URL: https://github.com/freeipa/freeipa/pull/1689 Author: flo-renaud Title: #1689: ipa-replica-install: make sure that certmonger picks the right master Action: opened
PR body: """
During ipa-replica-install, http installation first creates a service principal for http/hostname (locally on the soon-to-be-replica), then waits for this entry to be replicated on the master picked for the install.

In a later step, the installer requests a certificate for HTTPd. The local certmonger first tries the master defined in xmlrpc_uri (which is pointing to the soon-to-be-replica), but fails because the service is not up yet. Then certmonger tries to find a master by using the DNS and looking for an LDAP service. This step can pick a different master, where the principal entry has not always been replicated yet. As the certificate request adds the principal if it does not exist, we can end up re-creating the principal and having a replication conflict. The replication conflict later causes Kerberos issues, preventing the installation of a new replica.

The proposed fix forces xmlrpc_uri to point to the same master as the one picked for the installation, in order to make sure that the master already contains the principal entry.

https://pagure.io/freeipa/issue/7041
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1689/head:pr1689
git checkout pr1689
From 215eee7485eb8b131a210777bccef235d28d7c47 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Wed, 14 Mar 2018 16:13:17 +0100
Subject: [PATCH] ipa-replica-install: make sure that certmonger picks the right master

During ipa-replica-install, http installation first creates a service principal for http/hostname (locally on the soon-to-be-replica), then waits for this entry to be replicated on the master picked for the install.

In a later step, the installer requests a certificate for HTTPd. The local certmonger first tries the master defined in xmlrpc_uri (which is pointing to the soon-to-be-replica), but fails because the service is not up yet. Then certmonger tries to find a master by using the DNS and looking for an LDAP service. This step can pick a different master, where the principal entry has not always been replicated yet. As the certificate request adds the principal if it does not exist, we can end up re-creating the principal and having a replication conflict. The replication conflict later causes Kerberos issues, preventing the installation of a new replica.

The proposed fix forces xmlrpc_uri to point to the same master as the one picked for the installation, in order to make sure that the master already contains the principal entry.

https://pagure.io/freeipa/issue/7041

--- ipaserver/install/server/replicainstall.py | 40 ++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 947545ec9f..5efe068edb 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -247,6 +247,24 @@ def create_ipa_conf(fstore, config, ca_enabled): os.chmod(target_fname, 0o644) +def modify_xmlrpcuri_in_ipa_conf(master): + ipaconf = IPAChangeConf("IPA Replica Install") + ipaconf.setOptionAssignment(" = ") + ipaconf.setSectionNameDelimiters(("[", "]")) + + xmlrpc_uri = 'https://{0}/ipa/xml'.format( + ipautil.format_netloc(master)) + # [global] section + gopts = [ + ipaconf.setOption('xmlrpc_uri', xmlrpc_uri), + ] + opts = [ + ipaconf.setSection('global', gopts), + {'name': 'empty', 'type': 'empty'} + ] + ipaconf.changeConf(paths.IPA_DEFAULT_CONF, opts) + + def check_dirsrv(): (ds_unsecure, ds_secure) = dsinstance.check_ports() if not ds_unsecure or not ds_secure: @@ -1429,6 +1447,24 @@ def install(installer): # we now need to enable ssl on the ds ds.enable_ssl() + if promote: + # We need to point to the master when certmonger asks for + # HTTP certificate. + # During http installation, the HTTP/hostname principal is created + # locally then the installer waits for the entry to appear on the + # master selected for the installation. + # In a later step, the installer requests a SSL certificate through + # Certmonger (and the op adds the principal if it does not exist yet). + # If xmlrpc_uri points to the soon-to-be replica, + # the httpd service is not ready yet to handle certmonger requests + # and certmonger tries to find another master. The master can be + # different from the one selected for the installation, and it is + # possible that the principal has not been replicated yet. This + # may lead to a replication conflict. + # This is why we need to force the use of the same master by + # setting xmlrpc_uri + modify_xmlrpcuri_in_ipa_conf(master=config.master_host_name) + install_http( config, auto_redirect=not options.no_ui_redirect, 
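Review bot: modify_xmlrpcuri_in_ipa_conf has no docstring, and neither it nor the long comment at the call site says which consumer the rewrite is aimed at; the function rewrites paths.IPA_DEFAULT_CONF in place, and the only reader that matters here is the certmonger request helper that re-reads that file, so state that in a docstring (for example "Point xmlrpc_uri in /etc/ipa/default.conf at `master` so the certmonger HTTP certificate request is sent there; the caller must restore it afterwards"). The `if promote:` guard in the second hunk also deserves one line explaining why the non-promote replica-file path does not need the same redirection, since the comment describes the race in general terms that would seem to apply to both paths.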
@@ -1437,6 +1473,10 @@ def install(installer): ca_is_configured=ca_enabled, ca_file=cafile) + if promote: + # Need to point back to ourself after the cert for HTTP is obtained + modify_xmlrpcuri_in_ipa_conf(master=config.host_name) + otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', config.host_name, ipautil.realm_to_suffix(config.realm_name))
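Review bot: the restore `modify_xmlrpcuri_in_ipa_conf(master=config.host_name)` only runs when install_http returns normally; if install_http raises (a failed certificate request is exactly the case this patch is about), /etc/ipa/default.conf is left pointing xmlrpc_uri at the remote master on a half-installed replica, and nothing in the uninstall or retry path knows to put it back. Wrap the install_http call in try/finally so the restore always executes, or restore the value in the cleanup path as well.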
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
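To make the race described in the PR concrete, here is an added simulation written for this page (it is not FreeIPA code and not part of the PR). It assumes three servers (the two existing masters and the new replica) replicating adds to each other through a queue that is applied lazily, a certificate request helper that adds the principal when the chosen master lacks it (the behaviour the PR text attributes to the certificate request), and a DNS-based master pick that happens to return the master whose replication has not caught up. The entry DN and host names are invented for the example. Running it with and without pinning the request to the install master reproduces the conflict and its absence.

```python
"""Simulation of the principal re-creation race from the PR description.

Example code for this page, not FreeIPA's own code. Replication is modelled
as a per-server queue of entries written elsewhere; applying a replicated
add for a DN that already exists with a different origin is recorded as a
replication conflict, which is the failure the PR is trying to avoid.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass
class Entry:
    dn: str
    origin: str  # server whose local write created this entry


@dataclass
class Server:
    name: str
    entries: Dict[str, Entry] = field(default_factory=dict)
    inbound: Deque[Entry] = field(default_factory=deque)  # replicated, not yet applied
    conflicts: List[str] = field(default_factory=list)


class Topology:
    """Fully meshed multi-master topology with lazily applied replication."""

    def __init__(self, names):
        self.servers = {n: Server(n) for n in names}

    def write(self, server_name: str, dn: str) -> None:
        """Local add on one server; queue it for replication to every peer."""
        srv = self.servers[server_name]
        entry = Entry(dn, server_name)
        srv.entries[dn] = entry
        for peer in self.servers.values():
            if peer is not srv:
                peer.inbound.append(entry)

    def apply_replication(self, server_name: str) -> None:
        """Drain the inbound queue; same DN from a different origin is a conflict."""
        srv = self.servers[server_name]
        while srv.inbound:
            incoming = srv.inbound.popleft()
            existing = srv.entries.get(incoming.dn)
            if existing is None:
                srv.entries[incoming.dn] = incoming
            elif existing.origin != incoming.origin:
                srv.conflicts.append(
                    f"{incoming.dn}: add from {incoming.origin} "
                    f"vs existing add from {existing.origin}")
            # identical origin: the same write seen again, nothing to do


def request_cert(topo: Topology, server_name: str, principal_dn: str) -> str:
    """Certificate request as the PR describes it: add the principal if missing."""
    if principal_dn not in topo.servers[server_name].entries:
        topo.write(server_name, principal_dn)
        return "added"
    return "present"


# Constructed DN for the example; the real DN layout does not matter here.
HTTP_PRINCIPAL_DN = ("krbprincipalname=HTTP/replica.example.test@EXAMPLE.TEST,"
                     "cn=services,cn=accounts,dc=example,dc=test")


def simulate(pin_to_install_master: bool) -> dict:
    """Run the install sequence; pinning models the PR's xmlrpc_uri change."""
    topo = Topology(["master1", "master2", "replica"])
    # 1. the installer creates HTTP/<host> in the replica's own directory
    topo.write("replica", HTTP_PRINCIPAL_DN)
    # 2. it waits until the install master (master1) has the entry;
    #    master2 lags and still has the add queued
    topo.apply_replication("master1")
    # 3. certmonger picks a master: the install master when pinned,
    #    otherwise assume the DNS lookup returns the lagging master2
    target = "master1" if pin_to_install_master else "master2"
    outcome = request_cert(topo, target, HTTP_PRINCIPAL_DN)
    # 4. replication eventually catches up everywhere
    for name in topo.servers:
        topo.apply_replication(name)
    return {
        "target": target,
        "request": outcome,
        "conflicts": {n: list(s.conflicts) for n, s in topo.servers.items()},
    }


def total_conflicts(result: dict) -> int:
    return sum(len(c) for c in result["conflicts"].values())


if __name__ == "__main__":
    for pinned in (False, True):
        r = simulate(pinned)
        print(f"pinned={pinned} target={r['target']} request={r['request']} "
              f"conflicts={total_conflicts(r)}")
```

Without pinning, master2 creates a second copy of the principal and every server records a conflict once the two adds meet; with the request pinned to the master that already holds the replicated entry, the helper finds the principal present and nothing is re-created.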