With CA-less master and CA-less replica, attempting to install CA on replica
would fail. LDAPS has to be enabled during replica promotion, because it is
required by Dogtag.
https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Installation in pure IPv6 environment failed because pki-tomcat tried to use
IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4 fixes
this issue.
https://fedorahosted.org/freeipa/ticket/4291
Reviewed-By: Martin Basti <mbasti@redhat.com>
Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.
https://bugzilla.redhat.com/show_bug.cgi?id=1353936https://fedorahosted.org/freeipa/ticket/6056
Reviewed-By: Martin Basti <mbasti@redhat.com>
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.
The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.
Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
Prompt for PIN only once in interactive mode.
This fixes ipa-server-install, ipa-server-certinstall and
ipa-replica-prepare prompting over and over when the PIN is empty.
https://fedorahosted.org/freeipa/ticket/6032
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Disconnecting topology/removing last-role-host during server
uninstallation should raise error rather than just being logged
if the appropriate ignore settings are not present.
https://fedorahosted.org/freeipa/ticket/6168
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
sys.exit() calls sometimes make it hard to find bugs and mask code that
does not always work properly.
https://fedorahosted.org/freeipa/ticket/5750
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously, update_dnsforward_emptyzones failed with an exeception if
DNS query failed for some reason. Now the error is logged and upgrade
continues.
I assume that this is okay because the DNS query is used as heuristics
of last resort in the upgrade logic and failure to do so should not have
catastrophics consequences: In the worst case, the admin needs to
manually change forwarding policy from 'first' to 'only'.
In the end I have decided not to auto-start BIND because BIND depends on
GSSAPI for authentication, which in turn depends on KDC ... Alternative
like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
accept LDAP external bind from named user are too complicated.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Basti <mbasti@redhat.com>
Always run the client installation script with --no-ntp
option so that it does not show the message about --force-ntpd
option that does not exist in ipa-replica-install. The time
synchronization is done elsewhere anyway.
https://fedorahosted.org/freeipa/ticket/6046
Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit also splits hostname backup and configuration into two separate
functions. This allows us to backup hostname without setting it at the
same time.
https://fedorahosted.org/freeipa/ticket/6071
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Attempts to compare local hostname with user-provided values are error
prone as we found out in #5794. This patch removes comparison and makes
the env values deterministic.
https://fedorahosted.org/freeipa/ticket/6071
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This file allows daemon tmpfiles.d to re-create the dirs in volatile
directories like /var/run or /var/lock. Without this file Dirsrv will
not start.
https://fedorahosted.org/freeipa/ticket/6165
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The man page for ipa-cacert-manage didn't mention that some
options are only applicable to the install some to the renew
subcommand.
Also fixed a few missing articles.
https://fedorahosted.org/freeipa/ticket/6013
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
ipa-replica-prepare must be run on a replica with CA or all the certs
needs to be provided (for CA-less case).
The old messages were utterly confusing because they mixed errors about
missing certs and missing local CA instance into one text.
https://fedorahosted.org/freeipa/ticket/6134
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
The code which loads the external CA cert chain was never executed because
of an incorrect usage of an iterator (iterating over it twice).
https://fedorahosted.org/freeipa/ticket/6166
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Replica installation must not check existence of --domain - the domain
must (logically) exist.
https://fedorahosted.org/freeipa/ticket/6130
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Method IPASystemRecords.records_list_from_node returns only list
consists only from record names not tuple, which caused unpacking error
https://fedorahosted.org/freeipa/ticket/6117
Reviewed-By: Nikhil Dehadrai <ndehadra@redhat.com>
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.
Add the hostname as a SAN dNSName when these certs are created.
(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).
Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
during DNS installation it is assumed that the cn=servers,cn=dns container is
always present in LDAP backend when migrating DNS server info to LDAP.
This may not always be the case (e.g. when a new replica is set up against
older master) so the code must take additional steps to ensure this container
is present.
https://fedorahosted.org/freeipa/ticket/6083
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.
Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, ensuring restart.
Fixes: https://fedorahosted.org/freeipa/ticket/6011
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Previously resolver was returning CheckedIPAddress objects. This
internal server error in cases where DNS actually returned reserved IP
addresses.
Now the resolver is returning UnsafeIPAddress objects which do syntactic
checks but do not filter IP addresses.
From now on we can decide if some IP address should be accepted as-is or
if it needs to be contrained to some subset of IP addresses using
CheckedIPAddress class.
This regression was caused by changes for
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Some container objects are not added when migrating from a
pre-lightweight CAs master, causing replica installation to fail.
Make sure that the containers exist and add an explanatory comment.
