Dogtag's configuration file might become corrupted during IPA upgrade.
When IPA is upgraded, it will execute the following command:
    %posttrans server
    ...
    /usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
The ipa-upgradeconfig calls ipa-setup-proxy:
    ipautil.run([paths.PKI_SETUP_PROXY,
                 '-pki_instance_root=/var/lib',
                 '-pki_instance_name=pki-ca',
                 '-subsystem_type=ca'])
The ipa-setup-proxy makes a modification to the CS.cfg:
    my $cs_cfg = "${pki_instance_conf_path}/CS.cfg";
    my $data = read_file $cs_cfg;
    $data =~ s/proxy.securePort=[\d]*\n//g;
    $data =~ s/proxy.unsecurePort=[\d]*\n//g;
    chomp($data);
    $data .= "\nproxy.securePort=$proxy_secure_port" .
             "\nproxy.unsecurePort=$proxy_unsecure_port\n";
    # backup old file
    copy_file($cs_cfg, $cs_cfg . ".pre-proxy.$$",
              $default_file_permissions, $pki_user, $pki_group);
    write_file($cs_cfg, $data);
If this happens while Dogtag is running, the CS.cfg might become corrupted because Dogtag might also be modifying the file. The IPA upgrade script should make sure that Dogtag is stopped while performing this modification.
Although the ipa-setup-proxy creates a backup, it has been shown that the backup can become corrupted as well.
Related ticket:
attachment freeipa-dkupka-0019-Stop-dogtag-when-updating-its-configuration-in-ipa-u.patch
attachment freeipa-dkupka-0019-2-ipa4x-Stop-dogtag-when-updating-its-configuration-in-ipa-u.patch
attachment freeipa-dkupka-0019-2-master-Stop-dogtag-when-updating-its-configuration-in-ipa-u.patch
attachment freeipa-dkupka-0019-3-ipa40-Stop-dogtag-when-updating-its-configuration-in-ipa-u.patch
attachment freeipa-dkupka-0019-3-ipa41-Stop-dogtag-when-updating-its-configuration-in-ipa-u.patch
attachment freeipa-dkupka-0019-3-master-Stop-dogtag-when-updating-its-configuration-in-ipa-u.patch
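The ordering the description asks for, as an added example that is not FreeIPA's code or the code of the attached patches: stop the service, take the backup, rewrite the proxy ports, and restore the previous service state. `set_proxy_ports`, `FakeService` and its `is_running`/`stop`/`start` methods are hypothetical names, and the temp-file-plus-rename write is an extra safeguard assumed here, not something the ticket describes.

```python
import os
import shutil
import tempfile

PORT_KEYS = ("proxy.securePort", "proxy.unsecurePort")

class FakeService:
    """Constructed stand-in for a Dogtag service handle (hypothetical API)."""
    def __init__(self, running=True):
        self.running, self.log = running, []
    def is_running(self):
        return self.running
    def stop(self):
        self.running = False
        self.log.append("stop")
    def start(self):
        self.running = True
        self.log.append("start")

def set_proxy_ports(cs_cfg, secure_port, unsecure_port, service):
    """Replace the proxy port lines in CS.cfg while the service is stopped."""
    was_running = service.is_running()
    if was_running:
        service.stop()  # no concurrent writer from here on
    try:
        with open(cs_cfg) as f:
            lines = [line for line in f.read().splitlines()
                     if line.split("=", 1)[0] not in PORT_KEYS]
        lines += ["proxy.securePort=%d" % secure_port,
                  "proxy.unsecurePort=%d" % unsecure_port]
        # Backup taken after the stop, so it is a consistent copy.
        shutil.copy2(cs_cfg, "%s.pre-proxy.%d" % (cs_cfg, os.getpid()))
        # Write a sibling temp file, then rename it over CS.cfg in one step.
        st = os.stat(cs_cfg)
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(cs_cfg)))
        with os.fdopen(fd, "w") as f:
            f.write("\n".join(lines) + "\n")
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, st.st_mode & 0o7777)
        if os.geteuid() == 0:  # only root can restore the original owner
            os.chown(tmp, st.st_uid, st.st_gid)
        os.replace(tmp, cs_cfg)
    finally:
        if was_running:
            service.start()  # restore the previous state, even on error
```

A service that was already stopped is left stopped, so an upgrade run on a host with Dogtag disabled does not start it.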
master:
ipa-4-1:
ipa-4-0:
Metadata Update from @edewata: - Issue assigned to dkupka - Issue set to the milestone: FreeIPA 4.0.4