freeipa

Clone
Source Code
GIT

#3727 IPA PKI cannot publish CRL after upgrade
Closed: Fixed None Opened 10 years ago by mkosek.

Closed: Fixed
Reopen Issue

The directory where IPA PKI publishes CRL (/var/lib/ipa/pki-ca/publish/) gets wrong ownership after freeipa-server package reinstall which leads to PKI not being able to update CRL in this directory:

# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root pkiuser 12288 May 17 04:49 .     <<< owned by pkiuser group
drwxr-xr-x. 3 root    root     4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser   414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser    57 May 17 01:00 MasterCRL.bin ->
/var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der

/var/lib/ipa/pki-ca/publish/ changes when freeipa-server package gets reinstalled or updated:

# yum reinstall freeipa-server
...
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root    root    12288 May 17 04:49 .     <<< owned by root
drwxr-xr-x. 3 root    root     4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser   414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser    57 May 17 01:00 MasterCRL.bin ->
/var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der

PKI then logs errors like these:

/var/log/pki-ca/system
...
1585.CRLIssuingPoint-MasterCRL - [13/Jun/2013:21:00:00 EDT] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20130613-210000.temp (Permission denied)
1585.CRLIssuingPoint-MasterCRL - [14/Jun/2013:01:00:00 EDT] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20130614-010000.temp (Permission denied)

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=975431

Seems like ticket is in the wrong bucket.

Replying to [comment:5 dpal]:

Seems like ticket is in the wrong bucket.

It shouldn't be - this is intended to be fixed in FreeIPA 3.2.2 bugfixing release.

master:[[BR]]
7a10560 Change group ownership of CRL publish directory[[BR]]

ipa-3-2:[[BR]]
1a5daf0 Change group ownership of CRL publish directory[[BR]]

Metadata Update from @mkosek:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.2.x - 2013/07 (bug fixing)
7 years ago

Login to comment on this ticket.

Metadata
None
None
None
important
None
None
None
None
defect
None
None
Upgrade
None
1
None
None
None
None
https://bugzilla.redhat.com/show_bug.cgi?id=975431
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.