#6375 ipa-replica-install fails when replica file created after ipa-ca-install on domain level 0
Closed: Fixed. Opened 7 years ago by frenaud.

ipa-replica-install fails when using a replica file created on a domain-level 0 master upgraded from ca-less to ca-full.

Steps to reproduce:
1/ Install the FreeIPA server on the CA-less master with these options:

ipa-server-install --setup-dns \
  --auto-forwarders \
  --auto-reverse \
  -n $DOMAIN \
  -r $REALM \
  -p $PASSWORD -a $PASSWORD \
  --dirsrv-cert-file=$NSSDB/ca1/server.p12 \
  --dirsrv-pin=$PASSWORD \
  --http-cert-file=$NSSDB/ca1/server.p12 \
  --http-pin=$PASSWORD \
  --domain-level 0 \
  -U

2/ Upgrade the master from CA-less to CA-full:

ipa-ca-install

3/ Prepare a replica file:

ipa-replica-prepare $REPLICA_FQDN

4/ Install the FreeIPA server on the replica:

ipa-replica-install $PATH_TO_GPG_FILE

The installation fails with

WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password:

ipa         : ERROR    Could not find a CA cert in /tmp/tmpOT9yK7ipa/realm_info/dscert.p12
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Server cert is not valid. Please run ipa-replica-prepare to create a new replica file.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

The issue happens when validating the certificate chain. The installer creates a temporary NSS db with the content of <gpg file>/realm_info/dscert.p12 and <gpg file>/realm_info/ca.crt, but ca.crt does not contain the IPA CA (it contains only the external CA used during the CA-less installation).

The fix should make sure that the ca.crt file used inside the gpg file contains all the required certificates.


A possible fix would be to create the gpg file with a ca.crt built from the list of CA certificates stored in LDAP instead of simply copying /etc/ipa/ca.crt.
The list of CA certs is available in cn=certificates,cn=ipa,cn=etc,$BASEDN

Is there a workaround?

Does running ipa-cert-install after ipa-ca-install help?

The workaround is to run ipa-certupdate after ipa-ca-install. This step will update /etc/ipa/ca.crt with the LDAP certificates (including the new IPA CA).
A bz has been opened to track this doc issue (see 1381213).
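The chain validation described in the report and the ipa-certupdate workaround above, as an added example that is not part of the ticket or of FreeIPA's own code: a shell script with two pre-flight checks. `master` compares the fingerprints of /etc/ipa/ca.crt against the CA certificates stored in cn=certificates,cn=ipa,cn=etc,$BASEDN (anything present in LDAP but missing locally means ipa-certupdate has not been run since ipa-ca-install); `replica` decrypts a replica file and redoes the verification the installer performs, with openssl instead of a temporary NSS db. Assumed here rather than taken from the ticket: the script name check-ca-bundle.sh and all function names; that the replica file is a symmetrically gpg-encrypted tar carrying realm_info/ca.crt, dscert.p12 with dirsrv_pin.txt and httpcert.p12 with http_pin.txt, with the Directory Manager password as the gpg passphrase; and that openssl, gpg, tar and an ldapsearch backed by a Kerberos ticket are available.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Pre-flight checks for the CA bundle
# that ipa-replica-install validates. Assumptions: the replica file is a
# symmetrically gpg-encrypted tar whose realm_info/ holds ca.crt, dscert.p12
# (+ dirsrv_pin.txt) and httpcert.p12 (+ http_pin.txt); the gpg passphrase is
# the Directory Manager password; openssl, gpg, tar and ldapsearch are present.

# Count the certificates in a PEM bundle (pure text, no openssl needed).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a PEM bundle into $2/cert-1.pem, cert-2.pem, ...; text outside the
# BEGIN/END markers is dropped. Prints the number of files written.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
    ls "$2"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Sorted SHA-256 fingerprints of every certificate in a PEM bundle.
pem_fingerprints() {
    local d; d=$(mktemp -d)
    split_pem_bundle "$1" "$d" >/dev/null
    for f in "$d"/cert-*.pem; do
        [ -f "$f" ] && openssl x509 -in "$f" -noout -fingerprint -sha256
    done | sort
    rm -rf "$d"
}

# The CA certificates stored in LDAP as a PEM bundle. ldapsearch folds long
# values onto continuation lines starting with a space; join them first.
ldap_ca_bundle() {
    ldapsearch -LLL -Q -Y GSSAPI -b "cn=certificates,cn=ipa,cn=etc,$1" \
        '(cACertificate=*)' 'cACertificate;binary' \
      | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n //g' \
      | sed -n 's/^cACertificate;binary:: //p' \
      | while read -r b64; do
            printf '%s\n' '-----BEGIN CERTIFICATE-----'
            printf '%s\n' "$b64" | fold -w 64
            printf '%s\n' '-----END CERTIFICATE-----'
        done
}

# Master-side check: is every CA cert in LDAP also in /etc/ipa/ca.crt? If not,
# ipa-replica-prepare would ship an incomplete ca.crt: run ipa-certupdate first.
check_master_bundle() {
    local d missing; d=$(mktemp -d)
    ldap_ca_bundle "$1" > "$d/ldap-ca.pem"
    pem_fingerprints "$d/ldap-ca.pem" > "$d/ldap.fp"
    pem_fingerprints /etc/ipa/ca.crt > "$d/local.fp"
    missing=$(comm -23 "$d/ldap.fp" "$d/local.fp")
    rm -rf "$d"
    if [ -n "$missing" ]; then
        echo "In LDAP but missing from /etc/ipa/ca.crt (run ipa-certupdate):"
        echo "$missing"
        return 1
    fi
    echo "/etc/ipa/ca.crt matches the CA certificates stored in LDAP"
}

# Replica-side check: redo the chain validation that fails in the log above
# before ipa-replica-install touches the system. Only the end-entity cert is
# taken from each .p12, so the chain has to come from realm_info/ca.crt, as in
# the installer's temporary NSS db. $1 = replica-info-<fqdn>.gpg, DM password on stdin.
check_replica_file() {
    local d info rc p12 pin; d=$(mktemp -d); rc=0
    gpg --batch --quiet --passphrase-fd 0 -d "$1" | tar -x -C "$d"
    info="$d/realm_info"
    echo "realm_info/ca.crt carries $(count_pem_certs "$info/ca.crt") CA certificate(s)"
    for p12 in dscert:dirsrv_pin httpcert:http_pin; do
        pin="$info/${p12#*:}.txt"; p12="$info/${p12%%:*}.p12"
        [ -f "$p12" ] || continue
        openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "file:$pin" -out "$p12.pem"
        if openssl verify -CAfile "$info/ca.crt" "$p12.pem" >/dev/null 2>&1; then
            echo "OK  $(basename "$p12") chains to a CA in realm_info/ca.crt"
        else
            echo "BAD $(basename "$p12"): $(openssl x509 -in "$p12.pem" -noout -issuer) not in ca.crt"
            echo "    -> run ipa-certupdate on the master, then ipa-replica-prepare again"
            rc=1
        fi
    done
    rm -rf "$d"
    return $rc
}

# Usage: sh check-ca-bundle.sh master BASEDN | sh check-ca-bundle.sh replica FILE.gpg
case "${1:-}" in
    master)  check_master_bundle "$2" ;;
    replica) check_replica_file "$2" ;;
esac
```

Run `sh check-ca-bundle.sh master dc=example,dc=test` on the master (after kinit admin) before ipa-replica-prepare, and `sh check-ca-bundle.sh replica replica-info-$REPLICA_FQDN.gpg` with the Directory Manager password on stdin on the replica before ipa-replica-install; a BAD line is the same condition that the installer reports as "Could not find a CA cert".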

master:

  • 044d887 Fix ipa-replica-install when upgrade from ca-less to ca-full

Metadata Update from @frenaud:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.5
