FreeIPA configured with CA on the master and no CA on the replica. If I renew the IPA RA agent on the master, then try to renew the same on the replica, the operation fails on the replica:
```
Request ID '20170324090012':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://replica.example.com:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=IPA RA,O=EXAMPLE.COM
	expires: 2019-03-14 08:53:32 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
```
Note that the agent tries to contact Dogtag on the replica but Dogtag is only installed on the server. The agent should rather try to download the certificate from LDAP.
The issue happens because of a bug in /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit, where the code checks if the certificate is replicated in order to either request renewal or download the renewed cert:
```python
def is_replicated():
    return not get_nickname()
```
The code should do the opposite, i.e. a cert is replicated if get_nickname() returns a name.
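A small model of the dispatch the issue describes, added here as an illustration and not code from the FreeIPA project: the `ipaCert` nickname, the `renewal_master` flag and the action labels are assumptions made for this example. It shows why the inverted test sends a CA-less replica to its local Dogtag instead of to LDAP.

```python
"""Model of is_replicated() in dogtag-ipa-ca-renew-agent-submit (constructed example)."""


def is_replicated_buggy(nickname):
    # Version quoted in the issue: a cert WITH a nickname is treated as not replicated.
    return not nickname


def is_replicated_fixed(nickname):
    # Behaviour the issue asks for: a nickname means the cert lives in LDAP and is replicated.
    return bool(nickname)


def plan_renewal(is_replicated, nickname, renewal_master):
    """Return the action the helper would take on this host (labels are assumptions).

    'request-ca'       : submit a renewal request to the local Dogtag CA
    'request-ca+store' : renewal master requests from the CA and publishes the cert to LDAP
    'retrieve-ldap'    : fetch the already-renewed cert from the shared LDAP entry
    """
    if not is_replicated(nickname):
        return 'request-ca'
    if renewal_master:
        return 'request-ca+store'
    return 'retrieve-ldap'


def reproduce_issue():
    """Scenario from the report: IPA RA agent cert on a replica that has no CA."""
    nickname = 'ipaCert'  # assumed nickname of the RA agent cert in LDAP
    buggy = plan_renewal(is_replicated_buggy, nickname, renewal_master=False)
    fixed = plan_renewal(is_replicated_fixed, nickname, renewal_master=False)
    return buggy, fixed


if __name__ == '__main__':
    buggy, fixed = reproduce_issue()
    print('buggy helper on CA-less replica :', buggy)   # request-ca -> CA_UNREACHABLE
    print('fixed helper on CA-less replica :', fixed)   # retrieve-ldap
```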
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/652
master:
e934da0 dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function

ipa-4-5:
8f738f1 dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
Metadata Update from @jcholast: - Issue close_status updated to: fixed - Issue set to the milestone: FreeIPA 4.5.1 - Issue status updated to: Closed (was: Open)
Metadata Update from @jcholast: - Issue tagged with: regression
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436724
Issue linked to bug 1436724