Bug 2274188 - With IPA, backup-restore using LMDB backend breaks CA functionality
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: 389-ds-base
Version: 40
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: thierry bordaz
QA Contact: Fedora Extras Quality Assurance
Whiteboard: sync-to-jira
Reported: 2024-04-09 15:46 UTC by Florence Blanc-Renaud
Modified: 2024-04-23 16:41 UTC (History)

Fixed In Version: 389-ds-base-3.0.2-1.fc40
Doc Type: If docs needed, set a value
Last Closed: 2024-04-23 16:41:29 UTC
Type: ---

Links
Red Hat Issue Tracker: IDMDS-4305 (last updated 2024-04-10 07:22:22 UTC)

Description Florence Blanc-Renaud 2024-04-09 15:46:41 UTC
On Fedora 40, doing ipa-backup / uninstall server / ipa-restore breaks the CA functionality.

The issue happens with 389-ds-base-3.0.1-2.fc40.x86_64.
After backup/restore, we noted multiple issues:
- running "ipa cert-find" on the server does not return any entry although 10 certs were returned before ipa-backup
- the installation of a replica with a CA instance fails

Reproducible: Always

Steps to Reproduce:
0. Enable the nightly builds of IPA with dnf copr enable @freeipa/freeipa-master-nightly
1. Install ipa server with ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
2. Backup with ipa-backup
3. Uninstall the server
4. Restore with ipa-restore /path/to/full/backup
5. Run "ipa cert-find" on the server: no entry is returned while 10 values are expected
6. Install a replica with ipa-replica-install --domain ipa.test --realm IPA.TEST --principal admin --password Secret123 --setup-ca --server server.ipa.test -U
The replica installation fails at the step requesting a TLS certificate from the server
Actual Results:
On the server:
# ipa cert-find
----------------------
0 certificates matched
----------------------
----------------------------
Number of entries returned 0
----------------------------


On the replica:
# ipa-replica-install --domain ipa.test --realm IPA.TEST --principal admin --password Secret123 --setup-ca --server server.ipa.test -U
Configuring client side components
[...]
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://server.ipa.test/ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Request 1 - Server Internal Error).)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Certificate issuance failed (CA_UNREACHABLE: Server at https://server.ipa.test/ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Request 1 - Server Internal Error).)
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information



Expected Results:
On the server:
# ipa cert-find
-----------------------
10 certificates matched
-----------------------

On the replica:
successful installation

Some fixes are already available in the 389-ds-base master branch and fix 1 out of the 2 issues.

If we install 389-ds-base from the copr repo @389ds/389-ds-base-nightly that contains a nightly build from the master branch (for instance 389-ds-base-3.0.1-202404051007gitcc3a86409.fc39.x86_64):
- the ipa cert-find command correctly returns the certificates that were present before the backup/restore procedure.
- the replica installation is able to go a bit further and fails only in the CA clone setup (this means that we are able to install a replica without CA service).
We would like 389-ds-base to release a new version with the fixes from the master branch.

See also: https://pagure.io/freeipa/issue/9523
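The reproduction steps above only notice the lost certificates when an administrator happens to run "ipa cert-find" or when a later replica installation fails. The following POSIX sh script is an added example, not part of this bug report or of the FreeIPA/389-ds projects: it records the number of certificates reported by "ipa cert-find" before ipa-backup and compares it against the count after ipa-restore, so a restore that silently breaks the CA is caught right away. It assumes the summary line format "N certificates matched" shown in the report; the state-file path is a hypothetical choice, and the two sample outputs embedded in the script are constructed to mirror the report's before/after output.

```shell
#!/bin/sh
# Added example (not from the bug report or the IPA/389-ds projects):
# verify that the certificates visible through `ipa cert-find` before
# ipa-backup are still visible after ipa-restore.
#
# Usage (assumed workflow, run on the IPA server as an admin with a ticket):
#   sh ca-restore-check.sh before   # run just before ipa-backup
#   sh ca-restore-check.sh after    # run right after ipa-restore
#
# STATE_FILE is a hypothetical location for the recorded count.
STATE_FILE="${STATE_FILE:-/var/lib/ipa/backup-cert-count}"

# Constructed sample outputs, mirroring the report (not captured from a live system).
SAMPLE_BEFORE='-----------------------
10 certificates matched
-----------------------
Number of entries returned 10
-----------------------'
SAMPLE_AFTER='----------------------
0 certificates matched
----------------------
Number of entries returned 0
----------------------'

# Read `ipa cert-find` output on stdin and print N from "N certificate(s) matched".
cert_count_from_output() {
    sed -n 's/^\([0-9][0-9]*\) certificates\{0,1\} matched$/\1/p' | head -n 1
}

# Succeed only when both counts are present and equal.
compare_counts() {
    before="$1"; after="$2"
    [ -n "$before" ] && [ -n "$after" ] && [ "$before" -eq "$after" ]
}

# Store the pre-backup count so it survives the uninstall/restore cycle
# (ipa-backup itself does not carry this number for us).
record_before_backup() {
    count=$(ipa cert-find 2>/dev/null | cert_count_from_output)
    [ -n "$count" ] || { echo "could not parse ipa cert-find output" >&2; return 2; }
    printf '%s\n' "$count" > "$STATE_FILE"
    echo "recorded $count certificates before backup"
}

# Compare the post-restore count with the stored one; non-zero exit on mismatch.
verify_after_restore() {
    before=$(cat "$STATE_FILE" 2>/dev/null) || { echo "no recorded count in $STATE_FILE" >&2; return 2; }
    after=$(ipa cert-find 2>/dev/null | cert_count_from_output)
    if compare_counts "$before" "$after"; then
        echo "OK: $after certificates visible, same as before backup"
    else
        echo "MISMATCH: $before certificates before backup, ${after:-none} after restore" >&2
        return 1
    fi
}

# Offline self-check on the constructed samples: returns 1, i.e. the
# comparison flags exactly the situation described in this bug.
selfcheck_reproduces_report() {
    b=$(printf '%s\n' "$SAMPLE_BEFORE" | cert_count_from_output)
    a=$(printf '%s\n' "$SAMPLE_AFTER" | cert_count_from_output)
    compare_counts "$b" "$a"
}

case "${1:-}" in
    before) record_before_backup ;;
    after)  verify_after_restore ;;
esac
```

Running the "after" step as part of the restore procedure turns the "0 certificates matched" symptom into a failing command with a clear message, instead of surfacing later as the CA_UNREACHABLE error during ipa-replica-install.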

Comment 3 Florence Blanc-Renaud 2024-04-16 10:18:01 UTC
With the latest version from the copr repo @389ds/389-ds-base-nightly, all the backup-restore issues have been fixed:
389-ds-base-3.0.1-202404121019git55529d185

Comment 4 Fedora Blocker Bugs Application 2024-04-16 10:20:44 UTC
Proposed as a Freeze Exception for 40-final by Fedora user abbra using the blocker tracking app because:

389-ds has migrated to the LMDB backend for its databases to make it possible to remove libdb from Fedora. During the development of this backend a few issues were found in complex FreeIPA server scenarios. They are addressed now in the 389-ds 3.0.2 release, which needs to be added to Fedora 40.

Several issues specifically address backup/restore functionality of FreeIPA which will likely be used by administrators during/after upgrade to Fedora 40 with 389-ds using LMDB backend already.

FreeIPA upstream comprehensive CI testing is green with the changes in 389-ds 3.0.2.

Comment 5 Fedora Update System 2024-04-16 10:22:57 UTC
FEDORA-2024-eca2c959b1 (389-ds-base-3.0.2-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-eca2c959b1

Comment 6 Adam Williamson 2024-04-18 19:40:13 UTC
We signed off RC-1.14 for release today, which was built before this was proposed, so it never really made sense to vote on it. Sorry about that.

Comment 7 Fedora Update System 2024-04-23 16:41:29 UTC
FEDORA-2024-eca2c959b1 (389-ds-base-3.0.2-1.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.