Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2092015
<Continuation of the issue> https://bugzilla.redhat.com/show_bug.cgi?id=2029023 - this bug tracks the issue with attribute name for pki-tomcat (secret changed to sharedSecret),
https://bugzilla.redhat.com/show_bug.cgi?id=2061458 - this bug fixes the config if the old secret is present in /etc/pki/pki-tomcat/server.xml
Now, as we can see in https://github.com/dogtagpki/pki/commit/bbdb82268026821cd6a00edae09cc30079effd30#diff-d448de858fda07d3c3395089190c9259e97541e42204ef3bce21945e4d7d5e61R880
if the correct attributes are in place, their value is not checked. But since it's a new attribute on the PKI side, it usually has a different value.
We discussed this issue with Endi Dewata, and, as ipa-pki-proxy.conf is IPA's responsibility, it's probably a good idea to keep track of modifying it on the IPA team's side.
Version-Release number of selected component (if applicable): Verified on 8.5, ipa-server-4.9.6-12.module+el8.5.0+14525+2137cc8f.x86_64, pki-server-10.11.2-5.module+el8.5.0+14437+bc030dcc.noarch
How reproducible: should be every time sharedSecret is added into /etc/pki/pki-tomcat/server.xml
Steps to Reproduce: 1. 2. 3.
Actual results: [wsgi:error] [pid 1884012:tid 139838145005312] [remote 172.22.154.43:34178] ipa: ERROR: ra.find(): Unable to communicate with CMS (403)
Expected results: httpd can communicate with CA correctly
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2092015
Metadata Update from @rcritten: - Issue assigned to rcritten
master:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
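The mismatch reported in this ticket can be detected by comparing the values, not just the presence, of the AJP secret attributes in server.xml against the secret used on the httpd proxy side. The following is an added example, not code from IPA or PKI; it assumes the proxy config carries `secret=` on its `ajp://` lines, and the sample file contents and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names as given in the ticket; values below are constructed samples.
SECRET_ATTRS = ("secret", "sharedSecret")
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="localhost4" sharedSecret="NEWvalue"/>
  <Connector port="8443" protocol="HTTP/1.1"/>
</Service></Server>"""
SAMPLE_PROXY_CONF = """# constructed sample of an httpd AJP proxy stanza
<LocationMatch "^/ca/example">
    ProxyPassMatch ajp://localhost:8009 secret=OLDvalue
</LocationMatch>"""

def ajp_connector_secrets(server_xml):
    """Return [(label, {attr: value})] for each AJP <Connector> in server.xml text."""
    out = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP"):
            label = f"{conn.get('address', '*')}:{conn.get('port')}"
            out.append((label, {a: conn.get(a) for a in SECRET_ATTRS if conn.get(a)}))
    return out

def proxy_secrets(proxy_conf):
    """Return the set of secret= values on uncommented ajp:// proxy lines."""
    secrets = set()
    for line in proxy_conf.splitlines():
        line = line.strip()
        if line.startswith("#") or "ajp://" not in line:
            continue
        secrets.update(v.strip('"') for v in re.findall(r"\bsecret=(\S+)", line))
    return secrets

def find_mismatches(server_xml, proxy_conf):
    """List problems without echoing any secret value into the report."""
    httpd = proxy_secrets(proxy_conf)
    problems = [] if httpd else ["no secret= on any ajp:// proxy line"]
    for label, attrs in ajp_connector_secrets(server_xml):
        if not attrs:
            problems.append(f"connector {label}: no secret attribute set")
        for attr, value in attrs.items():
            if httpd and value not in httpd:
                problems.append(f"connector {label}: {attr} does not match httpd secret")
    return problems

if __name__ == "__main__":
    for p in find_mismatches(SAMPLE_SERVER_XML, SAMPLE_PROXY_CONF):
        print("MISMATCH:", p)
```

Run it against the real files by reading /etc/pki/pki-tomcat/server.xml and the deployed ipa-pki-proxy.conf into the two arguments; the report names the connector and attribute but never prints the secret itself.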