Description of problem:
After CS replication is removed, the replica can see that a new host is issued a cert, but doesn't have a copy of it, and throws a serial number error. In response to a test case to do this, Rob's response:

I wonder if we should doc this. What is happening is the host is replicating through a different channel, so we can see it. Because the CS replication was removed we can see that the host has been issued a valid certificate from our CA but our local install doesn't have a copy of it, hence the serial # error. This and a few others point out some pretty scary problems related to certificate replication, this isn't something people should take lightly.

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-6.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install master, replica
2. Install CS server on replica
3. Delete the replication agreement, and the data from replica
   # ipa-csreplica-manage del ipa-replica1.testrelm -p XXX
4. Add a host, add cert to a host from master
5. Check settings for this host from replica

Actual results:
Error that host's cert cannot be found:
Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x2d not found)

Expected results:
If this is doc'd, the user will know to check CS replication, and be prepared.

Additional info:
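A check a deployer can run before trusting certificate lookups on a replica: which CA masters are cut off from the local CA by a missing CS replication agreement. This is an added example, not part of the bug report or of FreeIPA; it assumes the `<fqdn>: <role>` line format printed by `ipa-csreplica-manage list` (an assumption about the 2.x output), and the sample output is constructed.

```python
"""Find CA masters whose issued certificates cannot reach the local CA.

Added example, not FreeIPA code. Assumes the '<fqdn>: <role>' line format
of `ipa-csreplica-manage list [host]` (assumption) and treats each listed
agreement as symmetric, the way ipa-*replica-manage connect creates them.
"""
from collections import deque


def parse_hosts(output):
    """Return host names from '<fqdn>: <role>' lines, ignoring other text."""
    hosts = []
    for line in output.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        hosts.append(line.split(":", 1)[0].strip())
    return hosts


def disconnected_ca_masters(local, ca_masters_output, agreements_by_host):
    """CA masters with no CS replication path (direct or via others) to `local`.

    ca_masters_output: text of `ipa-csreplica-manage list`
    agreements_by_host: {host: text of `ipa-csreplica-manage list <host>`}
    """
    masters = set(parse_hosts(ca_masters_output))
    # Undirected adjacency: an agreement listed on either side counts.
    adj = {h: set() for h in masters}
    for host, out in agreements_by_host.items():
        for peer in parse_hosts(out):
            adj.setdefault(host, set()).add(peer)
            adj.setdefault(peer, set()).add(host)
    # Breadth-first walk from the local CA over existing agreements.
    seen, queue = {local}, deque([local])
    while queue:
        for peer in adj.get(queue.popleft(), ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return sorted(masters - seen)


# Constructed sample: three CA masters; the A<->B CS agreement was
# deleted with `ipa-csreplica-manage del`, so only A<->C remains.
CA_MASTERS = "ipa-a.testrelm: master\nipa-b.testrelm: master\nipa-c.testrelm: master\n"
AGREEMENTS = {
    "ipa-a.testrelm": "ipa-c.testrelm: replica\n",
    "ipa-b.testrelm": "",
    "ipa-c.testrelm": "ipa-a.testrelm: replica\n",
}

if __name__ == "__main__":
    # Certificates issued on ipa-b will trigger the serial-not-found error on ipa-a.
    print(disconnected_ca_masters("ipa-a.testrelm", CA_MASTERS, AGREEMENTS))
```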
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2047
Here is a clearer way than I explained earlier. You have IPA server A and server B, both have a dogtag CA installed. There is a replication agreement between A and B for user, group, host, etc. data. There is also a replication agreement between A and B because they both have a CA. This link shares the certificates issued between the two CAs. If you break the dogtag replication agreement between the two they will still share the other IPA data. So if you issue a certificate for a host or service on host A then host B will not know about that certificate by serial number. The reverse is true as well. This is because there is no replication agreement between the CAs.
ipa-csreplica-manage and ipa-replica-manage already warn if the last replication link is being deleted. I thus think this is no longer an issue. Some of the fixes were done for example in https://fedorahosted.org/freeipa/ticket/2858. I am thus closing this bug.