Bug 1596629 - ipa-replica-install --setup-kra broken on DL0 with latest version
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Alexander Bokovoy
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1614837
Reported: 2018-06-29 10:28 UTC by Nikhil Dehadrai
Modified: 2019-04-10 03:52 UTC

Fixed In Version: pki-core-10.5.9-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1614837
Environment:
Last Closed: 2018-10-30 11:07:14 UTC
Target Upstream Version:


Attachments
Console_Output _for Verification of Scenario (23.96 KB, text/plain)
2018-08-23 08:11 UTC, Nikhil Dehadrai


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3195 None None None 2018-10-30 11:07:43 UTC

Description Nikhil Dehadrai 2018-06-29 10:28:17 UTC
Description of problem:
ipa-replica-install --setup-kra broken on DL0 with latest version

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA at DL0
2. Setup Replica with KRA at DL0
3. Check ipareplica-install.log

Actual results:
ipa-replica installation fails

Expected results:
ipa-replica-installation with KRA should be successful

Additional info:
The issue is not observed in RHEL75z testing

Comment 6 Florence Blanc-Renaud 2018-07-10 05:09:29 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7627

Comment 7 Florence Blanc-Renaud 2018-07-30 16:02:32 UTC
Bug analysis
------------
Valid bug: yes
Regression: yes
Regression introduction: 389-ds-base-1.3.7 with the 389-ds patch for https://pagure.io/389-ds-base/issue/49599
Affected versions: RHEL 7.6
Use cases (reproduction steps): 
* install replica with KRA in domain level 0:
** install ipa server in dl 0 with ca and kra (--domain-level 0 --setup-kra)
** prepare replica with ipa-replica-prepare
** install replica with ipa-replica-install --setup-ca --setup-kra /path/to/replica-file

Cause: pkispawn is failing when configuring the replication for CA.
During repl setup, pkispawn is reading the attribute nsds5replicaLastInitStatus in cn=masterAgreement1-$hostname-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config in order to find the replication status.
The new format (in 389-ds-base-1.3.7) for this attribute is "Error (0) Total update succeeded" but pkispawn is expecting "0 Total update succeeded" (see https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java#L2028).

Consequence: ipa-server-install fails in pkispawn step.
Workaround: None

Due to the above analysis, I am moving this issue to pki-core component.
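
Added example (not part of the comment above and not the pki-core patch): a tolerant parser for the two nsds5replicaLastInitStatus layouts quoted in comment 7, which treats anything it cannot parse as "not succeeded". The function names, the strict_old_check stand-in and the failure samples are assumptions constructed for illustration.

```python
import re

# Old layout: "0 Total update succeeded"
# New layout (389-ds-base-1.3.7): "Error (0) Total update succeeded"
# Both strings are the ones quoted in comment 7.
_OLD = re.compile(r"^(-?\d+)\s+(.*)$")
_NEW = re.compile(r"^Error\s*\((-?\d+)\)\s*(.*)$")


def parse_init_status(value):
    """Return (code, message) from nsds5replicaLastInitStatus, or None."""
    if not value:
        return None  # attribute absent or empty: status not known yet
    text = value.strip()
    for pattern in (_NEW, _OLD):
        m = pattern.match(text)
        if m:
            return int(m.group(1)), m.group(2)
    return None  # unknown layout: the caller must not assume success


def strict_old_check(value):
    """Hypothetical stand-in for a check that only knows the old layout."""
    return bool(value) and value.startswith("0 ")


def init_succeeded(value):
    """Success only when a numeric code was parsed and it equals 0."""
    parsed = parse_init_status(value)
    return parsed is not None and parsed[0] == 0


if __name__ == "__main__":
    samples = [
        "0 Total update succeeded",             # old layout, from comment 7
        "Error (0) Total update succeeded",     # new layout, from comment 7
        "Error (-1) constructed failure text",  # constructed sample
        "constructed text without a code",      # constructed sample
        None,                                   # attribute not present
    ]
    for s in samples:
        print(repr(s), "strict:", strict_old_check(s),
              "tolerant:", init_succeeded(s))
```

The strict check rejects the new-layout success string, which is the mismatch the analysis describes; the tolerant check accepts both layouts and still reports failure for non-zero codes or text it does not recognise.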

Comment 8 Alexander Bokovoy 2018-08-02 07:44:10 UTC
I sent two pull requests for master and 10.5 branches:
https://github.com/dogtagpki/pki/pull/20 and https://github.com/dogtagpki/pki/pull/21

Please review and commit. We need this fixed pretty fast.

Comment 9 Fraser Tweedale 2018-08-02 15:19:16 UTC
Thanks Alexander; patches merged:

master: 8147769f8bc8a41afa77dfcd97464dc736d61935
DOGTAG_10_5_BRANCH: 151ecf63106425cada104d141a81722570ba2b28

I guess we need to collect some ACKs and then someone (Matt?)
will build a build.

Comment 10 Tibor Dudlák 2018-08-09 12:18:10 UTC
Hello, 

Is there something I can do to unblock this issue?

Comment 11 Alexander Bokovoy 2018-08-09 12:43:40 UTC
Looks like this is already merged and available in 10.6.5.

Comment 16 Nikhil Dehadrai 2018-08-13 14:36:52 UTC
ipa-server: ipa-4.6.4.5.el7

Verified that the ipa-replica-installation with KRA at DL0 is successful and the error mentioned in the bug is no longer observed.

Thus marking the status of bug to 'VERIFIED'.

Comment 18 Nikhil Dehadrai 2018-08-23 08:11:27 UTC
Created attachment 1478095
Console_Output _for Verification of Scenario

Comment 21 errata-xmlrpc 2018-10-30 11:07:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195

