Bug 1436724 - Renewal of IPA RA fails on replica
Summary: Renewal of IPA RA fails on replica
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Pavel Picka
QA Contact: Pavel Picka
Depends On:
TreeView+ depends on / blocked
Reported: 2017-03-28 13:51 UTC by Petr Vobornik
Modified: 2017-08-01 09:47 UTC (History)
6 users (show)

Fixed In Version: ipa-4.5.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 09:47:49 UTC
Target Upstream Version:

Attachments (Terms of Use)
output (3.17 KB, text/plain)
2017-06-08 08:22 UTC, Pavel Picka
no flags Details

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-03-28 13:51:55 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6813

FreeIPA configured with CA on the master and no CA on the replica.
If I renew the IPA RA agent on the master, then try to renew the same on the replica, the operation fails on the replica:

    Request ID '20170324090012':
	ca-error: Error 7 connecting to http://replica.example.com:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	expires: 2019-03-14 08:53:32 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes

Note that the agent tries to contact Dogtag on the replica but Dogtag is only installed on the server. The agent should rather try to download the certificate from LDAP.

The issue happens because of a bug in /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit, where the code checks if the certificate is replicated in order to either request renewal or download the renewed cert:

    def is_replicated():
        return not get_nickname()

The code should do the opposite: ie a cert is replicated if get_nickname() returns a name.

Comment 2 Petr Vobornik 2017-03-28 13:52:12 UTC
Upstream ticket:

Comment 3 Petr Vobornik 2017-03-28 13:56:55 UTC
    e934da09d5e738c735f874931dd1b54d79b3150b dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function

    8f738f1ea9f86a921e3dc0fd02e57419f3173ed9 dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function

Comment 7 Pavel Picka 2017-06-08 08:22:30 UTC
Created attachment 1286066 [details]

verified on ipa-server-4.5.0-14.el7.x86_64

Comment 8 errata-xmlrpc 2017-08-01 09:47:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.