Bug 1484428 - Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade)
Summary: Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade)
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
: 1488520 (view as bug list)
Depends On:
Blocks: 1493153
TreeView+ depends on / blocked
Reported: 2017-08-23 14:43 UTC by Peter Larsen
Modified: 2020-12-14 09:40 UTC (History)
9 users (show)

Fixed In Version: ipa-4.5.0-21.el7.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1493153 (view as bug list)
Last Closed: 2018-04-10 16:46:13 UTC
Target Upstream Version:

Attachments (Terms of Use)
Cleaned ipaupgrade.log (no server identifying data) (899.71 KB, application/x-gzip)
2017-08-23 14:55 UTC, Peter Larsen
no flags Details
automation.log (89.49 KB, text/plain)
2017-12-06 06:40 UTC, Mohammad Rizwan
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0918 0 None None None 2018-04-10 16:47:24 UTC

Description Peter Larsen 2017-08-23 14:43:16 UTC
Description of problem:
After upgrading top IPA Server 4.5, running ipa-server-upgrade fails with;
2017-08-22T15:37:42Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-XX -L -n Server-Cert -a -f /etc/dirsrv/slapd-XX/pwdfile.txt
2017-08-22T15:37:42Z DEBUG Process finished, return code=255
2017-08-22T15:37:42Z DEBUG stdout=
2017-08-22T15:37:42Z DEBUG stderr=certutil: Could not find cert: Server-Cert

Here's a dump of what's in the certificates:
certutil -L -d /etc/dirsrv/slapd-XX
Certificate Nickname                                         Trust Attributes

XX IPA CA                                          CT,C,C
digicertRoot                                                 CT,, 
digicert                                                     CT,, 
CN=XX,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US,postalCode=27601,STREET=100 East Davie St.,serialNumber=XX,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization u,u,u

The last certificate is the Server-Cert with a different name. Renaming it makes dirsrv@.service fail on start.

kinit works. Logging in from the web does not.

Version-Release number of selected component (if applicable):

How reproducible:
I'm only done an upgrade once. Not sure.

Steps to Reproduce:
yum update on a server running 7.3 with ipa-server which has a signed cert from a 3rd party CA.

Actual results:

Expected results:
Upgrade succeeds.

Additional info:

Comment 2 Peter Larsen 2017-08-23 14:55:14 UTC
Created attachment 1317129 [details]
Cleaned ipaupgrade.log (no server identifying data)

Full ipaupgrade.log from failed attempt.

Comment 3 Petr Vobornik 2017-09-01 22:17:51 UTC
Web UI login doesn't work because upgrader failed early and thus PKINIT, which is required for Web UI password auth, was not configured.

Flo, could you check if we have a regression?

Comment 4 Florence Blanc-Renaud 2017-09-04 15:42:00 UTC
The issue happens because upgrade stop and starts tracking httpd/ldap certificates and makes 2 assumptions:
- the cert nickname is Server-Cert (which is not always true)
- if ca is enabled, the cert must be tracked by certmonger (which is not always true, the cert can be a 3rd part cert even if CA is installed).

This is a regression introduced in ipa 4.3 (ie present in rhel 7.3 also)

Comment 5 Florence Blanc-Renaud 2017-09-05 14:24:23 UTC
Upstream ticket:

Comment 6 Florence Blanc-Renaud 2017-09-08 05:46:16 UTC
*** Bug 1488520 has been marked as a duplicate of this bug. ***

Comment 7 Standa Laznicka 2017-09-19 07:36:17 UTC
Fixed upstream

Comment 9 Standa Laznicka 2017-09-19 12:12:43 UTC
Fixed upstream

Comment 11 Tomas Krizek 2017-09-19 13:09:00 UTC
Fixed upstream

Comment 14 Mohammad Rizwan 2017-12-06 06:38:41 UTC

1. Install IPA master on RHEL 7.3 machine with --external-ca option
2. Signed the generated csr in 1 from external ca
3. Using signed ipa cert complete installation.
4. Set repo for ipa 4.5
5. yum update ipa* sssd
6. Check upgrade logs i.e /var/log/ipaupgrade.log
7. Check the ipa version
8. Check for ipa services 
9. Check for web UI login.

Based on above steps upgrade is successful. Web UI login succeed. Thus marking the bug verified.

Comment 15 Mohammad Rizwan 2017-12-06 06:40:30 UTC
Created attachment 1363513 [details]

Comment 18 errata-xmlrpc 2018-04-10 16:46:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.