0f31564 ipa-replica-install: make sure that certmonger picks the right master

Authored and Committed by frenaud 6 years ago
    ipa-replica-install: make sure that certmonger picks the right master
    
    During ipa-replica-install, http installation first creates a service
    principal for http/hostname (locally on the soon-to-be-replica), then
    waits for this entry to be replicated on the master picked for the
    install.
    In a later step, the installer requests a certificate for HTTPd. The local
    certmonger first tries the master defined in xmlrpc_uri (which is
    pointing to the soon-to-be-replica), but fails because the service is not
    up yet. Then certmonger tries to find a master by using the DNS and looking
    for an LDAP service. This step can pick a different master, where the
    principal entry has not always been replicated yet.
    As the certificate request adds the principal if it does not exist, we can
    end up re-creating the principal and having a replication conflict.
    
    The replication conflict later causes Kerberos issues, preventing
    the installation of a new replica.
    
    The proposed fix forces xmlrpc_uri to point to the same master as the one
    picked for the installation, in order to make sure that the master already
    contains the principal entry.
    
    https://pagure.io/freeipa/issue/7041
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>