Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1754902

Summary: Running ipa-server-install fails when RHEL 7.7 packages are installed on RHEL 7.6
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.7CC: ksiddiqu, pasik, pcech, rcritten, ssidhaye, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.6-12.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:58:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
verification steps with output none

Description Jan Pazdziora (Red Hat) 2019-09-24 10:45:18 UTC 
Description of problem:

When ipa-server-4.6.5-11.el7.x86_64 and its dependencies from RHEL 7.7 are installed on RHEL 7.6 which is not fully up-to-date, ipa-server-install fails.

Version-Release number of selected component (if applicable):

ipa-server-4.6.5-11.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have RHEL 7.6 machine.
2. Point it to RHEL 7.7 repository.
3. Install ipa-server.
4. Run ipa-server-install.

Actual results:

  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
ipapython.admintool: ERROR    CA did not start in 300.0s
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

ipa-server-install passes.

Additional info:

When yum upgrade -y is done before running that ipa-server-install, it passes as well. I suspect nss might be involved. However, if ipa-server or some of its components needs certain other component in a particular version, it should have versioned dependency.
Comment 3 Rob Crittenden 2019-09-24 12:35:02 UTC 
Seems like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1751374
Comment 4 Rob Crittenden 2019-10-31 15:37:40 UTC 
We can't test all possible combinations of package installations. I'm not sure what to do with this. This does not occur on a fully updated installation.
Comment 5 Florence Blanc-Renaud 2020-01-29 16:53:15 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/8141
Comment 6 Florence Blanc-Renaud 2020-01-29 16:54:17 UTC 
I didn't test all possible combinations but saw that using RHEL7.6 + 389-ds-base-1.3.9.1-10.el7.x86_64 fails.
On the other hand RHEL 7.6 + 389-ds-base-1.3.9.1-10.el7.x86_64 + nss-3.44.0-4.el7.x86_64 succeeds.

We should bump the Requires of nss to 3.44 in our ipa.spec file for RHEL 7.7+. Linking this BZ to pagure ticket https://pagure.io/freeipa/issue/8141  #8141 Update nss dependency in the ipa-server rpm
Comment 9 Kaleem 2020-04-02 08:01:50 UTC 
Verified.

Please find the attached file (verified-output.txt) for details.
Comment 10 Kaleem 2020-04-02 08:02:53 UTC 
Created attachment 1675638 [details]
verification steps with output
Comment 11 Kaleem 2020-04-02 08:03:48 UTC 
Setting qe_test_coverage to - as no test/automation required for this.
Comment 14 errata-xmlrpc 2020-09-29 19:58:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: ipa security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3936