Fixes: https://fedorahosted.org/freeipa/ticket/5963
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Installation from replica file is broken because lightweight CA
replication setup is attempted before Kerberos is set up. To fix
the issue, explicitly execute step 1 before Kerberos setup, and
step 2 afterwards.
Part of: https://fedorahosted.org/freeipa/ticket/5963
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Multiple issues fixed:
- when untracking a certificate, the path to the NSS directory must be
exactly identical (no trailing /), otherwise the request is not found
and the old certificate is still tracked.
- when a cert is issued by a 3rd party CA, no need to track it
- the server_cert should not be found using cdb.find_server_certs()[0][0]
because this function can return multiple server certificates. For
instance, /etc/httpd/alias contains ipaCert, Server-Cert and Signing-Cert
with the trust flags u,u,u. This leads to trying to track ipaCert (which is
already tracked).
The workaround is looking for server certs before and after the import,
and extract server-cert as the certificate in the second list but not in the
first list.
https://fedorahosted.org/freeipa/ticket/4785https://fedorahosted.org/freeipa/ticket/4786
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Previously the installer did not reinitialize resolver so queries for
records created using --ip-address option might not be answered. This led
to incorrect results during 'Updating DNS system records' phase at the
end of installation.
This is kind of hack but right now we do not have enough time to extend
python-dns's interface with resolver_reinit() method.
https://fedorahosted.org/freeipa/ticket/5962
Reviewed-By: Martin Basti <mbasti@redhat.com>
The module is used only on the server, so there's no need to have it in
ipalib, which is shared by client and server.
https://fedorahosted.org/freeipa/ticket/5988
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
If the version of the remote server is higher than the local version, don't
allow installing a replica of it.
https://fedorahosted.org/freeipa/ticket/5983
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Previously we were checking content of DNS before actually adding DNS
records for replicas. This is causing cycle in logic and adds weird
corner cases to the installer which can blow up on DNS timeout or so.
The check was completely unnecessary because the installer knows IP
addresses and name of the machine. Removal of the check makes
the installer more reliable.
https://fedorahosted.org/freeipa/ticket/5962
Reviewed-By: Martin Basti <mbasti@redhat.com>
This fixes scenarios where IPA server is not able to resolve own name
and option --ip-address was not specified by the user.
This partially reverts changes from commit
dc405005f5https://fedorahosted.org/freeipa/ticket/5962
Reviewed-By: Martin Basti <mbasti@redhat.com>
For CA replicas to pick up renewed lightweight CA signing
certificates, the authoritySerial attribute can be updated with the
new serial number.
Update the renew_ca_cert script, which is executed by Certmonger
after writing a renewed CA certificate to the NSSDB, to update the
authoritySerial attribute if the certificate belongs to a
lightweight CA.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
After CA certificate renewal, the ``renew_ca_cert`` helper updates
certificate data in CS.cfg. An unrecognised nickname will raise
``KeyError``. To allow the helper to be used for arbitrary
certificates (e.g. lightweight CAs), do not fail if the nickname is
unrecognised - just skip the update.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Dogtag has been updated to support a default OCSP URI when the
profile includes AuthInfoAccess with URI method but does not specify
the URI (instead of constructing one based on Dogtag's hostname and
port).
Add the pkispawn config to ensure that the OCSP URI is set before
issuing CA and system certificates, and add the config to existing
CA instances on upgrade.
Fixes: https://fedorahosted.org/freeipa/ticket/5956
Reviewed-By: Martin Basti <mbasti@redhat.com>
We don't need anymore:
* sample of zone file - list of all records required by IPa will be
provided
* NTP related params - DNS records will be updated automatically,
based on LDAP values
* CA related params - DNS records will be updated automatically based
* on LDAP values
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Since DNS location mechanism is active, this option has no effect,
because records are generate dynamically.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When ipa-server-install is called with an external CA, but the cert chain is
incomplete, the command exits with the following error:
ERROR CA certificate chain in <list of --external-cert-file> is incomplete
The fix adds in the log the name of the missing certificate:
ERROR CA certificate chain in <list of --external-cert-file> is incomplete: missing certificate with subject '<dn of the missing certificate>'
https://fedorahosted.org/freeipa/ticket/5792
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
IPA domain is detected from LDAP for replica promote installation.
If local domain and IPA domain does not match, installer refuses
to install replica.
IPA versions 4.3.0 and 4.3.1 allow to specify different domain for
replica. Only one IPA domain is allowed (domain used with master)
and different domain may cause issues.
This commit prevents to install new replica if multiple domains was
used in past. User action is required to fix this issue and remove
incorrect IPA domains from LDAP.
https://fedorahosted.org/freeipa/ticket/5976
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In managed topology, calling `ipa-server-install --uninstall` will cause the
master to remove itself from the topology by calling `server_del` behind the
scenes.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>