areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
Clone

Blame SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch

8558a7
From 13d111faedfd5cbd0a7382e566edda7bd9ffc7ad Mon Sep 17 00:00:00 2001
8558a7
From: Florence Blanc-Renaud <flo@redhat.com>
8558a7
Date: Wed, 14 Mar 2018 16:13:17 +0100
8558a7
Subject: [PATCH] ipa-replica-install: make sure that certmonger picks the
8558a7
 right master
8558a7
8558a7
During ipa-replica-install, http installation first creates a service
8558a7
principal for http/hostname (locally on the soon-to-be-replica), then
8558a7
waits for this entry to be replicated on the master picked for the
8558a7
install.
8558a7
In a later step, the installer requests a certificate for HTTPd. The local
8558a7
certmonger first tries the master defined in xmlrpc_uri (which is
8558a7
pointing to the soon-to-be-replica), but fails because the service is not
8558a7
up yet. Then certmonger tries to find a master by using the DNS and looking
8558a7
for a ldap service. This step can pick a different master, where the
8558a7
principal entry has not always be replicated yet.
8558a7
As the certificate request adds the principal if it does not exist, we can
8558a7
end by re-creating the principal and have a replication conflict.
8558a7
8558a7
The replication conflict later causes kerberos issues, preventing
8558a7
from installing a new replica.
8558a7
8558a7
The proposed fix forces xmlrpc_uri to point to the same master as the one
8558a7
picked for the installation, in order to make sure that the master already
8558a7
contains the principal entry.
8558a7
8558a7
https://pagure.io/freeipa/issue/7041
8558a7
8558a7
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
8558a7
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
8558a7
---
8558a7
 ipaserver/install/server/replicainstall.py | 42 +++++++++++++++++++++++++++---
8558a7
 1 file changed, 39 insertions(+), 3 deletions(-)
8558a7
8558a7
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
8558a7
index 6aa1157133423e854514de61a69810433e436d2f..5a37aea0ac913d5c9cb88346345ba5760a9e923d 100644
8558a7
--- a/ipaserver/install/server/replicainstall.py
8558a7
+++ b/ipaserver/install/server/replicainstall.py
8558a7
@@ -194,7 +194,16 @@ def install_dns_records(config, options, remote_api):
8558a7
                          'on master: %s', str(e))
8558a7
 
8558a7
 
8558a7
-def create_ipa_conf(fstore, config, ca_enabled):
8558a7
+def create_ipa_conf(fstore, config, ca_enabled, master=None):
8558a7
+    """
8558a7
+    Create /etc/ipa/default.conf master configuration
8558a7
+    :param fstore: sysrestore file store used for backup and restore of
8558a7
+                   the server configuration
8558a7
+    :param config: replica config
8558a7
+    :param ca_enabled: True if the topology includes a CA
8558a7
+    :param master: if set, the xmlrpc_uri parameter will use the provided
8558a7
+                   master instead of this host
8558a7
+    """
8558a7
     # Save client file on Domain Level 1
8558a7
     target_fname = paths.IPA_DEFAULT_CONF
8558a7
     fstore.backup_file(target_fname)
8558a7
@@ -203,8 +212,12 @@ def create_ipa_conf(fstore, config, ca_enabled):
8558a7
     ipaconf.setOptionAssignment(" = ")
8558a7
     ipaconf.setSectionNameDelimiters(("[", "]"))
8558a7
 
8558a7
-    xmlrpc_uri = 'https://{0}/ipa/xml'.format(
8558a7
-                    ipautil.format_netloc(config.host_name))
8558a7
+    if master:
8558a7
+        xmlrpc_uri = 'https://{0}/ipa/xml'.format(
8558a7
+            ipautil.format_netloc(master))
8558a7
+    else:
8558a7
+        xmlrpc_uri = 'https://{0}/ipa/xml'.format(
8558a7
+                        ipautil.format_netloc(config.host_name))
8558a7
     ldapi_uri = 'ldapi://%2fvar%2frun%2fslapd-{0}.socket\n'.format(
8558a7
                     installutils.realm_to_serverid(config.realm_name))
8558a7
 
8558a7
@@ -1431,6 +1444,25 @@ def install(installer):
8558a7
     # we now need to enable ssl on the ds
8558a7
     ds.enable_ssl()
8558a7
 
8558a7
+    if promote:
8558a7
+        # We need to point to the master when certmonger asks for
8558a7
+        # HTTP certificate.
8558a7
+        # During http installation, the HTTP/hostname principal is created
8558a7
+        # locally then the installer waits for the entry to appear on the
8558a7
+        # master selected for the installation.
8558a7
+        # In a later step, the installer requests a SSL certificate through
8558a7
+        # Certmonger (and the op adds the principal if it does not exist yet).
8558a7
+        # If xmlrpc_uri points to the soon-to-be replica,
8558a7
+        # the httpd service is not ready yet to handle certmonger requests
8558a7
+        # and certmonger tries to find another master. The master can be
8558a7
+        # different from the one selected for the installation, and it is
8558a7
+        # possible that the principal has not been replicated yet. This
8558a7
+        # may lead to a replication conflict.
8558a7
+        # This is why we need to force the use of the same master by
8558a7
+        # setting xmlrpc_uri
8558a7
+        create_ipa_conf(fstore, config, ca_enabled,
8558a7
+                        master=config.master_host_name)
8558a7
+
8558a7
     install_http(
8558a7
         config,
8558a7
         auto_redirect=not options.no_ui_redirect,
8558a7
@@ -1439,6 +1471,10 @@ def install(installer):
8558a7
         ca_is_configured=ca_enabled,
8558a7
         ca_file=cafile)
8558a7
 
8558a7
+    if promote:
8558a7
+        # Need to point back to ourself after the cert for HTTP is obtained
8558a7
+        create_ipa_conf(fstore, config, ca_enabled)
8558a7
+
8558a7
     otpd = otpdinstance.OtpdInstance()
8558a7
     otpd.create_instance('OTPD', config.host_name,
8558a7
                          ipautil.realm_to_suffix(config.realm_name))
8558a7
-- 
8558a7
2.14.3
8558a7