keytab
      [10/21]: configuring Gssproxy
      [11/21]: setting up ssl
      [12/21]: configure certmonger for renewals
      [13/21]: importing CA certificates from LDAP
      [14/21]: publish CA cert
      [15/21]: clean up any existing httpd ccaches
      [16/21]: configuring SELinux for httpd
      [17/21]: create KDC proxy config
      [18/21]: enable KDC proxy
      [19/21]: starting httpd
      [20/21]: configuring httpd to start on boot
      [21/21]: enabling oddjobd
    Done configuring the web interface (httpd).
    Configuring ipa-otpd
      [1/2]: starting ipa-otpd
      [2/2]: configuring ipa-otpd to start on boot
    Done configuring ipa-otpd.
    Configuring ipa-custodia
      [1/4]: Generating ipa-custodia config file
      [2/4]: Generating ipa-custodia keys
      [3/4]: starting ipa-custodia
      [4/4]: configuring ipa-custodia to start on boot
    Done configuring ipa-custodia.
    Configuring certificate server (pki-tomcatd)
      [1/2]: configure certmonger for renewals
      [2/2]: Importing RA key
    Done configuring certificate server (pki-tomcatd).
    Configuring Kerberos KDC (krb5kdc)
      [1/1]: installing X509 Certificate for PKINIT
    Done configuring Kerberos KDC (krb5kdc).
    Applying LDAP updates
    Upgrading IPA:. Estimated time: 1 minute 30 seconds
      [1/9]: stopping directory server
      [2/9]: saving configuration
      [3/9]: disabling listeners
      [4/9]: enabling DS global lock
      [5/9]: starting directory server
      [6/9]: upgrading server
      [7/9]: stopping directory server
      [8/9]: restoring configuration
      [9/9]: starting directory server
    Restarting the KDC

[root@replica ~]# ls /usr/share/ipa/html/ca.crt
[root@replica ~]#  echo Secret123 | kinit admin
Password for admin@TESTRELM.TEST: 
[root@replica ~]# klist -l
Principal name                 Cache name
--------------                 ----------
admin@TESTRELM.TEST            KEYRING:persistent:0:0

Comment 11 Sudhir Menon 2017-05-16 06:02:04 UTC
[root@master ~]# ipa domainlevel-get
Current domain level: 1

[root@replica ~]# ipa domainlevel-get
Current domain level: 1

Comment 12 errata-xmlrpc 2017-08-01 09:42:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.