Description of problem:
kra install fails after ipa cert renewed
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install ipa master
2. get expiration date from /root/ca-agent.p12
- openssl pkcs12 -in ca-agent.p12 -out ca-agent.pem -nodes
- openssl x509 -in ca-agent.pem -noout -enddate
3. move date forward to 20 days before ca-agent.p12 expires
4. wait for certs to be renewed (watch with getcert list)
5. move date to 3 days after ca-agent.p12 expired (i.e., 3 days after the date from step 2).
ipa kra install success
ipa kra install failed
Console output:
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
[1/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpOgUGVY' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
[error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.
KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
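The clock manipulation in the reproducer above, written out as an added shell example (not code from the bug report or from the FreeIPA project): it derives the two target clock values (20 days before the ca-agent.p12 expiry and 3 days after it) from the certificate's notAfter, and counts certmonger requests that are not yet back in MONITORING so step 4 can be polled. It assumes openssl and GNU date are on the path, that the PKCS#12 password is empty (adjust -passin otherwise), and that the output of getcert list is piped into pending_renewals.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumes openssl and GNU date.
set -eu

# Print the notAfter line of the first certificate in a PKCS#12 bundle.
# Assumes an empty bundle password; pass a different -passin if needed.
p12_enddate() {
    openssl pkcs12 -in "$1" -nokeys -passin pass: 2>/dev/null \
      | openssl x509 -noout -enddate
}

# Convert "notAfter=Jan  5 12:00:00 2027 GMT" (openssl's format) to epoch seconds.
enddate_to_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# Offsets used by the reproducer: 20 days before expiry (renewal window),
# 3 days after expiry (the failing case).
before_renew() { echo $(( $1 - 20 * 86400 )); }
after_expiry() { echo $(( $1 + 3 * 86400 )); }

# Render an epoch value in the form `date -s` accepts.
as_date() { date -u -d "@$1" '+%Y-%m-%d %H:%M:%S'; }

# Count tracked certificates whose status is not MONITORING, reading
# `getcert list` output on stdin; 0 means renewal has finished.
pending_renewals() {
    grep -E '^[[:space:]]*status:' | grep -vc 'MONITORING' || true
}

# Usage on the IPA master (as root; not run when this file is sourced):
#   exp=$(enddate_to_epoch "$(p12_enddate /root/ca-agent.p12)")
#   date -s "$(as_date "$(before_renew "$exp")")"   # step 3
#   getcert list | pending_renewals                  # step 4: poll until 0
#   date -s "$(as_date "$(after_expiry "$exp")")"    # step 5
```

Polling pending_renewals rather than eyeballing getcert list makes step 4 deterministic: certmonger moves each request through CA_WORKING/SUBMITTING and back to MONITORING, so a count of 0 is the signal that the renewal step is complete before the clock is moved again.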
I'm not sure that the issue is with the ca-agent, it may be a red herring. The way to know for sure would be to do the same steps except for the last one: don't set the time past the ca-agent expiration. Then try the KRA install.
I see connection failures to 636 in the KRA debug log but it's hard to correlate by time to errors in the DS log. I see some TLS connections around the same time but no explicit failures. All sorts of stuff fails to install because of the failed connections to port 636.
I tried without setting the time past the ca-agent expiration and it failed with the same error on both 7.4 and 7.3.
I reproduced the issue in 2 scenarios:
- the one described in this bug
- the one proposed by Rob, i.e., advancing time to renew the certs but staying within the validity period when launching ipa-kra-install.
This means that the ca-agent.p12 cert validity is probably not the issue. Looking into it further...
There may be two issues here. Ade and I are looking into it.
6a8c847 Don't use admin cert during KRA installation
ca571cf Don't use admin cert during KRA installation
64ebd36 Don't use admin cert during KRA installation
2546ef6 Prevent set_directive from clobbering other keys
1b04718 pep8: reduce line lengths in CAInstance.__enable_crl_publish
c77f3a5 installutils: refactor set_directive
f688b5d Add tests for installutils.set_directive
f4001e1 Add safe DirectiveSetter context manager
fd316b9 Prevent set_directive from clobbering other keys
7a29a5d pep8: reduce line lengths in CAInstance.__enable_crl_publish
241b83d installutils: refactor set_directive
808b143 Add tests for installutils.set_directive
342a141 Add safe DirectiveSetter context manager
c60fcac Prevent set_directive from clobbering other keys
929491d pep8: reduce line lengths in CAInstance.__enable_crl_publish
a1a5853 installutils: refactor set_directive
d3af8f6 Add tests for installutils.set_directive
a70ce13 Add safe DirectiveSetter context manager
1b87101 Old pylint doesn't support bad python3 option
Verified using IPA version:
Marking BZ as verified. Please see attachment for console log.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
upstream test added: