RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1484428 - Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade)
Summary: Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
: 1488520 (view as bug list)
Depends On:
Blocks: 1493153
TreeView+ depends on / blocked
 
Reported: 2017-08-23 14:43 UTC by Peter Larsen
Modified: 2020-12-14 09:40 UTC (History)
9 users (show)

Fixed In Version: ipa-4.5.0-21.el7.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1493153 (view as bug list)
Environment:
Last Closed: 2018-04-10 16:46:13 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Cleaned ipaupgrade.log (no server identifying data) (899.71 KB, application/x-gzip)
2017-08-23 14:55 UTC, Peter Larsen 		no flags Details
automation.log (89.49 KB, text/plain)
2017-12-06 06:40 UTC, Mohammad Rizwan 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0918 0 None None None 2018-04-10 16:47:24 UTC

Description Peter Larsen 2017-08-23 14:43:16 UTC 
Description of problem:
After upgrading top IPA Server 4.5, running ipa-server-upgrade fails with;
2017-08-22T15:37:42Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-XX -L -n Server-Cert -a -f /etc/dirsrv/slapd-XX/pwdfile.txt
2017-08-22T15:37:42Z DEBUG Process finished, return code=255
2017-08-22T15:37:42Z DEBUG stdout=
2017-08-22T15:37:42Z DEBUG stderr=certutil: Could not find cert: Server-Cert

Here's a dump of what's in the certificates:
certutil -L -d /etc/dirsrv/slapd-XX
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XX IPA CA                                          CT,C,C
digicertRoot                                                 CT,, 
digicert                                                     CT,, 
CN=XX,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US,postalCode=27601,STREET=100 East Davie St.,serialNumber=XX,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization u,u,u

The last certificate is the Server-Cert with a different name. Renaming it makes dirsrv@.service fail on start.

kinit works. Logging in from the web does not.

Version-Release number of selected component (if applicable):


How reproducible:
I'm only done an upgrade once. Not sure.

Steps to Reproduce:
yum update on a server running 7.3 with ipa-server which has a signed cert from a 3rd party CA.

Actual results:


Expected results:
Upgrade succeeds.

Additional info:
Comment 2 Peter Larsen 2017-08-23 14:55:14 UTC 
Created attachment 1317129 [details]
Cleaned ipaupgrade.log (no server identifying data)

Full ipaupgrade.log from failed attempt.
Comment 3 Petr Vobornik 2017-09-01 22:17:51 UTC 
Web UI login doesn't work because upgrader failed early and thus PKINIT, which is required for Web UI password auth, was not configured.

Flo, could you check if we have a regression?
Comment 4 Florence Blanc-Renaud 2017-09-04 15:42:00 UTC 
The issue happens because upgrade stop and starts tracking httpd/ldap certificates and makes 2 assumptions:
- the cert nickname is Server-Cert (which is not always true)
- if ca is enabled, the cert must be tracked by certmonger (which is not always true, the cert can be a 3rd part cert even if CA is installed).

This is a regression introduced in ipa 4.3 (ie present in rhel 7.3 also)
Comment 5 Florence Blanc-Renaud 2017-09-05 14:24:23 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7141
Comment 6 Florence Blanc-Renaud 2017-09-08 05:46:16 UTC 
*** Bug 1488520 has been marked as a duplicate of this bug. ***
Comment 7 Standa Laznicka 2017-09-19 07:36:17 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/87540fe1ef8a191e521ddf1584b4cbebb7dece94
Comment 9 Standa Laznicka 2017-09-19 12:12:43 UTC 
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
Comment 11 Tomas Krizek 2017-09-19 13:09:00 UTC 
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/726a8b269c8843e495168deea3a4951c61de0e72
Comment 14 Mohammad Rizwan 2017-12-06 06:38:41 UTC 
version:
ipa-server-4.5.4-6.el7.x86_64

Steps:
1. Install IPA master on RHEL 7.3 machine with --external-ca option
2. Signed the generated csr in 1 from external ca
3. Using signed ipa cert complete installation.
4. Set repo for ipa 4.5
5. yum update ipa* sssd
6. Check upgrade logs i.e /var/log/ipaupgrade.log
7. Check the ipa version
8. Check for ipa services 
9. Check for web UI login.

Based on above steps upgrade is successful. Web UI login succeed. Thus marking the bug verified.
Comment 15 Mohammad Rizwan 2017-12-06 06:40:30 UTC 
Created attachment 1363513 [details]
automation.log
Comment 18 errata-xmlrpc 2018-04-10 16:46:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918
Note You need to log in before you can comment on or make changes to this bug.