Description of problem:
tomcat 184.108.40.206 changed a connector attribute name from requiredSecret to secret. See https://tomcat.apache.org/connectors-doc/reference/workers.html
PKI unconditionally adds a new "secret" attribute to the connectors in server.xml regardless of version. I don't know what is adding it but it appears immediately after IPA installation is complete.
It looks like:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" secret="2Xtgn097JIuohy3TUEwzBG2FAPdss53o3bA8dZ7xrG54" name="Connector1" requiredSecret="1FwAWAHDSQ040Mf7Iy1y2JhXASsBMWecFHwn933HpWoX"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" secret="2Xtgn097JIuohy3TUEwzBG2FAPdss53o3bA8dZ7xrG54" name="Connector2" requiredSecret="1FwAWAHDSQ040Mf7Iy1y2JhXASsBMWecFHwn933HpWoX"/>
Some users of CentOS Stream 8 have reported authentication issues with the CA. They reported that removing the secret value and ensuring that requiredSecret matches the IPA configuration their CA works again.
For IPA the secret value needs to match the Apache configuration in /etc/ipa/ipa-pki-proxy.conf.
I haven't been able to reproduce in RHEL. Still, it is probably not valid to have both of these values set at the same time (and they appear to have differing secrets which I don't know is good or bad).
Not sure if this is related but there appears to have been an error in refactoring of commit https://github.com/dogtagpki/pki/commit/e70373ab131aba810f318c1d917896392b49ff4b
The version conditional was lost. The requiredSecret -> secret conversion should not be done in versions lower than 220.127.116.11.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ipa-server-install <options>
2. pki-server upgrade
3. grep secret /etc/pki/pki-tomcat/server.xml
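As an added example (not code from the PKI or FreeIPA projects), the check a defender would run after the steps above: parse the AJP connectors in server.xml, flag any connector that carries both requiredSecret and secret, and compare every value present against the secret the IPA proxy configuration uses. The server.xml and ipa-pki-proxy.conf fragments are constructed, and the assumption that the proxy file passes the shared secret as a "secret=..." parameter on its ProxyPass* directives is mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment reproducing the state from the report:
# each AJP connector carries both attributes, with different values.
BROKEN_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1"
               secret="NEWSECRET" name="Connector1" requiredSecret="OLDSECRET"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1"
               secret="NEWSECRET" name="Connector2" requiredSecret="OLDSECRET"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  </Service>
</Server>"""

# Constructed fragment in the repaired state: only requiredSecret, matching the proxy.
FIXED_SERVER_XML = BROKEN_SERVER_XML.replace(' secret="NEWSECRET"', "")

# Constructed ipa-pki-proxy.conf fragment.  Assumption: the file passes the
# shared AJP secret as a "secret=..." parameter on its ProxyPass* directives.
PROXY_CONF = """# constructed sample
ProxyPassMatch ^/ca/rest/account/login ajp://localhost:8009 secret=OLDSECRET
ProxyPassMatch ^/ca/ee/ca/checkRequest ajp://localhost:8009 secret=OLDSECRET
"""

SECRET_PARAM = re.compile(r"\bsecret=(\S+)")
SECRET_ATTRS = ("secret", "requiredSecret")


def ajp_connectors(server_xml):
    """Yield (name, {attr: value}) for every AJP/1.3 Connector element."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("protocol") != "AJP/1.3":
            continue
        present = {a: conn.get(a) for a in SECRET_ATTRS if conn.get(a) is not None}
        yield conn.get("name", "<unnamed>"), present


def proxy_secrets(proxy_conf):
    """Return the set of distinct AJP secrets the Apache proxy config uses."""
    found = set()
    for line in proxy_conf.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SECRET_PARAM.search(line)
        if m:
            found.add(m.group(1))
    return found


def audit(server_xml, proxy_conf):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    expected = proxy_secrets(proxy_conf)
    if len(expected) != 1:
        findings.append("proxy config does not define exactly one AJP secret")
    for name, present in ajp_connectors(server_xml):
        if not present:
            findings.append(f"{name}: no AJP secret configured")
            continue
        if len(present) == 2:
            # Both attributes on one connector: which value Tomcat ends up
            # enforcing is not obvious, so treat the pair as a misconfiguration.
            findings.append(f"{name}: both secret and requiredSecret set")
        for attr, value in present.items():
            if value not in expected:
                findings.append(f"{name}: {attr} does not match proxy config")
    return findings


if __name__ == "__main__":
    for label, xml in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(label, audit(xml, PROXY_CONF) or "OK")
```

On a real host, read /etc/pki/pki-tomcat/server.xml and /etc/ipa/ipa-pki-proxy.conf into the two arguments of audit(); any finding naming a connector explains the 403s from the CA, since Apache and Tomcat are then negotiating AJP with different secrets.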
Does CentOS Stream 8 work like RHEL 8? We only test against RHEL 8, and in RHEL 8 we assume there is only one Tomcat version per PKI version, so the version check was not necessary.
Instead of restoring the version check and having to support multiple Tomcat versions, can we simply require tomcat >= 9.0.31 and drop the requiredSecret?
Also note that the above commit doesn't change the upgrade behavior, i.e. replacing requiredSecret with secret, so I'm not sure how it ends up with both. Does IPA modify any of these attributes in server.xml?
I guess as long as that version of tomcat is available it's fine to set it as the minimum.
IPA also upgrades these settings in https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L351 and it needs to keep the secrets in sync with its proxy configuration otherwise most CA requests fail with a 403.
I wasn't able to reproduce the behavior, but at least three freeIPA users reported that they had both values set, with different secrets. IPA tries to honor existing secrets, so it's very possible it got confused by seeing both values, but like I said, I tried that and it worked for me.
Fixed in v10.12 branch (PKI 10.12):
Fixed in master branch (PKI 11.1):
Marking the bugzilla verified using
[root@server yum.repos.d]# pki-server upgrade --verbose
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Upgrading PKI server pki-tomcat
INFO: Setting pki-tomcat instance tracker to version 10.12.0
[root@server yum.repos.d]# grep secret /etc/pki/pki-tomcat/server.xml
[root@server yum.repos.d]# grep requiredSecret /etc/pki/pki-tomcat/server.xml
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" requiredSecret="0Yl54vh2WQ04lJ9SVObvdPrcm7nnrF2NOmJChVK7nuPA" name="Connector1"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" requiredSecret="0Yl54vh2WQ04lJ9SVObvdPrcm7nnrF2NOmJChVK7nuPA" name="Connector2"/>
[root@server yum.repos.d]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@server yum.repos.d]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: pki-core:10.6 security and bug fix update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.