Bug 1512482 - kra install fails after ipa cert renewed
Summary: kra install fails after ipa cert renewed
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
Depends On:
Reported: 2017-11-13 10:27 UTC by Mohammad Rizwan
Modified: 2018-12-06 10:34 UTC (History)

Fixed In Version: ipa-4.5.4-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-04-10 16:48:21 UTC
Target Upstream Version:


Links: Red Hat Product Errata RHBA-2018:0918 (last updated 2018-04-10 16:49:12 UTC)

Description Mohammad Rizwan 2017-11-13 10:27:38 UTC
Description of problem:
kra install fails after ipa cert renewed

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install ipa master
2. get expiration date from /root/ca-agent.p12
   - openssl pkcs12 -in ca-agent.p12 -out ca-agent.pem -nodes
   - openssl x509 -noout -enddate -in ca-agent.pem
3. move date forward to 20 days before ca-agent.p12 expires

4. wait for certs to be renewed (watch with getcert list)

5. move date to 3 days after ca-agent.p12 expired (i.e 3 days after date from step2).

6. ipa-kra-install

Actual results:

Expected results:
ipa kra install success

Additional info:
ipa kra install failed

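The reproducer above, wired into a script as an added example (this is not code from the bug report or from FreeIPA itself). It assumes GNU date(1) and openssl(1), that /root/ca-agent.p12 is protected by the Directory Manager password supplied in DM_PASSWORD, and that it runs as root on the IPA master; the getcert listing at the bottom is constructed for illustration. The check_renewed function is the part a tester wants between steps 4 and 5: it confirms from `getcert list` output that every tracked certificate really was renewed before the clock is moved past the old expiry date, so a failure of ipa-kra-install can be attributed to the install and not to a renewal that silently did not happen.

```shell
#!/bin/sh
# Added example, not from the bug report or FreeIPA: helpers for the
# reproducer. Assumes GNU date and openssl; SAMPLE_GETCERT_LIST is constructed.

# Print the "notAfter=..." line of the first certificate in a PKCS#12 file.
# $2 is an optional openssl -passin argument (assumption: /root/ca-agent.p12
# is protected by the Directory Manager password).
p12_enddate() {
    openssl pkcs12 -in "$1" -nokeys -passin "${2:-pass:}" 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Turn "notAfter=Nov 13 10:27:38 2019 GMT" plus a whole-day offset (-20, 3)
# into YYYY-MM-DD in UTC. The arithmetic is done on the epoch value so the
# offset cannot collide with the time-zone word in the openssl output.
date_from_enddate() {
    epoch=$(date -u -d "${1#notAfter=}" +%s) || return 1
    date -u -d "@$((epoch + $2 * 86400))" +%F
}

# Read `getcert list` output on stdin and print "<request id> <status> <expires>"
# for every request that is NOT safe for a clock jump to $1 (YYYY-MM-DD):
# status not back to MONITORING, request stuck, or certificate already
# expired at the target date. Exit 1 if any such request exists.
check_renewed() {
    awk -v cutoff="$1" '
        BEGIN               { bad = 0 }
        /^Request ID/       { id = $3; gsub(/[^0-9]/, "", id) }
        /^[ \t]*status:/    { status = $2 }
        /^[ \t]*stuck:/     { stuck = $2 }
        /^[ \t]*expires:/   {
            if (status != "MONITORING" || stuck == "yes" || $2 <= cutoff) {
                print id, status, $2
                bad = 1
            }
        }
        END { exit bad }'
}

# Steps 2-6 of the reproducer. Not called here: it changes the system clock
# and must run as root on the IPA master.
reproduce_kra_install() {
    end=$(p12_enddate /root/ca-agent.p12 "pass:$DM_PASSWORD")   # step 2
    after=$(date_from_enddate "$end" 3)                         # step 5 target
    date -s "$(date_from_enddate "$end" -20)"                   # step 3
    # step 4: poll until every tracked request is renewed past the target
    while ! getcert list | check_renewed "$after"; do
        sleep 60
    done
    date -s "$after"                                            # step 5
    ipa-kra-install                                             # step 6
}

# Constructed getcert listing: first request renewed, second still on the
# old certificate and stuck.
SAMPLE_GETCERT_LIST="Number of certificates and requests being tracked: 2.
Request ID '20171113102738':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2021-11-02 09:12:44 UTC
Request ID '20171113102739':
    status: CA_UNREACHABLE
    stuck: yes
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2019-11-13 10:27:38 UTC"
```

Usage: `getcert list | check_renewed "$(date_from_enddate "$(p12_enddate /root/ca-agent.p12 pass:"$DM_PASSWORD")" 3)"` lists any request that would be expired or unsettled at the step-5 date; an empty result with exit status 0 means it is safe to move the clock and run ipa-kra-install.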
Comment 4 Mohammad Rizwan 2017-11-13 10:50:34 UTC
console output :

Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpOgUGVY' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

Comment 10 Rob Crittenden 2017-11-13 18:46:38 UTC
I'm not sure that the issue is with the ca-agent, it may be a red herring. The way to know for sure would be to do the same steps except for the last one: don't set time past the ca-agent expiration. Then try the KRA install.

I see connection failures to 636 in the KRA debug log but it's hard to correlate by time to errors in the DS log. I see some TLS connections around the same time but no explicit failures. All sorts of stuff fails to install because of the failed connections to port 636.

Comment 11 Mohammad Rizwan 2017-11-14 09:40:49 UTC
I tried by not setting time past the ca-agent expiration and it failed with the same error on both 7.4 and 7.3.

Comment 13 Florence Blanc-Renaud 2017-11-14 09:50:20 UTC
I reproduced the issue in 2 scenarios:
- the one described in this bug
- the one proposed by Rob, ie advancing time to renew the certs but staying in the validity period when launching ipa-kra-install.

This means that the ca-agent.p12 cert validity is probably not the issue. Looking into it further...

Comment 14 Fraser Tweedale 2017-11-15 00:44:16 UTC
There may be two issues here.  Ade and I are looking into it.

Comment 16 Petr Vobornik 2017-12-12 17:36:40 UTC
    6a8c847 Don't use admin cert during KRA installation
    ca571cf Don't use admin cert during KRA installation
    64ebd36 Don't use admin cert during KRA installation

Comment 17 Florence Blanc-Renaud 2017-12-13 15:02:18 UTC
Upstream ticket:

Comment 18 Florence Blanc-Renaud 2017-12-13 15:04:13 UTC

    2546ef6 Prevent set_directive from clobbering other keys
    1b04718 pep8: reduce line lengths in CAInstance.__enable_crl_publish
    c77f3a5 installutils: refactor set_directive
    f688b5d Add tests for installutils.set_directive
    f4001e1 Add safe DirectiveSetter context manager


    fd316b9 Prevent set_directive from clobbering other keys
    7a29a5d pep8: reduce line lengths in CAInstance.__enable_crl_publish
    241b83d installutils: refactor set_directive
    808b143 Add tests for installutils.set_directive
    342a141 Add safe DirectiveSetter context manager


    c60fcac Prevent set_directive from clobbering other keys
    929491d pep8: reduce line lengths in CAInstance.__enable_crl_publish
    a1a5853 installutils: refactor set_directive
    d3af8f6 Add tests for installutils.set_directive
    a70ce13 Add safe DirectiveSetter context manager
    1b87101 Old pylint doesn't support bad python3 option

Comment 20 anuja 2017-12-19 11:27:52 UTC
Verified using IPA version:


Marking BZ as verified. Please see attachment for console log.

Comment 26 errata-xmlrpc 2018-04-10 16:48:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

Comment 27 Florence Blanc-Renaud 2018-12-05 10:02:14 UTC
upstream test added:

Comment 28 Florence Blanc-Renaud 2018-12-06 10:34:42 UTC
upstream test added:
