Bug 975431 - IPA PKI cannot publish CRL after upgrade
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: Tomas Babej
QA Contact: Namita Soman
Reported: 2013-06-18 09:07 EDT by Dmitri Pal
Modified: 2013-11-21 15:53 EST (History)
Fixed In Version: ipa-3.0.0-31.el6
Doc Type: Bug Fix
Doc Text:
Cause: The directory where Identity Management PKI publishes CRL exports (/var/lib/ipa/pki-ca/publish/) got incorrect ownership and permissions after ipa-server package reinstallation or upgrade.
Consequence: PKI was not able to update CRL in this directory until the ownership and permissions of the directory were manually amended.
Fix: IdM installer and upgrade script were fixed to handle the ownership and permission of the directory correctly.
Result: IdM PKI can publish CRL exports after ipa-server package reinstall or upgrade.
Last Closed: 2013-11-21 15:53:53 EST

Description Dmitri Pal 2013-06-18 09:07:10 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3727

The directory where IPA PKI publishes the CRL (`/var/lib/ipa/pki-ca/publish/`) gets wrong ownership after a freeipa-server package reinstall, which leads to PKI not being able to update the CRL in this directory:

{{{
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root pkiuser 12288 May 17 04:49 .     <<< owned by pkiuser group
drwxr-xr-x. 3 root    root     4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser   414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser    57 May 17 01:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der

}}}

/var/lib/ipa/pki-ca/publish/ changes when the freeipa-server package gets reinstalled or updated:

{{{
# yum reinstall freeipa-server
...
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root    root    12288 May 17 04:49 .     <<< owned by root
drwxr-xr-x. 3 root    root     4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser   414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser    57 May 17 01:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der
}}}

PKI then logs errors like these:
{{{
/var/log/pki-ca/system
...
1585.CRLIssuingPoint-MasterCRL - [13/Jun/2013:21:00:00 EDT] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20130613-210000.temp (Permission denied)
1585.CRLIssuingPoint-MasterCRL - [14/Jun/2013:01:00:00 EDT] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20130614-010000.temp (Permission denied)
}}}
Comment 1 Alexander Bokovoy 2013-07-01 05:06:32 EDT
Re-assign to Tomas Babej.
Comment 3 Martin Kosek 2013-07-16 06:35:45 EDT
Fixed upstream:

master:
7a105604e265222cf6f96b0ac060d4f1b2504b6c Change group ownership of CRL publish directory
ipa-3-2:
1a5daf0dcfeeec26a3869bf7d278b93f9716163d Change group ownership of CRL publish directory
Comment 5 Scott Poore 2013-09-05 15:44:42 EDT
Verified.

Version ::

ipa-server-3.0.0-34.el6.x86_64

Automated Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Checking ipa_upgrade_bz975431 -  IPA PKI cannot publish CRL after upgrade
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

drwxrwxr-x. 2 root pkiuser 4096 Sep  5 14:11 /var/lib/ipa/pki-ca/publish
:: [   PASS   ] :: Running 'ls -ld /var/lib/ipa/pki-ca/publish' (Expected 0, got 0)
:: [   PASS   ] :: BZ 975431 not found
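As an added example (not code from this bug or from FreeIPA), a Python check that parses `ls -l` lines like the listings in this report and applies the POSIX owner/group/other rule to decide whether the CA account (assumed here to run as `pkiuser`, primary group `pkiuser`) can create files in the publish directory; it is run against the broken listing from the description and the verified listing from this comment.

```python
import re
import stat

# Parses one `ls -l` line such as the listings in this bug; the trailing
# SELinux "." / ACL "+" marker after the mode string is accepted and ignored.
_LS_LINE = re.compile(
    r"^(?P<type>[d\-l])(?P<perm>[rwxsStT\-]{9})[.+]?\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+"
)


def parse_ls_line(line):
    """Return (is_dir, mode_bits, owner, group) from an `ls -l` line."""
    m = _LS_LINE.match(line.strip())
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    bits = 0
    for i, ch in enumerate(m.group("perm")):
        # lowercase s/t in an x slot mean the x bit is set alongside setuid/sticky
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return m.group("type") == "d", bits, m.group("owner"), m.group("group")


def can_write(mode_bits, owner, group, user, user_groups):
    """POSIX access check: the first matching class (owner, group, other) decides.
    root's CAP_DAC_OVERRIDE is deliberately not modelled; the CA runs as pkiuser."""
    if user == owner:
        return bool(mode_bits & stat.S_IWUSR)
    if group in user_groups:
        return bool(mode_bits & stat.S_IWGRP)
    return bool(mode_bits & stat.S_IWOTH)


def publish_dir_ok(ls_line, ca_user="pkiuser", ca_groups=("pkiuser",)):
    """True if the CA account could create MasterCRL-*.temp in the directory."""
    is_dir, bits, owner, group = parse_ls_line(ls_line)
    return is_dir and can_write(bits, owner, group, ca_user, ca_groups)


# Listings taken from this report: the broken state after `yum reinstall`
# and the state the verification in comment 5 accepts.
BROKEN = "drwxr-xr-x. 2 root    root    12288 May 17 04:49 ."
VERIFIED = "drwxrwxr-x. 2 root pkiuser 4096 Sep  5 14:11 /var/lib/ipa/pki-ca/publish"

if __name__ == "__main__":
    for label, line in (("broken", BROKEN), ("verified", VERIFIED)):
        print("%-8s publishable by pkiuser: %s" % (label, publish_dir_ok(line)))
```

The first listing in the description (drwxr-xr-x root pkiuser) also fails this check because the group class lacks write permission; the state the automated test above accepts is the 775 directory.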
Comment 7 errata-xmlrpc 2013-11-21 15:53:53 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html
