Description of problem:
When a RHEL system is upgraded to a version which provides the ACME service, ipa-acme-manage enable fails.

Version-Release number of selected component (if applicable):
RHEL8.4

How reproducible:
always

Steps to Reproduce:
1. Install ipa-server on a RHEL8.4 machine
2. Upgrade the ipa-server packages to test-compose (latest)
3. Run ipa-server-upgrade
4. Run ipa-acme-manage enable

Actual results:
ipa-acme-manage enable fails.

[root@master ~]# ipa-acme-manage enable
Failed to authenticate to CA REST API
The ipa-acme-manage command failed.

Expected results:
ipa-acme-manage enable fails.

Additional info:
Upgraded ipa package version: ipa-server-4.9.0-0.1.rc1.module+el8.4.0+8830+62cd648b.x86_64
Upstream ticket: https://pagure.io/freeipa/issue/8603
It looks like the IPA RA user, which is used to authenticate to the CA REST API, isn't added as a member to the Enterprise ACME Administrators group in the CA on upgrades so auth fails.
https://github.com/freeipa/freeipa/pull/5305
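A diagnostic check for the condition described above, added here as an example and not part of the bug report or of FreeIPA: given an LDIF dump of the Dogtag group entry (as ldapsearch would print it), it reports whether the RA agent is listed as a member. The group and agent DNs and the sample LDIF entries are assumptions constructed for the example.

```python
import base64

# Assumed DNs for the example; verify them against your own CA LDAP tree.
ACME_ADMIN_GROUP = "cn=Enterprise ACME Administrators,ou=groups,o=ipaca"
RA_AGENT_DN = "uid=ipara,ou=People,o=ipaca"

# Constructed sample entries: one as seen on a broken upgrade, one after the fix.
# The second folds a long value across two lines, as LDIF output does.
GROUP_WITHOUT_RA = """\
dn: cn=Enterprise ACME Administrators,ou=groups,o=ipaca
objectClass: groupOfUniqueNames
cn: Enterprise ACME Administrators
uniqueMember: uid=admin,ou=People,o=ipaca
"""
GROUP_WITH_RA = GROUP_WITHOUT_RA + "uniqueMember: uid=ipara,ou=People,\n o=ipaca\n"


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles folded continuation lines (leading space) and base64 values (attr::).
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, entry = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn):
    """Case-insensitive, whitespace-insensitive DN comparison key."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ra_agent_in_acme_group(ldif_text, group_dn=ACME_ADMIN_GROUP, agent_dn=RA_AGENT_DN):
    """Return True if the group entry's uniqueMember values include the RA agent."""
    for entry in parse_ldif(ldif_text):
        if normalize_dn(entry.get("dn", [""])[0]) == normalize_dn(group_dn):
            members = {normalize_dn(m) for m in entry.get("uniquemember", [])}
            return normalize_dn(agent_dn) in members
    raise LookupError(f"group entry not found: {group_dn}")
```

A False result on a real dump matches the failure mode in this bug: the CA REST API rejects the RA agent because it is not in the group.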
Fixed upstream master:
81c97bb9928a88a595b3afe6fa70fcfb267b1440
2068c7c472d3548962dfef76b26ac2ff19dec4dd

Fixed upstream ipa-4-9:
https://pagure.io/freeipa/c/0d6caf5d0eae315797b36abfe8444827bdd71fb7
https://pagure.io/freeipa/c/ea67962d5d2b4812234bb6c22c85b7716951b2f9
Tested the below scenario manually using a nightly compose build.

[root@server1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.4 Beta (Ootpa)
[root@server1 ~]# rpm -q ipa-server
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
[root@server1 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
Updating DNS system records
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Profile 'acmeServerCert' is already in LDAP and enabled; skipping
..... ...... ........
Profile 'IECUserRoles' is already in LDAP; skipping
Profile 'KDCs_PKINIT_Certs' is already in LDAP; skipping
Profile 'acmeIPAServerCert' is already in LDAP; skipping
[Add default CA ACL]
[Migrating to authselect profile]
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add root alias to admin account]
Alias already exists
[Setup SPAKE]
[Setup PKINIT]
[Enable server krb5.conf snippet]
[Adding ipa-ca alias to HTTP certificate]
Certificate is OK; nothing to do
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@server1 ~]# ipa-acme-manage enable
The ipa-acme-manage command was successful
[root@server1 ~]# ipa-acme-manage status
ACME is enabled
The ipa-acme-manage command was successful
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846