Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1436724 - Renewal of IPA RA fails on replica
Renewal of IPA RA fails on replica
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.4
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Pavel Picka
Pavel Picka
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-03-28 09:51 EDT by Petr Vobornik
Modified: 2017-08-01 05:47 EDT (History)
6 users (show)

See Also:
Fixed In Version: ipa-4.5.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 05:47:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
output (3.17 KB, text/plain)
2017-06-08 04:22 EDT, Pavel Picka 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 08:41:35 EDT

  None (edit)
Description Petr Vobornik 2017-03-28 09:51:55 EDT 
Cloned from upstream: https://pagure.io/freeipa/issue/6813

FreeIPA configured with CA on the master and no CA on the replica.
If I renew the IPA RA agent on the master, then try to renew the same on the replica, the operation fails on the replica:

    Request ID '20170324090012':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://replica.example.com:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=IPA RA,O=EXAMPLE.COM
	expires: 2019-03-14 08:53:32 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes

Note that the agent tries to contact Dogtag on the replica but Dogtag is only installed on the server. The agent should rather try to download the certificate from LDAP.

The issue happens because of a bug in /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit, where the code checks if the certificate is replicated in order to either request renewal or download the renewed cert:

    def is_replicated():
        return not get_nickname()

The code should do the opposite: ie a cert is replicated if get_nickname() returns a name.
Comment 2 Petr Vobornik 2017-03-28 09:52:12 EDT 
Upstream ticket:
https://pagure.io/freeipa/issue/6813
Comment 3 Petr Vobornik 2017-03-28 09:56:55 EDT 
master:
    e934da09d5e738c735f874931dd1b54d79b3150b dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function

ipa-4-5:
    8f738f1ea9f86a921e3dc0fd02e57419f3173ed9 dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
Comment 7 Pavel Picka 2017-06-08 04:22 EDT 
Created attachment 1286066 [details]
output

verified on ipa-server-4.5.0-14.el7.x86_64
Comment 8 errata-xmlrpc 2017-08-01 05:47:49 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.