Originaly there should be only two occurencees of this warning, one for
server, one for client. But obviously is not possible with current
installers to achive this goal, so I have to extract code to not mess
with 5 times copy and paste.
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
For some reasons named may not be runnig and this cause fail of this
upgrade step. This step is not critical so only ERROR message with
recommendation is shown.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add Certmonger tracking requests for lightweight CAs on replica
installation. As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.
Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Force reconnect to LDAP as DS might have been restarted after the
connection was opened, rendering the connection invalid.
This fixes a crash in ipa-replica-install with --setup-ca.
https://fedorahosted.org/freeipa/ticket/6207
Reviewed-By: Martin Basti <mbasti@redhat.com>
When running ipa-adtrust-install, a netbios-name option must be specified.
Currently if an invalid netbios name in form of empty string is specified, the
installation proceeds, but changes the invalid value to a netbios name
determined from domain name without any notification.
Fixing this so that any attempt to supply empty string as netbios name fails
with error in case of unattended installation, or to request input of valid
netbios name from command line during normal installation.
https://fedorahosted.org/freeipa/ticket/6120
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
With CA-less master and CA-less replica, attempting to install CA on replica
would fail. LDAPS has to be enabled during replica promotion, because it is
required by Dogtag.
https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Installation in pure IPv6 environment failed because pki-tomcat tried to use
IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4 fixes
this issue.
https://fedorahosted.org/freeipa/ticket/4291
Reviewed-By: Martin Basti <mbasti@redhat.com>
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.
The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.
Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
Prompt for PIN only once in interactive mode.
This fixes ipa-server-install, ipa-server-certinstall and
ipa-replica-prepare prompting over and over when the PIN is empty.
https://fedorahosted.org/freeipa/ticket/6032
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Disconnecting topology/removing last-role-host during server
uninstallation should raise error rather than just being logged
if the appropriate ignore settings are not present.
https://fedorahosted.org/freeipa/ticket/6168
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Previously, update_dnsforward_emptyzones failed with an exeception if
DNS query failed for some reason. Now the error is logged and upgrade
continues.
I assume that this is okay because the DNS query is used as heuristics
of last resort in the upgrade logic and failure to do so should not have
catastrophics consequences: In the worst case, the admin needs to
manually change forwarding policy from 'first' to 'only'.
In the end I have decided not to auto-start BIND because BIND depends on
GSSAPI for authentication, which in turn depends on KDC ... Alternative
like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
accept LDAP external bind from named user are too complicated.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Basti <mbasti@redhat.com>
Always run the client installation script with --no-ntp
option so that it does not show the message about --force-ntpd
option that does not exist in ipa-replica-install. The time
synchronization is done elsewhere anyway.
https://fedorahosted.org/freeipa/ticket/6046
Reviewed-By: Martin Basti <mbasti@redhat.com>
The man page for ipa-cacert-manage didn't mention that some
options are only applicable to the install some to the renew
subcommand.
Also fixed a few missing articles.
https://fedorahosted.org/freeipa/ticket/6013
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
ipa-replica-prepare must be run on a replica with CA or all the certs
needs to be provided (for CA-less case).
The old messages were utterly confusing because they mixed errors about
missing certs and missing local CA instance into one text.
https://fedorahosted.org/freeipa/ticket/6134
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.
Add the hostname as a SAN dNSName when these certs are created.
(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).
Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
during DNS installation it is assumed that the cn=servers,cn=dns container is
always present in LDAP backend when migrating DNS server info to LDAP.
This may not always be the case (e.g. when a new replica is set up against
older master) so the code must take additional steps to ensure this container
is present.
https://fedorahosted.org/freeipa/ticket/6083
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.
Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, ensuring restart.
Fixes: https://fedorahosted.org/freeipa/ticket/6011
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Previously resolver was returning CheckedIPAddress objects. This
internal server error in cases where DNS actually returned reserved IP
addresses.
Now the resolver is returning UnsafeIPAddress objects which do syntactic
checks but do not filter IP addresses.
From now on we can decide if some IP address should be accepted as-is or
if it needs to be contrained to some subset of IP addresses using
CheckedIPAddress class.
This regression was caused by changes for
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Some container objects are not added when migrating from a
pre-lightweight CAs master, causing replica installation to fail.
Make sure that the containers exist and add an explanatory comment.
Fixes: https://fedorahosted.org/freeipa/ticket/5963
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Installation from replica file is broken because lightweight CA
replication setup is attempted before Kerberos is set up. To fix
the issue, explicitly execute step 1 before Kerberos setup, and
step 2 afterwards.
Part of: https://fedorahosted.org/freeipa/ticket/5963
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Multiple issues fixed:
- when untracking a certificate, the path to the NSS directory must be
exactly identical (no trailing /), otherwise the request is not found
and the old certificate is still tracked.
- when a cert is issued by a 3rd party CA, no need to track it
- the server_cert should not be found using cdb.find_server_certs()[0][0]
because this function can return multiple server certificates. For
instance, /etc/httpd/alias contains ipaCert, Server-Cert and Signing-Cert
with the trust flags u,u,u. This leads to trying to track ipaCert (which is
already tracked).
The workaround is looking for server certs before and after the import,
and extract server-cert as the certificate in the second list but not in the
first list.
https://fedorahosted.org/freeipa/ticket/4785https://fedorahosted.org/freeipa/ticket/4786
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Previously the installer did not reinitialize resolver so queries for
records created using --ip-address option might not be answered. This led
to incorrect results during 'Updating DNS system records' phase at the
end of installation.
This is kind of hack but right now we do not have enough time to extend
python-dns's interface with resolver_reinit() method.
https://fedorahosted.org/freeipa/ticket/5962
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously we were checking content of DNS before actually adding DNS
records for replicas. This is causing cycle in logic and adds weird
corner cases to the installer which can blow up on DNS timeout or so.
The check was completely unnecessary because the installer knows IP
addresses and name of the machine. Removal of the check makes
the installer more reliable.
https://fedorahosted.org/freeipa/ticket/5962
Reviewed-By: Martin Basti <mbasti@redhat.com>
For CA replicas to pick up renewed lightweight CA signing
certificates, the authoritySerial attribute can be updated with the
new serial number.
Update the renew_ca_cert script, which is executed by Certmonger
after writing a renewed CA certificate to the NSSDB, to update the
authoritySerial attribute if the certificate belongs to a
lightweight CA.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
After CA certificate renewal, the ``renew_ca_cert`` helper updates
certificate data in CS.cfg. An unrecognised nickname will raise
``KeyError``. To allow the helper to be used for arbitrary
certificates (e.g. lightweight CAs), do not fail if the nickname is
unrecognised - just skip the update.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Dogtag has been updated to support a default OCSP URI when the
profile includes AuthInfoAccess with URI method but does not specify
the URI (instead of constructing one based on Dogtag's hostname and
port).
Add the pkispawn config to ensure that the OCSP URI is set before
issuing CA and system certificates, and add the config to existing
CA instances on upgrade.
Fixes: https://fedorahosted.org/freeipa/ticket/5956
Reviewed-By: Martin Basti <mbasti@redhat.com>
We don't need anymore:
* sample of zone file - list of all records required by IPa will be
provided
* NTP related params - DNS records will be updated automatically,
based on LDAP values
* CA related params - DNS records will be updated automatically based
* on LDAP values
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
