From 13d111faedfd5cbd0a7382e566edda7bd9ffc7ad Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 14 Mar 2018 16:13:17 +0100
Subject: [PATCH] ipa-replica-install: make sure that certmonger picks the
right master
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always been replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.
The replication conflict later causes kerberos issues, preventing
from installing a new replica.
The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.
https://pagure.io/freeipa/issue/7041
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/server/replicainstall.py | 42 +++++++++++++++++++++++++++---
1 file changed, 39 insertions(+), 3 deletions(-)
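diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6aa1157133423e854514de61a69810433e436d2f..5a37aea0ac913d5c9cb88346345ba5760a9e923d 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -194,7 +194,16 @@ def install_dns_records(config, options, remote_api):
 'on master: %s', str(e))
 
 
-def create_ipa_conf(fstore, config, ca_enabled):
+def create_ipa_conf(fstore, config, ca_enabled, master=None):
+ """
+ Create /etc/ipa/default.conf master configuration
+ :param fstore: sysrestore file store used for backup and restore of
+ the server configuration
+ :param config: replica config
+ :param ca_enabled: True if the topology includes a CA
+ :param master: if set, the xmlrpc_uri parameter will use the provided
+ master instead of this host
+ """
 # Save client file on Domain Level 1
 target_fname = paths.IPA_DEFAULT_CONF
 fstore.backup_file(target_fname)
@@ -203,8 +212,12 @@ def create_ipa_conf(fstore, config, ca_enabled):
 ipaconf.setOptionAssignment(" = ")
 ipaconf.setSectionNameDelimiters(("[", "]"))
 
- xmlrpc_uri = 'https://{0}/ipa/xml'.format(
- ipautil.format_netloc(config.host_name))
+ if master:
+ xmlrpc_uri = 'https://{0}/ipa/xml'.format(
+ ipautil.format_netloc(master))
+ else:
+ xmlrpc_uri = 'https://{0}/ipa/xml'.format(
+ ipautil.format_netloc(config.host_name))
 ldapi_uri = 'ldapi://%2fvar%2frun%2fslapd-{0}.socket\n'.format(
 installutils.realm_to_serverid(config.realm_name))
 
@@ -1431,6 +1444,25 @@ def install(installer):
 # we now need to enable ssl on the ds
 ds.enable_ssl()
 
+ if promote:
+ # We need to point to the master when certmonger asks for
+ # HTTP certificate.
+ # During http installation, the HTTP/hostname principal is created
+ # locally then the installer waits for the entry to appear on the
+ # master selected for the installation.
+ # In a later step, the installer requests a SSL certificate through
+ # Certmonger (and the op adds the principal if it does not exist yet).
+ # If xmlrpc_uri points to the soon-to-be replica,
+ # the httpd service is not ready yet to handle certmonger requests
+ # and certmonger tries to find another master. The master can be
+ # different from the one selected for the installation, and it is
+ # possible that the principal has not been replicated yet. This
+ # may lead to a replication conflict.
+ # This is why we need to force the use of the same master by
+ # setting xmlrpc_uri
+ create_ipa_conf(fstore, config, ca_enabled,
+ master=config.master_host_name)
+
 install_http(
 config,
 auto_redirect=not options.no_ui_redirect,
@@ -1439,6 +1471,10 @@ def install(installer):
 ca_is_configured=ca_enabled,
 ca_file=cafile)
 
+ if promote:
+ # Need to point back to ourself after the cert for HTTP is obtained
+ create_ipa_conf(fstore, config, ca_enabled)
+
 otpd = otpdinstance.OtpdInstance()
 otpd.create_instance('OTPD', config.host_name,
 ipautil.realm_to_suffix(config.realm_name))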
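Review bot: In the third hunk (install(), right after ds.enable_ssl()) the promote branch rewrites /etc/ipa/default.conf so that xmlrpc_uri names config.master_host_name, but the matching restore in the fourth hunk only runs on the straight-line path after install_http returns; if install_http raises, this host is left with a default.conf whose xmlrpc_uri points at another server. The sysrestore backup taken inside create_ipa_conf may undo that on uninstall, but that is not visible in this diff, so the restore should be made unconditional with try/finally around the install_http call; install()'s body and the install_http argument list continue outside these hunks. Separately, the two branches added in the second hunk build the same URL, and `xmlrpc_uri = 'https://{0}/ipa/xml'.format(ipautil.format_netloc(master or config.host_name))` collapses them without changing behaviour.
```python
    # … unchanged: promote branch that redirects xmlrpc_uri to config.master_host_name …

    try:
        install_http(
            # … unchanged: install_http arguments …
            ca_file=cafile)
    finally:
        if promote:
            # Point xmlrpc_uri back to this host even if install_http failed,
            # so default.conf never stays pointed at the master.
            create_ipa_conf(fstore, config, ca_enabled)
```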
--
2.14.3