Bug 2006070 - Upgrades incorrectly add secret attribute to connectors
Summary: Upgrades incorrectly add secret attribute to connectors
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.5
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Endi Sukma Dewata
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-20 19:53 UTC by Rob Crittenden
Modified: 2022-05-10 14:22 UTC (History)

Fixed In Version: pki-core-10.6-8060020211115121442.7e0b02f6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-10 13:51:03 UTC
Type: Bug
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCS-2600 0 None None None 2021-11-11 15:18:20 UTC
Red Hat Issue Tracker RHELPLAN-97678 0 None None None 2021-09-20 19:53:55 UTC
Red Hat Product Errata RHSA-2022:1851 0 None None None 2022-05-10 13:51:29 UTC

Description Rob Crittenden 2021-09-20 19:53:10 UTC
Description of problem:

tomcat 9.0.31.0 changed a connector attribute name from requiredSecret to secret. See https://tomcat.apache.org/connectors-doc/reference/workers.html

PKI unconditionally adds a new "secret" attribute to the connectors in server.xml regardless of version. I don't know what is adding it but it appears immediately after IPA installation is complete.

It looks like:

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" secret="2Xtgn097JIuohy3TUEwzBG2FAPdss53o3bA8dZ7xrG54" name="Connector1" requiredSecret="1FwAWAHDSQ040Mf7Iy1y2JhXASsBMWecFHwn933HpWoX"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" secret="2Xtgn097JIuohy3TUEwzBG2FAPdss53o3bA8dZ7xrG54" name="Connector2" requiredSecret="1FwAWAHDSQ040Mf7Iy1y2JhXASsBMWecFHwn933HpWoX"/>

Some users of CentOS Stream 8 have reported authentication issues with the CA. They reported that after removing the secret value and ensuring that requiredSecret matches the IPA configuration, their CA works again.

For IPA the secret value needs to match the Apache configuration in /etc/ipa/ipa-pki-proxy.conf.

I haven't been able to reproduce in RHEL. Still, it is probably not valid to have both of these values set at the same time (and they appear to have differing secrets, which I don't know is good or bad).

Not sure if this is related, but there appears to have been an error in the refactoring of commit https://github.com/dogtagpki/pki/commit/e70373ab131aba810f318c1d917896392b49ff4b

The version conditional was lost. The requiredSecret -> secret conversion should not be done in versions lower than 9.0.31.0.

Version-Release number of selected component (if applicable):

pki-server-10.11.0-2.module+el8.5.0+12220+9cc212a8.noarch
ipa-server-4.9.6-4.module+el8.5.0+11912+1b4496cf.x86_64

Steps to Reproduce:
1. ipa-server-install <options>
2. pki-server upgrade
3. grep secret /etc/pki/pki-tomcat/server.xml
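The version-aware requiredSecret -> secret migration the report says was lost, plus a check that each AJP connector's effective secret still matches the IPA proxy configuration, as an added example (not pki-server's or freeipa's own code; the proxy line format is assumed and all sample values are constructed):

```python
# Added example (not pki-server's or IPA's own code): version-aware
# requiredSecret -> secret migration for AJP connectors, plus a sync check against
# the 'secret=' values in the IPA proxy config (line format assumed; samples constructed).
import re
import xml.etree.ElementTree as ET

SECRET_RENAMED_IN = (9, 0, 31)  # Tomcat release that renamed the attribute

def parse_version(text):
    """'9.0.31.0' -> (9, 0, 31, 0); tuples compare component-wise."""
    return tuple(int(p) for p in text.split("."))

def ajp_connectors(root):
    return [c for c in root.iter("Connector") if c.get("protocol", "").startswith("AJP/")]

def migrate_connectors(server_xml, tomcat_version):
    """Return (new_xml, findings). Tomcat >= 9.0.31: requiredSecret is moved to
    secret. Older Tomcat: nothing is renamed and secret is never added. Both
    attributes with different values: left alone and reported, since guessing
    which one the IPA proxy uses would produce 403s."""
    root = ET.fromstring(server_xml)
    rename = parse_version(tomcat_version) >= SECRET_RENAMED_IN
    findings = []
    for conn in ajp_connectors(root):
        name = conn.get("name", conn.get("port"))
        old, new = conn.get("requiredSecret"), conn.get("secret")
        if old is not None and new is not None and old != new:
            findings.append(f"{name}: secret and requiredSecret differ")
        elif rename and old is not None:
            conn.set("secret", old)            # same value, new attribute name
            del conn.attrib["requiredSecret"]
            findings.append(f"{name}: renamed requiredSecret to secret")
        elif not rename and new is not None:
            findings.append(f"{name}: 'secret' unsupported on Tomcat {tomcat_version}")
    return ET.tostring(root, encoding="unicode"), findings

def out_of_sync(server_xml, proxy_conf):
    """Names of AJP connectors whose effective secret is not a 'secret=' value
    in the proxy config, i.e. connectors that would answer IPA with 403."""
    proxy = set(re.findall(r"\bsecret=(\S+)", proxy_conf))
    return sorted(c.get("name") for c in ajp_connectors(ET.fromstring(server_xml))
                  if (c.get("secret") or c.get("requiredSecret")) not in proxy)

SAMPLE_XML = """<Server><Service>
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" name="Connector1"
 secret="NEWSECRET" requiredSecret="OLDSECRET"/>
<Connector port="8009" protocol="AJP/1.3" address="::1" name="Connector2"
 requiredSecret="OLDSECRET"/></Service></Server>"""  # constructed sample
SAMPLE_PROXY = "ProxyPassMatch ^/ca/ ajp://localhost:8009 secret=OLDSECRET\n"
```

With the sample above, Connector1 reproduces the reported state (both attributes, differing values) and is flagged as out of sync with the proxy secret rather than being silently rewritten.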

Comment 2 Endi Sukma Dewata 2021-10-01 16:42:59 UTC
Does CentOS Stream 8 work like RHEL 8? We only test against RHEL 8, and in RHEL 8 we assume there is only one Tomcat version per PKI version, so the version check was not necessary.

Instead of restoring the version check and having to support multiple Tomcat versions, can we simply require tomcat >= 9.0.31 and drop the requiredSecret?

Also note that the above commit doesn't change the upgrade behavior, i.e. replacing requiredSecret with secret, so I'm not sure how it ends up with both. Does IPA modify any of these attributes in server.xml?

Comment 3 Rob Crittenden 2021-10-01 18:18:12 UTC
I guess as long as that version of tomcat is available it's fine to set it as the minimum.

IPA also upgrades these settings in https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L351 and it needs to keep the secrets in sync with its proxy configuration otherwise most CA requests fail with a 403.

I wasn't able to reproduce the behavior, but at least three freeIPA users reported that they had both values set, with different secrets. IPA tries to honor existing secrets so it's very possible it got confused by seeing both values, but like I said, I tried that and it worked for me.

Comment 7 Endi Sukma Dewata 2021-11-04 17:19:58 UTC
Fixed in v10.12 branch (PKI 10.12):
https://github.com/dogtagpki/pki/commit/b8e81c9f274feb800b8ccbd12480d62b88663fe1

Fixed in master branch (PKI 11.1):
https://github.com/dogtagpki/pki/commit/8e8b9a920055b35c1e7e577ac212084a41acb12a

Comment 16 Sudhir Menon 2022-01-17 14:06:23 UTC
Marking the bugzilla verified using

ipa-server-4.9.8-2.module+el8.6.0+13621+937b8cd9.x86_64.rpm
pki-ca-10.12.0-0.1.module+el8.6.0+13291+248751b1.noarch

[root@server yum.repos.d]# pki-server upgrade --verbose
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Upgrading PKI server pki-tomcat
INFO: Setting pki-tomcat instance tracker to version 10.12.0

[root@server yum.repos.d]# grep secret /etc/pki/pki-tomcat/server.xml
[root@server yum.repos.d]# grep requiredSecret /etc/pki/pki-tomcat/server.xml
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" requiredSecret="0Yl54vh2WQ04lJ9SVObvdPrcm7nnrF2NOmJChVK7nuPA" name="Connector1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" requiredSecret="0Yl54vh2WQ04lJ9SVObvdPrcm7nnrF2NOmJChVK7nuPA" name="Connector2"/>

[root@server yum.repos.d]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

[root@server yum.repos.d]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Comment 18 errata-xmlrpc 2022-05-10 13:51:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1851

