Summary: kra install fails after ipa cert renewed
Product: Red Hat Enterprise Linux 7
Reporter: Mohammad Rizwan <myusuf>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Version: 7.4
CC: amore, frenaud, ftweedal, lmiksik, nsoman, pasik, pvoborni, rcritten, tscherf
Fixed In Version: ipa-4.5.4-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Last Closed: 2018-04-10 16:48:21 UTC
Type: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Description Mohammad Rizwan 2017-11-13 10:27:38 UTC
Description of problem:
kra install fails after ipa cert renewed

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-22.el7_4.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install ipa master
2. get expiration date from /root/ca-agent.p12
   - openssl pkcs12 -in ca-agent.p12 -out ca-agent.pem -nodes
   - cat ca-agent.pem | openssl x509 -noout -enddate
3. move date forward to 20 days before ca-agent.p12 expires
4. wait for certs to be renewed (watch with getcert list)
5. move date to 3 days after ca-agent.p12 expired (i.e. 3 days after date from step 2).
6. ipa-kra-install

Actual results:

Expected results:
ipa kra install success

Additional info:
ipa kra install failed
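Step 2 of the reproduction extracts the expiry of the agent certificate from the PKCS#12 bundle, and steps 3 and 5 derive two dates from it. The following is an added example, not part of the bug report: it reads the expiry through pipes only, using `openssl pkcs12 -nokeys` so that, unlike the `-out ca-agent.pem -nodes` form above, no unencrypted private key is ever written to disk, and it computes the two dates. It assumes the `openssl` CLI is installed; the self-signed bundle it builds, the file names and the `changeit` password are constructed fixtures so the script runs offline.

```python
"""Read the expiry of the certificate in a PKCS#12 bundle and derive the dates
used in the reproduction, without writing the private key to disk.

Added example, not part of the bug report. It shells out to the openssl CLI
(assumed installed) and builds a throwaway self-signed bundle so it runs
offline; the file names and the 'changeit' password are constructed."""
import datetime as dt
import os
import subprocess
import tempfile

# Format of "openssl x509 -enddate" output, e.g. "notAfter=Nov 13 10:27:38 2019 GMT"
NOTAFTER_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_not_after(line):
    """Turn a 'notAfter=...' line into an aware UTC datetime."""
    _, _, value = line.partition("=")
    return dt.datetime.strptime(value.strip(), NOTAFTER_FMT).replace(tzinfo=dt.timezone.utc)


def p12_not_after(p12_path, password):
    """Expiry of the certificate in the bundle, streamed through pipes only.

    -nokeys makes openssl emit just the certificate, so unlike
    'openssl pkcs12 ... -out ca-agent.pem -nodes' no unencrypted key is written."""
    pem = subprocess.run(
        ["openssl", "pkcs12", "-in", p12_path, "-nokeys", "-passin", "pass:" + password],
        check=True, capture_output=True, text=True).stdout
    enddate = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=pem, check=True, capture_output=True, text=True).stdout.strip()
    return parse_not_after(enddate)


def reproduction_dates(not_after, renew_days_before=20, days_after=3):
    """Steps 3 and 5 of the report: where renewal should start, and 3 days past
    the original expiry."""
    return {
        "renewal_window_start": not_after - dt.timedelta(days=renew_days_before),
        "after_expiry": not_after + dt.timedelta(days=days_after),
    }


def make_sample_bundle(dirpath, password, days=30):
    """Constructed fixture: a self-signed cert + key packed as PKCS#12."""
    key = os.path.join(dirpath, "agent-key.pem")
    crt = os.path.join(dirpath, "agent-cert.pem")
    p12 = os.path.join(dirpath, "agent.p12")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
         "-out", crt, "-days", str(days), "-subj", "/CN=sample-agent"],
        check=True, capture_output=True)
    subprocess.run(
        ["openssl", "pkcs12", "-export", "-in", crt, "-inkey", key, "-out", p12,
         "-passout", "pass:" + password],
        check=True, capture_output=True)
    return p12


def days_until_expiry(days=30):
    """Build a sample bundle valid for `days` and report the whole days remaining."""
    with tempfile.TemporaryDirectory() as d:
        not_after = p12_not_after(make_sample_bundle(d, "changeit", days), "changeit")
    return (not_after - dt.datetime.now(dt.timezone.utc)).days


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        na = p12_not_after(make_sample_bundle(d, "changeit"), "changeit")
    print("notAfter", na.isoformat())
    for name, when in reproduction_dates(na).items():
        print(name, when.isoformat())
```

On a real server, point `p12_not_after` at `/root/ca-agent.p12` with the directory-manager password in place of the constructed one; the same pipeline also works as a periodic expiry check for any PKCS#12 the installer leaves behind.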
Comment 4 Mohammad Rizwan 2017-11-13 10:50:34 UTC
console output:

Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpOgUGVY' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.
KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
Comment 10 Rob Crittenden 2017-11-13 18:46:38 UTC
I'm not sure that the issue is with the ca-agent, it may be a red herring. The way to know for sure would be to do the same steps except for the last one: don't set time past the ca-agent expiration. Then try the KRA install. I see connection failures to 636 in the KRA debug log but it's hard to correlate by time to errors in the DS log. I see some TLS connections around the same time but no explicit failures. All sorts of stuff fails to install because of the failed connections to port 636.
Comment 11 Mohammad Rizwan 2017-11-14 09:40:49 UTC
I tried by not setting time past the ca-agent expiration and it failed with the same error on both 7.4 and 7.3.
Comment 13 Florence Blanc-Renaud 2017-11-14 09:50:20 UTC
I reproduced the issue in 2 scenarios:
- the one described in this bug
- the one proposed by Rob, i.e. advancing time to renew the certs but staying in the validity period when launching ipa-kra-install.

This means that the ca-agent.p12 cert validity is probably not the issue. Looking into it further...
Comment 14 Fraser Tweedale 2017-11-15 00:44:16 UTC
There may be two issues here. Ade and I are looking into it.
Comment 16 Petr Vobornik 2017-12-12 17:36:40 UTC
master:
  6a8c847 Don't use admin cert during KRA installation
ipa-4-6:
  ca571cf Don't use admin cert during KRA installation
ipa-4-5:
  64ebd36 Don't use admin cert during KRA installation
Comment 17 Florence Blanc-Renaud 2017-12-13 15:02:18 UTC
Upstream ticket: https://pagure.io/freeipa/issue/7288
Comment 18 Florence Blanc-Renaud 2017-12-13 15:04:13 UTC
master:
  2546ef6 Prevent set_directive from clobbering other keys
  1b04718 pep8: reduce line lengths in CAInstance.__enable_crl_publish
  c77f3a5 installutils: refactor set_directive
  f688b5d Add tests for installutils.set_directive
  f4001e1 Add safe DirectiveSetter context manager
ipa-4-6:
  fd316b9 Prevent set_directive from clobbering other keys
  7a29a5d pep8: reduce line lengths in CAInstance.__enable_crl_publish
  241b83d installutils: refactor set_directive
  808b143 Add tests for installutils.set_directive
  342a141 Add safe DirectiveSetter context manager
ipa-4-5:
  c60fcac Prevent set_directive from clobbering other keys
  929491d pep8: reduce line lengths in CAInstance.__enable_crl_publish
  a1a5853 installutils: refactor set_directive
  d3af8f6 Add tests for installutils.set_directive
  a70ce13 Add safe DirectiveSetter context manager
  1b87101 Old pylint doesn't support bad python3 option
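The commit titles above name a failure class (a directive setter that clobbers other keys) and its remedy (a safe context manager). The following is an added illustration of that class, not FreeIPA's installutils code, which this page does not show: a naive prefix-matching setter is placed beside an exact-key setter, and a small context manager writes the edited config atomically and leaves the file untouched if the enclosed block raises. The buggy variant, the `set()` interface, the key names and the sample config are all constructed.

```python
"""Set one directive in a 'key=value' config without disturbing keys that merely
share its prefix, and leave the file untouched if the edit block fails.

Added illustration of the failure class named by the commit 'Prevent
set_directive from clobbering other keys'. It is not FreeIPA's installutils
code; the buggy variant, the context manager's interface and the sample config
below are all constructed."""
import contextlib
import os
import re
import tempfile

# Constructed sample: two keys where one name is a prefix of the other.
SAMPLE_CFG = """agent.cert.nickname=ipa-ca-agent
agent.cert.nickname.backup=ipa-ca-agent-old
ds.password=REDACTED
"""


def set_directive_naive(text, key, value):
    """Assumed buggy shape: a prefix match rewrites every line starting with
    `key`, so 'agent.cert.nickname.backup' is overwritten as well."""
    return re.sub(rf"(?m)^{re.escape(key)}.*$", f"{key}={value}", text)


def set_directive(text, key, value, separator="="):
    """Replace exactly the line(s) whose key equals `key`; append if none exists."""
    out, found = [], False
    for line in text.splitlines():
        name, sep, _ = line.partition(separator)
        if sep and name.strip() == key:          # whole-key comparison, not a prefix
            out.append(f"{key}{separator}{value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}{separator}{value}")
    return "\n".join(out) + "\n"


class _Editor:
    def __init__(self, text, separator):
        self.text, self.separator = text, separator

    def set(self, key, value):
        self.text = set_directive(self.text, key, value, self.separator)


@contextlib.contextmanager
def directive_setter(path, separator="="):
    """Edit directives in `path`. The result is written atomically on success;
    if the body raises, nothing is written and the original file remains."""
    with open(path) as f:
        editor = _Editor(f.read(), separator)
    yield editor                                   # an exception here skips the write
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        f.write(editor.text)
    os.chmod(tmp, os.stat(path).st_mode & 0o7777)  # keep permissions: configs hold secrets
    os.replace(tmp, path)                          # atomic swap: no half-written config


def demo(dirpath=None):
    """Apply one successful edit and one failing edit; return both file states."""
    dirpath = dirpath or tempfile.mkdtemp()
    path = os.path.join(dirpath, "sample.cfg")
    with open(path, "w") as f:
        f.write(SAMPLE_CFG)
    with directive_setter(path) as ed:
        ed.set("agent.cert.nickname", "ipa-ca-agent-renewed")
    with open(path) as f:
        after_ok = f.read()
    try:
        with directive_setter(path) as ed:
            ed.set("agent.cert.nickname", "bogus")
            raise RuntimeError("simulated install failure")
    except RuntimeError:
        pass
    with open(path) as f:
        after_failed = f.read()
    return after_ok, after_failed


if __name__ == "__main__":
    print(set_directive_naive(SAMPLE_CFG, "agent.cert.nickname", "x"))  # backup key gone
    print(demo()[0])                                                   # backup key kept
```

The whole-key comparison is the point of the first function: a prefix regex silently removes `agent.cert.nickname.backup`, and a subsystem whose config lost a key can fail later in ways that look unrelated to the edit, which is the kind of symptom this bug presents. The atomic write plus permission copy is the usual defensive shape for installer-edited configs that contain passwords.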
Comment 20 anuja 2017-12-19 11:27:52 UTC
Verified using IPA version: ipa-server-4.5.4-7.el7.x86_64. Marking BZ as verified. Please see attachment for console log.
Comment 26 errata-xmlrpc 2018-04-10 16:48:21 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0918
Comment 27 Florence Blanc-Renaud 2018-12-05 10:02:14 UTC
upstream test added: master: https://pagure.io/freeipa/c/b7ae9f7a3f577a61c97953da7e65d09349053380
Comment 28 Florence Blanc-Renaud 2018-12-06 10:34:42 UTC
upstream test added: ipa-4-7: https://pagure.io/freeipa/c/f3822726a630b77508801c00e59dfc1afaec549d