
Bug 1512482

Summary: kra install fails after ipa cert renewed
Product: Red Hat Enterprise Linux 7
Reporter: Mohammad Rizwan <myusuf>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.4
CC: amore, frenaud, ftweedal, lmiksik, nsoman, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.5.4-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 16:48:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Mohammad Rizwan 2017-11-13 10:27:38 UTC
Description of problem:
kra install fails after ipa cert renewed

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-22.el7_4.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install ipa master
2. get expiration date from /root/ca-agent.p12
   - openssl pkcs12 -in ca-agent.p12 -out ca-agent.pem -nodes
   - openssl x509 -noout -enddate -in ca-agent.pem

3. move date forward to 20 days before ca-agent.p12 expires

4. wait for certs to be renewed (watch with getcert list)

5. move date to 3 days after ca-agent.p12 expired (i.e 3 days after date from step2).

6. ipa-kra-install

Actual results:


Expected results:
ipa kra install success

Additional info:
ipa kra install failed
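
The steps above are a clock-advance test of certmonger renewal. As an added example (not from the bug report and not FreeIPA's own tooling), the helper below does the bookkeeping for them: step 2 reads the expiry from the .p12 without leaving an unencrypted .pem on disk, step 3 and step 5 are derived from that expiry (20 days before, 3 days after), and step 4 is a parser for `getcert list` output that reports which tracking requests have not yet come back to MONITORING with a later expiry. It assumes `openssl` is on PATH and that `getcert list` prints `Request ID`, `status:` and `expires: YYYY-MM-DD HH:MM:SS UTC` fields as certmonger does; the sample `getcert` output and the dates in it are constructed.

```python
import datetime as dt
import re
import subprocess
from typing import List, Tuple

# openssl prints e.g. "notAfter=Nov 14 10:27:38 2018 GMT" (constructed date);
# single-digit days are space padded ("Nov  4 ..."), which strptime accepts.
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y"
_GETCERT_DATE_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_notafter(line: str) -> dt.datetime:
    """Parse the 'notAfter=' line of `openssl x509 -noout -enddate` as a UTC datetime."""
    m = re.match(r"\s*notAfter=(.+?)\s+GMT\s*$", line)
    if not m:
        raise ValueError(f"not an openssl enddate line: {line!r}")
    return dt.datetime.strptime(m.group(1), _OPENSSL_DATE_FMT).replace(tzinfo=dt.timezone.utc)


def repro_clock_targets(not_after: dt.datetime) -> Tuple[dt.datetime, dt.datetime]:
    """Steps 3 and 5: 20 days before expiry (inside the renewal window) and
    3 days after it. These are the values to feed to `date -s` on the test host."""
    return not_after - dt.timedelta(days=20), not_after + dt.timedelta(days=3)


def enddate_from_p12(p12_path: str, password: str) -> dt.datetime:
    """Step 2 without writing the private key to disk: export only the client
    cert (-nokeys -clcerts), pass the password on stdin rather than argv, and
    pipe the PEM straight into `openssl x509`."""
    pem = subprocess.run(
        ["openssl", "pkcs12", "-in", p12_path, "-nokeys", "-clcerts", "-passin", "stdin"],
        input=(password + "\n").encode(), check=True, capture_output=True).stdout
    enddate = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=pem, check=True, capture_output=True).stdout
    return parse_notafter(enddate.decode())


# Constructed sample of `getcert list` output, cut down to the fields read below
# (certmonger indents fields with a tab; the parser strips leading whitespace).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20171113102738':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2020-11-13 10:27:38 UTC
Request ID '20171113102739':
        status: CA_WORKING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2018-11-14 10:27:38 UTC
Request ID '20171113102740':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2018-11-14 10:27:38 UTC
"""


def pending_renewals(getcert_output: str, must_outlive: dt.datetime) -> List[str]:
    """Step 4: request IDs whose certificate has not been replaced yet, i.e. the
    request is not back in MONITORING, or its 'expires' is still on or before
    `must_outlive` (the expiry you are waiting to see pushed out).
    An empty list means it is safe to move on to step 5."""
    records: List[dict] = []
    for raw in getcert_output.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            records.append({"id": m.group(1), "status": None, "expires": None})
        elif records and line.startswith("status:"):
            records[-1]["status"] = line.split(":", 1)[1].strip()
        elif records and line.startswith("expires:"):
            stamp = line.split(":", 1)[1].strip()
            records[-1]["expires"] = dt.datetime.strptime(
                stamp, _GETCERT_DATE_FMT).replace(tzinfo=dt.timezone.utc)
    return [r["id"] for r in records
            if r["status"] != "MONITORING" or r["expires"] is None or r["expires"] <= must_outlive]


if __name__ == "__main__":
    old_expiry = parse_notafter("notAfter=Nov 14 10:27:38 2018 GMT")   # constructed
    renew_at, after_expiry = repro_clock_targets(old_expiry)
    print("step 3: set clock to", renew_at.isoformat())
    print("step 5: set clock to", after_expiry.isoformat())
    print("step 4: still waiting on", pending_renewals(SAMPLE_GETCERT, old_expiry))
```

On a real host replace the constructed call with `enddate_from_p12("/root/ca-agent.p12", password)` and poll `pending_renewals(subprocess.check_output(["getcert", "list"]).decode(), old_expiry)` until it returns an empty list before moving the clock past expiry. A request that is MONITORING but still carries the old expiry is deliberately counted as pending: certmonger reports MONITORING both before and after a renewal, so status alone is not enough.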

Comment 4 Mohammad Rizwan 2017-11-13 10:50:34 UTC
console output :

Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpOgUGVY' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

Comment 10 Rob Crittenden 2017-11-13 18:46:38 UTC
I'm not sure that the issue is with the ca-agent, it may be a red herring. The way to know for sure would be to do the same steps except for the last one: don't set time past the ca-agent expiration. Then try the KRA install then.

I see connection failures to 636 in the KRA debug log but it's hard to correlate by time to errors in the DS log. I see some TLS connections around the same time but no explicit failures. All sorts of stuff fails to install because of the failed connections to port 636.

Comment 11 Mohammad Rizwan 2017-11-14 09:40:49 UTC
I tried without setting the time past the ca-agent expiration, and it failed with the same error on both 7.4 and 7.3.

Comment 13 Florence Blanc-Renaud 2017-11-14 09:50:20 UTC
I reproduced the issue in 2 scenarios:
- the one described in this bug
- the one proposed by Rob, ie advancing time to renew the certs but staying in the validity period when launching ipa-kra-install.

This means that the ca-agent.p12 cert validity is probably not the issue. Looking into it further...

Comment 14 Fraser Tweedale 2017-11-15 00:44:16 UTC
There may be two issues here.  Ade and I are looking into it.

Comment 16 Petr Vobornik 2017-12-12 17:36:40 UTC
master:
    6a8c847 Don't use admin cert during KRA installation
ipa-4-6:
    ca571cf Don't use admin cert during KRA installation
ipa-4-5:
    64ebd36 Don't use admin cert during KRA installation

Comment 17 Florence Blanc-Renaud 2017-12-13 15:02:18 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7288

Comment 18 Florence Blanc-Renaud 2017-12-13 15:04:13 UTC
master:

    2546ef6 Prevent set_directive from clobbering other keys
    1b04718 pep8: reduce line lengths in CAInstance.__enable_crl_publish
    c77f3a5 installutils: refactor set_directive
    f688b5d Add tests for installutils.set_directive
    f4001e1 Add safe DirectiveSetter context manager

ipa-4-6:

    fd316b9 Prevent set_directive from clobbering other keys
    7a29a5d pep8: reduce line lengths in CAInstance.__enable_crl_publish
    241b83d installutils: refactor set_directive
    808b143 Add tests for installutils.set_directive
    342a141 Add safe DirectiveSetter context manager

ipa-4-5:

    c60fcac Prevent set_directive from clobbering other keys
    929491d pep8: reduce line lengths in CAInstance.__enable_crl_publish
    a1a5853 installutils: refactor set_directive
    d3af8f6 Add tests for installutils.set_directive
    a70ce13 Add safe DirectiveSetter context manager
    1b87101 Old pylint doesn't support bad python3 option
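
The commit titles above say that set_directive could clobber other keys when editing a config file and that a DirectiveSetter context manager was added. The example below is added here and is not FreeIPA's code; it assumes, since the page only gives the titles, that the clobbering came from matching keys by prefix instead of exactly, and shows that mistake beside an anchored version plus a context manager that batches edits and writes the file back atomically. The sample config and its key names are constructed in the key=value style of pki-tomcat's CS.cfg.

```python
import os
import re
import shutil
import tempfile
from typing import Dict, Optional

# Constructed sample; key names are illustrative, not from a real CS.cfg.
SAMPLE_CFG = """\
ca.publish.enable=false
ca.publish.enable.backup=true
ca.crl.MasterCRL.enableCRLUpdates=true
kra.audit.enabled=true
"""


def parse_cfg(text: str) -> Dict[str, str]:
    """key=value lines into a dict; a later duplicate wins, as a config reader would do."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def set_directive_naive(text: str, directive: str, value: str, separator: str = "=") -> str:
    """The clobbering mistake (assumed, see lead-in): a prefix test, so every key
    that merely begins with `directive` is rewritten. Setting ca.publish.enable
    also overwrites ca.publish.enable.backup."""
    out = []
    for line in text.splitlines(keepends=True):
        out.append(f"{directive}{separator}{value}\n" if line.lstrip().startswith(directive) else line)
    return "".join(out)


def set_directive(text: str, directive: str, value: Optional[str], separator: str = "=") -> str:
    """Anchored version: the key must be exactly `directive` followed by the
    separator. value=None deletes the directive; a missing one is appended."""
    pattern = re.compile(r"^\s*{}\s*{}".format(re.escape(directive), re.escape(separator)))
    out, found = [], False
    for line in text.splitlines(keepends=True):
        if pattern.match(line):
            found = True
            if value is not None:
                out.append(f"{directive}{separator}{value}\n")
            continue
        out.append(line)
    if value is not None and not found:
        out.append(f"{directive}{separator}{value}\n")
    return "".join(out)


class DirectiveSetter:
    """Read once, apply several set() calls in memory, write back atomically
    (temp file in the same directory, fsync, rename) keeping the original mode
    bits, so an installer killed mid-write cannot leave a truncated config."""

    def __init__(self, path: str, separator: str = "=") -> None:
        self.path, self.separator, self.text = path, separator, ""

    def __enter__(self) -> "DirectiveSetter":
        with open(self.path, encoding="utf-8") as f:
            self.text = f.read()
        return self

    def set(self, directive: str, value: Optional[str]) -> None:
        self.text = set_directive(self.text, directive, value, self.separator)

    def __exit__(self, exc_type, exc, tb) -> bool:
        if exc_type is not None:
            return False  # error inside the block: leave the file untouched
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(self.path)), prefix=".cfg-")
        try:
            with os.fdopen(fd, "w", encoding="utf-8") as f:
                f.write(self.text)
                f.flush()
                os.fsync(f.fileno())
            shutil.copymode(self.path, tmp)
            os.replace(tmp, self.path)  # atomic on POSIX
        except BaseException:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise
        return False


def compare_on_sample() -> Dict[str, bool]:
    """Apply both editors to SAMPLE_CFG and report whether the sibling key survived."""
    naive = parse_cfg(set_directive_naive(SAMPLE_CFG, "ca.publish.enable", "true"))
    safe = parse_cfg(set_directive(SAMPLE_CFG, "ca.publish.enable", "true"))
    return {
        "naive_lost_backup_key": "ca.publish.enable.backup" not in naive,
        "safe_kept_backup_key": safe.get("ca.publish.enable.backup") == "true",
        "both_set_target": naive.get("ca.publish.enable") == safe.get("ca.publish.enable") == "true",
    }


def file_roundtrip() -> Dict[str, str]:
    """Write SAMPLE_CFG to a temp file, edit it through DirectiveSetter, read it back."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(SAMPLE_CFG)
    try:
        with DirectiveSetter(path) as ds:
            ds.set("ca.publish.enable", "true")
            ds.set("kra.audit.enabled", None)  # remove
            ds.set("kra.new.key", "1")         # append
        with open(path, encoding="utf-8") as f:
            return parse_cfg(f.read())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(compare_on_sample())
    print(file_roundtrip())
```

The check worth keeping from this is the one in compare_on_sample: after editing a key, assert that every other key still parses to its old value, which is exactly the kind of regression that a tests-for-set_directive commit guards against.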

Comment 20 anuja 2017-12-19 11:27:52 UTC
Verified using IPA version:

ipa-server-4.5.4-7.el7.x86_64

Marking BZ as verified. Please see attachment for console log.

Comment 26 errata-xmlrpc 2018-04-10 16:48:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918

Comment 27 Florence Blanc-Renaud 2018-12-05 10:02:14 UTC
upstream test added:
master:
https://pagure.io/freeipa/c/b7ae9f7a3f577a61c97953da7e65d09349053380

Comment 28 Florence Blanc-Renaud 2018-12-06 10:34:42 UTC
upstream test added:
ipa-4-7:
https://pagure.io/freeipa/c/f3822726a630b77508801c00e59dfc1afaec549d