Description of problem:
After upgrading top IPA Server 4.5, running ipa-server-upgrade fails with;
2017-08-22T15:37:42Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-XX -L -n Server-Cert -a -f /etc/dirsrv/slapd-XX/pwdfile.txt
2017-08-22T15:37:42Z DEBUG Process finished, return code=255
2017-08-22T15:37:42Z DEBUG stdout=
2017-08-22T15:37:42Z DEBUG stderr=certutil: Could not find cert: Server-Cert
Here's a dump of what's in the certificates:
certutil -L -d /etc/dirsrv/slapd-XX
Certificate Nickname Trust Attributes
XX IPA CA CT,C,C
CN=XX,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US,postalCode=27601,STREET=100 East Davie St.,serialNumber=XX,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization u,u,u
The last certificate is the Server-Cert with a different name. Renaming it makes dirsrv@.service fail on start.
kinit works. Logging in from the web does not.
Version-Release number of selected component (if applicable):
I'm only done an upgrade once. Not sure.
Steps to Reproduce:
yum update on a server running 7.3 with ipa-server which has a signed cert from a 3rd party CA.
Created attachment 1317129 [details]
Cleaned ipaupgrade.log (no server identifying data)
Full ipaupgrade.log from failed attempt.
Web UI login doesn't work because upgrader failed early and thus PKINIT, which is required for Web UI password auth, was not configured.
Flo, could you check if we have a regression?
The issue happens because upgrade stop and starts tracking httpd/ldap certificates and makes 2 assumptions:
- the cert nickname is Server-Cert (which is not always true)
- if ca is enabled, the cert must be tracked by certmonger (which is not always true, the cert can be a 3rd part cert even if CA is installed).
This is a regression introduced in ipa 4.3 (ie present in rhel 7.3 also)
*** Bug 1488520 has been marked as a duplicate of this bug. ***
1. Install IPA master on RHEL 7.3 machine with --external-ca option
2. Signed the generated csr in 1 from external ca
3. Using signed ipa cert complete installation.
4. Set repo for ipa 4.5
5. yum update ipa* sssd
6. Check upgrade logs i.e /var/log/ipaupgrade.log
7. Check the ipa version
8. Check for ipa services
9. Check for web UI login.
Based on above steps upgrade is successful. Web UI login succeed. Thus marking the bug verified.
Created attachment 1363513 [details]
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.