Bug 1445390 - ipa-[ca|kra]-install with invalid DM password break replica
Summary: ipa-[ca|kra]-install with invalid DM password break replica
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Abhijeet Kasurde
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-04-25 14:53 UTC by Petr Vobornik
Modified: 2017-08-01 09:50 UTC (History)

Fixed In Version: 4.5.0-13.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:50:15 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-04-25 14:53:25 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6892

CA and KRA replicas can be installed on a replica at a later point in time. The commands ```ipa-ca-install``` and ```ipa-kra-install``` ask for the Directory Manager password, but fail to validate that the password is correct. There is no safe way to recover from a bad password other than complete uninstallation of the entire replica.

```
$ ipa-client-install
...
$ kinit admin
$ ipa-replica-install
...
$ ipa-ca-install
$ ipa-ca-install 
Directory Manager (existing master) password: WrongPassword
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [3/25]: creating installation admin user
  [4/25]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpNKIUbr' returned non-ze1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.
```
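The ordering defect described above (the replication agreement is created before the Directory Manager password is ever checked) and the fixed ordering (a side-effect-free bind check before any install step runs) can be modelled in a few lines. This is an added example, not FreeIPA's own installer code: the LDAP bind against the existing master is simulated by a `FakeMaster` class, and the step names are taken from the session transcript in the description.

```python
"""Fail-fast credential check before an installer makes irreversible changes.

Added example, not FreeIPA code. A real installer would perform a simple
bind as cn=Directory Manager to the existing master over LDAPS; here the
master and its bind are simulated so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

DM_DN = "cn=Directory Manager"


class InvalidDMPasswordError(Exception):
    """Raised when the existing master rejects the Directory Manager password."""


@dataclass
class FakeMaster:
    """Stand-in for the existing master (constructed for this example)."""
    dm_password: str
    # Side effects the installer performs on the master; in the real bug these
    # survive a failed install and are what makes recovery unsafe.
    replication_agreements: List[str] = field(default_factory=list)

    def simple_bind(self, dn: str, password: str) -> bool:
        return dn == DM_DN and password == self.dm_password


def check_dm_password(master: FakeMaster, password: str) -> None:
    """Pre-flight check. A simple bind changes nothing on the master, so it is
    safe to run before any step with side effects. Raises on a bad password."""
    if not master.simple_bind(DM_DN, password):
        raise InvalidDMPasswordError("Directory Manager password is invalid")


def setup_replication(master: FakeMaster, replica_fqdn: str) -> None:
    """Step [2/25] in the transcript: creates a replication agreement on the
    master. This is not undone if a later step fails."""
    master.replication_agreements.append(replica_fqdn)


def configure_ca(master: FakeMaster, dm_password: str) -> None:
    """Step [4/25]: the CA subsystem needs the DM password to bind, so a wrong
    password only surfaces here, after replication has already been set up."""
    if not master.simple_bind(DM_DN, dm_password):
        raise RuntimeError("CA configuration failed.")


Step = Tuple[str, Callable[[], None]]


def _run(steps: List[Step]) -> List[str]:
    """Run steps in order; return the names of the steps that completed."""
    done: List[str] = []
    for name, action in steps:
        action()
        done.append(name)
    return done


def install_ca_buggy(master: FakeMaster, replica: str, dm_password: str) -> List[str]:
    """Ordering as in the bug: side effects first, credential check implicit."""
    return _run([
        ("setting up initial replication", lambda: setup_replication(master, replica)),
        ("configuring certificate server instance", lambda: configure_ca(master, dm_password)),
    ])


def install_ca_fixed(master: FakeMaster, replica: str, dm_password: str) -> List[str]:
    """Fixed ordering: validate the DM password before the first side effect."""
    return _run([
        ("validating Directory Manager password", lambda: check_dm_password(master, dm_password)),
        ("setting up initial replication", lambda: setup_replication(master, replica)),
        ("configuring certificate server instance", lambda: configure_ca(master, dm_password)),
    ])


def demo() -> Tuple[List[str], List[str]]:
    """Wrong password against both orderings; return the agreements each left behind."""
    buggy, fixed = FakeMaster("Secret123"), FakeMaster("Secret123")
    for installer, master in ((install_ca_buggy, buggy), (install_ca_fixed, fixed)):
        try:
            installer(master, "replica.example.test", "WrongPassword")
        except (RuntimeError, InvalidDMPasswordError) as exc:
            print(f"{installer.__name__}: {exc}")
    return buggy.replication_agreements, fixed.replication_agreements


if __name__ == "__main__":
    print(demo())
```

The point of the check is not that it is clever but that it is placed before the first step whose effect outlives a failure: a simple bind is idempotent and leaves nothing on the master, so rejecting the password there costs nothing, whereas the original ordering had already written a replication agreement by the time `pkispawn` noticed the bad credential.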

Comment 2 Petr Vobornik 2017-04-25 14:53:41 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6892

Comment 6 Abhijeet Kasurde 2017-05-26 13:09:42 UTC
Verified using IPA server version :: ipa-server-4.5.0-13.el7.x86_64


[root@ipaserver01 ~]# kdestroy -A
[root@ipaserver01 ~]# ipa-ca-install
Directory Manager (existing master) password:

Directory Manager password is invalid

[root@ipaserver01 ~]# ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/25]: creating certificate server db
  [2/25]: setting up initial replication
[root@ipaserver01 ~]# kdestroy -A
[root@ipaserver01 ~]# ipa-kra-install
Directory Manager password:

Directory Manager password is invalid
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information


Marking BZ as verified.

Comment 7 errata-xmlrpc 2017-08-01 09:50:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

