Hide Forgot
Description of problem: After upgrading top IPA Server 4.5, running ipa-server-upgrade fails with; 2017-08-22T15:37:42Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-XX -L -n Server-Cert -a -f /etc/dirsrv/slapd-XX/pwdfile.txt 2017-08-22T15:37:42Z DEBUG Process finished, return code=255 2017-08-22T15:37:42Z DEBUG stdout= 2017-08-22T15:37:42Z DEBUG stderr=certutil: Could not find cert: Server-Cert Here's a dump of what's in the certificates: certutil -L -d /etc/dirsrv/slapd-XX Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI XX IPA CA CT,C,C digicertRoot CT,, digicert CT,, CN=XX,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US,postalCode=27601,STREET=100 East Davie St.,serialNumber=XX,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization u,u,u The last certificate is the Server-Cert with a different name. Renaming it makes dirsrv@.service fail on start. kinit works. Logging in from the web does not. Version-Release number of selected component (if applicable): How reproducible: I'm only done an upgrade once. Not sure. Steps to Reproduce: yum update on a server running 7.3 with ipa-server which has a signed cert from a 3rd party CA. Actual results: Expected results: Upgrade succeeds. Additional info:
Created attachment 1317129 [details] Cleaned ipaupgrade.log (no server identifying data) Full ipaupgrade.log from failed attempt.
Web UI login doesn't work because upgrader failed early and thus PKINIT, which is required for Web UI password auth, was not configured. Flo, could you check if we have a regression?
The issue happens because upgrade stop and starts tracking httpd/ldap certificates and makes 2 assumptions: - the cert nickname is Server-Cert (which is not always true) - if ca is enabled, the cert must be tracked by certmonger (which is not always true, the cert can be a 3rd part cert even if CA is installed). This is a regression introduced in ipa 4.3 (ie present in rhel 7.3 also)
Upstream ticket: https://pagure.io/freeipa/issue/7141
*** Bug 1488520 has been marked as a duplicate of this bug. ***
Fixed upstream master: https://pagure.io/freeipa/c/87540fe1ef8a191e521ddf1584b4cbebb7dece94
Fixed upstream ipa-4-5: https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/726a8b269c8843e495168deea3a4951c61de0e72
version: ipa-server-4.5.4-6.el7.x86_64 Steps: 1. Install IPA master on RHEL 7.3 machine with --external-ca option 2. Signed the generated csr in 1 from external ca 3. Using signed ipa cert complete installation. 4. Set repo for ipa 4.5 5. yum update ipa* sssd 6. Check upgrade logs i.e /var/log/ipaupgrade.log 7. Check the ipa version 8. Check for ipa services 9. Check for web UI login. Based on above steps upgrade is successful. Web UI login succeed. Thus marking the bug verified.
Created attachment 1363513 [details] automation.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0918