[Freeipa-users] Re: Unable to communicate with CMS (403)

Sam Morris via FreeIPA-users Thu, 16 Dec 2021 15:41:44 -0800

> The CA has its own upgrade code which runs unconditionally and I think
> that's how both secret and requiredSecret got added to server.xml. I
> wasn't able to duplicate the 403 though, it always just worked for me.
> Perhaps it has to go through more than one upgrade cycle. I did my
> testing on RHEL 8.
> 
> I filed https://bugzilla.redhat.com/show_bug.cgi?id=2006070 against
> pki-core.


I think I just ran into this, or a related issue, when upgrading today on two 
RHEL 8 machines.

According to etckeeper (great tool!):

    Package changes:
    -0:ipa-client-4.9.6-6.module+el8.5.0+12660+88e16a2c.x86_64
    -0:ipa-client-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
    -0:ipa-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
    +0:ipa-client-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
    +0:ipa-client-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
    +0:ipa-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
    -0:ipa-server-4.9.6-6.module+el8.5.0+12660+88e16a2c.x86_64
    -0:ipa-server-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
    -0:ipa-server-dns-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
    +0:ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
    +0:ipa-server-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
    +0:ipa-server-dns-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
    -0:python3-ipaclient-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
    -0:python3-ipalib-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
    -0:python3-ipaserver-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
    +0:python3-ipaclient-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
    +0:python3-ipalib-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
    +0:python3-ipaserver-4.9.6-10.module+el8.5.0+13587+92118e57.noarch

Upgrading the above *added* requiredSecret="newSecret" to the AJP Connector 
elements within /etc/pki/pki-tomcat/server.xml.

The existing secret="oldSecret" attribute was not changed. Neither was 
"secret=oldSecret" changed in the ProxyPassMatch directives in 
/etc/httpd/conf.d/ipa-pki-proxy.conf.

It looks like tomcat uses the value of requiredSecret= in preference to secret= 
if both are supplied.

The fix was to remove requiredSecret="newSecret" from the tomcat config file & 
restart pki-tomcatd@pki-tomcat.

But that bugzilla is about migrating from requiredSecret="oldSecret" -> 
secret="oldSecret". So I'm not sure I've hit that bug exactly...

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-users] Re: Unable to communicate with CMS (403)

Reply via email to