Bug 1512482
| Summary: | kra install fails after ipa cert renewed | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Mohammad Rizwan <myusuf> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | amore, frenaud, ftweedal, lmiksik, nsoman, pasik, pvoborni, rcritten, tscherf |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.5.4-7.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-10 16:48:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
console output:

Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpOgUGVY' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.
KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

I'm not sure that the issue is with the ca-agent, it may be a red herring. The way to know for sure would be to do the same steps except for the last one: don't set time past the ca-agent expiration. Then try the KRA install.

I see connection failures to 636 in the KRA debug log but it's hard to correlate by time to errors in the DS log. I see some TLS connections around the same time but no explicit failures. All sorts of stuff fails to install because of the failed connections to port 636.

I tried by not setting time past the ca-agent expiration and it failed with the same error on both 7.4 and 7.3.

I reproduced the issue in 2 scenarios:
- the one described in this bug
- the one proposed by Rob, i.e. advancing time to renew the certs but staying in the validity period when launching ipa-kra-install.
This means that the ca-agent.p12 cert validity is probably not the issue. Looking into it further...

There may be two issues here. Ade and I are looking into it.

master:
6a8c847 Don't use admin cert during KRA installation
ipa-4-6:
ca571cf Don't use admin cert during KRA installation
ipa-4-5:
64ebd36 Don't use admin cert during KRA installation
Upstream ticket: https://pagure.io/freeipa/issue/7288

master:
2546ef6 Prevent set_directive from clobbering other keys
1b04718 pep8: reduce line lengths in CAInstance.__enable_crl_publish
c77f3a5 installutils: refactor set_directive
f688b5d Add tests for installutils.set_directive
f4001e1 Add safe DirectiveSetter context manager
ipa-4-6:
fd316b9 Prevent set_directive from clobbering other keys
7a29a5d pep8: reduce line lengths in CAInstance.__enable_crl_publish
241b83d installutils: refactor set_directive
808b143 Add tests for installutils.set_directive
342a141 Add safe DirectiveSetter context manager
ipa-4-5:
c60fcac Prevent set_directive from clobbering other keys
929491d pep8: reduce line lengths in CAInstance.__enable_crl_publish
a1a5853 installutils: refactor set_directive
d3af8f6 Add tests for installutils.set_directive
a70ce13 Add safe DirectiveSetter context manager
1b87101 Old pylint doesn't support bad python3 option
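The second batch of commits above (preventing set_directive from clobbering other keys, and the DirectiveSetter context manager) concerns editing key=value lines in a Dogtag CS.cfg-style file. The block below is an added illustration written for this page of that class of bug; it is not FreeIPA's installutils code. It puts a prefix-matching editor, which rewrites every key that merely begins with the directive, next to an exact-key editor wrapped in a context manager that batches edits and commits them with one atomic rename. The SAMPLE_CFG key names (notably ca.connector.KRA.enableStrict and ca.connector.KRA.port) and the helper names are constructed for the demo.

```python
"""Exact-key vs prefix-matched editing of a CS.cfg-style key=value file.

Added illustration, not FreeIPA code. Key names below are constructed.
"""
import os
import stat
import tempfile
from contextlib import contextmanager

# Constructed sample. The third key starts with the second one, which is
# exactly what a prefix match gets wrong.
SAMPLE_CFG = (
    "ca.publish.enable=false\n"
    "ca.connector.KRA.enable=false\n"
    "ca.connector.KRA.enableStrict=true\n"
    "ca.connector.KRA.host=kra.example.test\n"
)


def set_directive_prefix(text, directive, value):
    """Naive editor: a line matches if it merely starts with the directive.

    Setting ca.connector.KRA.enable also rewrites the
    ca.connector.KRA.enableStrict line, so that key silently disappears.
    """
    out = []
    for line in text.splitlines(keepends=True):
        if line.lstrip().startswith(directive):
            out.append("%s=%s\n" % (directive, value))
        else:
            out.append(line)
    return "".join(out)


def set_directive_exact(text, directive, value, separator="="):
    """Editor that compares the whole key up to the separator.

    Replaces every line whose key equals `directive`, appends the key when
    it is absent, and removes it when `value` is None.
    """
    out = []
    found = False
    for line in text.splitlines(keepends=True):
        key, sep, _ = line.partition(separator)
        if sep and key.strip() == directive:
            found = True
            if value is not None:
                out.append("%s%s%s\n" % (directive, separator, value))
        else:
            out.append(line)
    if not found and value is not None:
        out.append("%s%s%s\n" % (directive, separator, value))
    return "".join(out)


def parse_cfg(text, separator="="):
    """Return the key -> value mapping of a key=value file (last one wins)."""
    result = {}
    for line in text.splitlines():
        key, sep, val = line.partition(separator)
        if sep:
            result[key.strip()] = val.strip()
    return result


@contextmanager
def directive_setter(path, separator="="):
    """Batch exact-key edits and commit them with a single atomic rename.

    The file is read once, edited in memory, written to a temp file in the
    same directory with the original permission bits, then swapped in with
    os.replace. If the with-body raises, nothing is written at all.
    """
    with open(path) as f:
        state = {"text": f.read()}
    mode = stat.S_IMODE(os.stat(path).st_mode)

    def setter(directive, value):
        state["text"] = set_directive_exact(state["text"], directive, value, separator)

    yield setter  # an exception in the body propagates here; no write happens
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(state["text"])
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Apply the same edit both ways; return (clobbered, fixed) as dicts."""
    clobbered = parse_cfg(
        set_directive_prefix(SAMPLE_CFG, "ca.connector.KRA.enable", "true"))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "CS.cfg")
        with open(path, "w") as f:
            f.write(SAMPLE_CFG)
        with directive_setter(path) as set_directive:
            set_directive("ca.connector.KRA.enable", "true")
            set_directive("ca.connector.KRA.port", "443")  # absent key: appended
        with open(path) as f:
            fixed = parse_cfg(f.read())
    return clobbered, fixed


if __name__ == "__main__":
    before, after = demo()
    print("prefix match lost enableStrict:", "ca.connector.KRA.enableStrict" not in before)
    print("exact match kept it:", after.get("ca.connector.KRA.enableStrict"))
```

The exact-key form is the one to keep: a config file used by a running CA has many keys sharing a dotted prefix, and a lost key is not reported by anything until a later installer step, such as the KRA's connector setup, trips over the missing value.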
Verified using IPA version: ipa-server-4.5.4-7.el7.x86_64
Marking BZ as verified. Please see attachment for console log.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:0918

upstream test added:
master: https://pagure.io/freeipa/c/b7ae9f7a3f577a61c97953da7e65d09349053380

upstream test added:
ipa-4-7: https://pagure.io/freeipa/c/f3822726a630b77508801c00e59dfc1afaec549d
Description of problem:
kra install fails after ipa cert renewed

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-22.el7_4.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install ipa master
2. get expiration date from /root/ca-agent.p12
   - openssl pkcs12 -in ca-agent.p12 -out ca-agent.pem -nodes
   - openssl x509 -in ca-agent.pem -noout -enddate
3. move date forward to 20 days before ca-agent.p12 expires
4. wait for certs to be renewed (watch with getcert list)
5. move date to 3 days after ca-agent.p12 expired (i.e. 3 days after date from step 2).
6. ipa-kra-install

Actual results:

Expected results:
ipa kra install success

Additional info:
ipa kra install failed