Bug 975431 - IPA PKI cannot publish CRL after upgrade
Summary: IPA PKI cannot publish CRL after upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assignee: Tomas Babej
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-06-18 13:07 UTC by Dmitri Pal
Modified: 2013-11-21 20:53 UTC (History)

Fixed In Version: ipa-3.0.0-31.el6
Doc Type: Bug Fix
Doc Text:
Cause: The directory where Identity Management PKI publishes CRL exports (/var/lib/ipa/pki-ca/publish/) got incorrect ownership and permissions after ipa-server package reinstallation or upgrade.
Consequence: PKI was not able to update CRL in this directory until the ownership and permissions of the directory were manually amended.
Fix: IdM installer and upgrade script were fixed to handle the ownership and permission of the directory correctly.
Result: IdM PKI can publish CRL exports after ipa-server package reinstall or upgrade.
Clone Of:
Environment:
Last Closed: 2013-11-21 20:53:53 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2013:1651 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2013-11-21 00:39:40 UTC

Description Dmitri Pal 2013-06-18 13:07:10 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3727

The directory where IPA PKI publishes CRL (`/var/lib/ipa/pki-ca/publish/`) gets wrong ownership after freeipa-server package reinstall which leads to PKI not being able to update CRL in this directory:

{{{
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root pkiuser 12288 May 17 04:49 .     <<< owned by pkiuser group
drwxr-xr-x. 3 root    root     4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser   414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser    57 May 17 01:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der

}}}

/var/lib/ipa/pki-ca/publish/ changes when freeipa-server package gets reinstalled or updated:

{{{
# yum reinstall freeipa-server
...
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root    root    12288 May 17 04:49 .     <<< owned by root
drwxr-xr-x. 3 root    root     4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser   414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser    57 May 17 01:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der
}}}

PKI then logs errors like these:
{{{
/var/log/pki-ca/system
...
1585.CRLIssuingPoint-MasterCRL - [13/Jun/2013:21:00:00 EDT] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20130613-210000.temp (Permission denied)
1585.CRLIssuingPoint-MasterCRL - [14/Jun/2013:01:00:00 EDT] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20130614-010000.temp (Permission denied)
}}}
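The failure above is silent until the next scheduled CRL run, so an administrator may want to check the publish directory right after a package upgrade rather than wait for the FileNotFoundException. The script below is an added example, not part of this bug report and not FreeIPA's own installer or upgrade code. It audits a directory against the post-fix state the report describes (owner root, group pkiuser, group write and search bits set) and re-applies group ownership and mode. The path and the pkiuser name come from the report; the demo function substitutes the current user's own names and a scratch directory so the logic can be exercised on a host without IPA installed.

```python
import grp
import os
import pwd
import stat
import tempfile

# Added example (not FreeIPA code). Defaults describe the state shown in the
# bug's verification output: drwxrwxr-x root pkiuser /var/lib/ipa/pki-ca/publish
PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"


def name_of_uid(uid):
    """Resolve a uid to a name, falling back to the number if it is unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def name_of_gid(gid):
    """Resolve a gid to a name, falling back to the number if it is unknown."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_publish_dir(path, expected_owner="root", expected_group="pkiuser"):
    """Return a list of problems; an empty list means the PKI group can publish here."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    problems = []
    owner = name_of_uid(st.st_uid)
    group = name_of_gid(st.st_gid)
    mode = stat.S_IMODE(st.st_mode)
    if owner != expected_owner:
        problems.append("owner is %s, expected %s" % (owner, expected_owner))
    if group != expected_group:
        problems.append("group is %s, expected %s" % (group, expected_group))
    # The CA runs as pkiuser, not root, so it reaches the directory only through
    # the group bits: search (x) to traverse it and write (w) to create the
    # MasterCRL-*.temp file that the log shows failing with "Permission denied".
    if not mode & stat.S_IXGRP:
        problems.append("group lacks search permission (mode %o)" % mode)
    if not mode & stat.S_IWGRP:
        problems.append("group lacks write permission (mode %o)" % mode)
    return problems


def fix_publish_dir(path, group="pkiuser", mode=0o775):
    """Re-apply group ownership and group rwx bits; keeps the existing owner."""
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        gid = int(group)  # numeric fallback, mirrors name_of_gid()
    os.chown(path, -1, gid)  # -1 leaves the owner untouched
    os.chmod(path, mode)


def demo_on_temp_dir():
    """Reproduce the broken state on a scratch directory, repair it, return both audits."""
    path = tempfile.mkdtemp(prefix="publish-")
    me = name_of_uid(os.getuid())
    my_group = name_of_gid(os.getgid())
    os.chmod(path, 0o755)  # what the reinstall left behind: no group write bit
    before = audit_publish_dir(path, expected_owner=me, expected_group=my_group)
    fix_publish_dir(path, group=my_group)
    after = audit_publish_dir(path, expected_owner=me, expected_group=my_group)
    os.rmdir(path)
    return before, after


if __name__ == "__main__":
    # On a real IdM server: report anything that would block CRL publishing.
    for problem in audit_publish_dir(PUBLISH_DIR):
        print(problem)
```

Running the script on an IdM server prints nothing when the directory is in the fixed state; a root:root 0755 directory, as left behind by the reinstall in the report, yields "group is root, expected pkiuser" and "group lacks write permission (mode 755)". Repairing a real installation with fix_publish_dir() requires root, since only root can hand the directory to the pkiuser group.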

Comment 1 Alexander Bokovoy 2013-07-01 09:06:32 UTC
Re-assign to Tomas Babej.

Comment 3 Martin Kosek 2013-07-16 10:35:45 UTC
Fixed upstream:

master:
7a105604e265222cf6f96b0ac060d4f1b2504b6c Change group ownership of CRL publish directory
ipa-3-2:
1a5daf0dcfeeec26a3869bf7d278b93f9716163d Change group ownership of CRL publish directory

Comment 5 Scott Poore 2013-09-05 19:44:42 UTC
Verified.

Version ::

ipa-server-3.0.0-34.el6.x86_64

Automated Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Checking ipa_upgrade_bz975431 -  IPA PKI cannot publish CRL after upgrade
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

drwxrwxr-x. 2 root pkiuser 4096 Sep  5 14:11 /var/lib/ipa/pki-ca/publish
:: [   PASS   ] :: Running 'ls -ld /var/lib/ipa/pki-ca/publish' (Expected 0, got 0)
:: [   PASS   ] :: BZ 975431 not found

Comment 7 errata-xmlrpc 2013-11-21 20:53:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html

