#2624 Upgrading to latest IPA and pki(dogtag) breaks IPA system
Closed: duplicate 6 years ago Opened 7 years ago by mharmsen.

After upgrading to the latest packages of ipaserver and pki-core/dogtag, ipaserver
doesn't start anymore and hangs at pki-tomcatd.

The system was working before and I install updates as soon as they are
available. The problem has existed since the latest update on 01/19/2017.

After some time it gets a timeout:

[root@ipaserver ~]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that
a non-critical service failed
Aborting ipactl

The log /var/log/pki/pki-tomcat/ca/selftest.log:

0.localhost-startStop-1 - [19/Jan/2017:10:17:21 MEZ] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [19/Jan/2017:10:17:21 MEZ] [20] [1] SystemCertsVerification: system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8101) Certificate type not approved for application.
0.localhost-startStop-1 - [19/Jan/2017:10:17:21 MEZ] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

This is the ONLY log entry in selftest.log directly after the upgrade of the server.
No further logs in selftest.log (?!). It seems that it doesn't reach this point
anymore.

Here's the output for the certificates:

[root@ipaserver pki-tomcat]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,cu,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u

If I try to change the settings for auditSigningCert with:

certutil -M -d /var/lib/pki/pki-tomcat/ca/alias/ -n "auditSigningCert cert-pki-ca" -t "u,u,Pu"

The new permissions are set but "ipactl start" breaks with the same error.

How reproducible:

I'm not sure. Maybe upgrading to the latest ipaserver or pki/dogtag, or maybe there
was a broken ipa-cacert-manage renew?

Additional info:

Maybe this bug is also related to
https://bugzilla.redhat.com/show_bug.cgi?id=1390319
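As an added example (not from the report and not Dogtag or IPA project code), a small Python parser for the selftest.log format quoted above: it extracts the invalid certificate nickname, its NSS error code and the self-test plugin that failed, and reports whether a CRITICAL startup failure, the case that stops pki-tomcatd and makes ipactl abort, is present. The sample log is constructed from the three entries in the report; the name for NSS error -8101 is the standard SEC_ERROR_INADEQUATE_CERT_TYPE.

```python
import re

# Constructed sample modelled on the three selftest.log lines quoted in the
# report (one entry per line; the tracker wrapped the originals).
SAMPLE_SELFTEST_LOG = """\
0.localhost-startStop-1 - [19/Jan/2017:10:17:21 MEZ] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [19/Jan/2017:10:17:21 MEZ] [20] [1] SystemCertsVerification: system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8101) Certificate type not approved for application.
0.localhost-startStop-1 - [19/Jan/2017:10:17:21 MEZ] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
"""

# Entry layout: thread - [timestamp] [n1] [n2] Plugin: message
# (n1/n2 are the numeric fields Dogtag logs; the report does not say what they mean)
ENTRY_RE = re.compile(
    r"^(?P<thread>\S+) - \[(?P<ts>[^\]]+)\] \[(?P<n1>\d+)\] \[(?P<n2>\d+)\] "
    r"(?P<plugin>\w+): (?P<msg>.*)$")
INVALID_CERT_RE = re.compile(
    r"Certificate (?P<nick>.+?) is invalid: .*?\((?P<code>-?\d+)\) (?P<reason>.*?)\.?$")
FAILED_PLUGIN_RE = re.compile(
    r"The (?P<level>\S+) self test plugin called (?P<name>\S+) running at (?P<when>\w+) FAILED!")

# NSS error -8101 is SEC_ERROR_INADEQUATE_CERT_TYPE; extend the map as needed.
NSS_ERROR_NAMES = {-8101: "SEC_ERROR_INADEQUATE_CERT_TYPE"}


def parse_selftest_log(text):
    """Return one dict per parsable selftest.log entry (unparsable lines are skipped)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_failures(text):
    """Summarise invalid system certs and failed self-test plugins.

    A CRITICAL plugin failing at startup is what keeps pki-tomcatd from
    coming up, so that condition is reported as startup_blocked.
    """
    invalid_certs, failed_plugins = [], []
    for e in parse_selftest_log(text):
        if e["plugin"] == "SystemCertsVerification":
            m = INVALID_CERT_RE.search(e["msg"])
            if m:
                code = int(m["code"])
                invalid_certs.append((m["nick"], code,
                                      NSS_ERROR_NAMES.get(code, "unknown"), m["reason"]))
        elif e["plugin"] == "SelfTestSubsystem":
            m = FAILED_PLUGIN_RE.search(e["msg"])
            if m:
                failed_plugins.append((m["level"], m["name"], m["when"]))
    return {"invalid_certs": invalid_certs, "failed_plugins": failed_plugins,
            "startup_blocked": any(lvl == "CRITICAL" and when == "startup"
                                   for lvl, _, when in failed_plugins)}
```

Run it against the real file with `find_failures(open("/var/log/pki/pki-tomcat/ca/selftest.log").read())` to get the same summary for a live instance.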


Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1415852

7 years ago

Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to IPA
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: major

7 years ago

Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.

Metadata Update from @mharmsen:
- Issue set to the milestone: FUTURE (was: 10.4)

6 years ago

Petr Vobornik 2017-09-20 04:42:42 EDT

I think this issue can be closed.

The ideal solution would be if Dogtag could verify its input without doing an actual installation, so that IPA could run this validation in the validation step of the IPA installer and not in the CA installation step, where part of the server is already configured. There is a Dogtag RFE, I believe it is called --dry-run, to implement this.

CLOSING issue as DUPLICATE of "Pagure Issue #1727 - Validate input in pkispawn, add dry run option".

Metadata Update from @mharmsen:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.0 (was: FUTURE)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2744

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
