IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-13 09:41:55 -06:00
Code Issues Packages Projects Releases Wiki Activity
0f31564b35
freeipa/ipaserver/install
History
Florence Blanc-Renaud 0f31564b35 ipa-replica-install: make sure that certmonger picks the right master 
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always be replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.

The replication conflict later causes kerberos issues, preventing
from installing a new replica.

The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.

https://pagure.io/freeipa/issue/7041

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-21 09:35:56 +01:00
..
plugins mod_ssl migration: fix upload_cacrt.py plugin 2018-02-21 07:57:40 +01:00
server ipa-replica-install: make sure that certmonger picks the right master 2018-03-21 09:35:56 +01:00
__init__.py Remove __all__ specifications in ipaclient and ipaserver.install 2013-09-06 15:42:33 +02:00
adtrust.py Correct typo estabilish->establish in the install scripts 2017-07-24 13:41:16 +02:00
adtrustinstance.py Replace hard-coded paths with path constants 2018-02-08 09:32:12 +01:00
bindinstance.py Add mocked test for named crypto policy update 2018-02-20 17:01:52 +01:00
ca.py Add a helpful comment to ca.py:install_check() 2018-01-16 14:15:58 +01:00
cainstance.py install: configure dogtag status request timeout 2018-03-20 10:28:05 +01:00
certs.py Remove unused modutils wrappers from NSS/CertDB 2018-02-23 11:04:10 +01:00
conncheck.py install: introduce installer class hierarchy 2016-11-11 12:17:25 +01:00
custodiainstance.py service: rename import_ca_certs_* to export_* 2018-02-21 07:57:40 +01:00
dns.py Warning the user when using a loopback IP as forwarder 2017-11-09 09:24:03 -02:00
dnskeysyncinstance.py More cleanup after uninstall 2018-03-20 10:15:28 +01:00
dogtag.py install: introduce installer class hierarchy 2016-11-11 12:17:25 +01:00
dogtaginstance.py Keep owner when backing up CA.cfg 2018-03-19 15:46:56 +01:00
dsinstance.py certmonger: Use explicit storage format 2018-02-23 11:04:10 +01:00
httpinstance.py More cleanup after uninstall 2018-03-20 10:15:28 +01:00
installutils.py More cleanup after uninstall 2018-03-20 10:15:28 +01:00
ipa_backup.py Backup HTTPD's mod_ssl config and cert-key pair 2018-03-13 10:52:41 +01:00
ipa_cacert_manage.py Update IPA CA issuer DN upon renewal 2018-02-08 13:53:30 +01:00
ipa_kra_install.py Have all the scripts run in python 3 by default 2018-02-15 18:43:12 +01:00
ipa_ldap_updater.py logging: remove object-specific loggers 2017-07-14 15:55:59 +02:00
ipa_otptoken_import.py OTP import: support hash names with HMAC- prefix 2017-09-18 11:37:31 +02:00
ipa_pkinit_manage.py logging: remove object-specific loggers 2017-07-14 15:55:59 +02:00
ipa_replica_install.py install: re-introduce option groups 2017-03-13 10:12:40 +01:00
ipa_replica_prepare.py replica_prepare: Remove the correct NSS DB files 2018-01-16 16:36:10 +01:00
ipa_restore.py ipa-restore: remove /etc/httpd/conf.d/nss.conf 2018-03-14 12:25:04 +01:00
ipa_server_certinstall.py Make ipa-server-certinstall store HTTPD cert in a file 2018-02-21 07:57:40 +01:00
ipa_server_install.py install: re-introduce option groups 2017-03-13 10:12:40 +01:00
ipa_server_upgrade.py logging: remove object-specific loggers 2017-07-14 15:55:59 +02:00
ipa_winsync_migrate.py logging: remove object-specific loggers 2017-07-14 15:55:59 +02:00
kra.py Restart named-pkcs11 after KRA installation 2018-02-08 16:58:13 +01:00
krainstance.py Enable ephemeral KRA requests 2017-12-15 08:45:38 +01:00
krbinstance.py ipa-server-install: handle error when calling kdb5_util create 2018-03-13 10:09:13 +01:00
ldapupdate.py Instrument installer to profile steps 2018-03-16 07:33:58 +01:00
ntpinstance.py logging: do not log into the root logger 2017-07-14 15:55:59 +02:00
odsexporterinstance.py logging: do not log into the root logger 2017-07-14 15:55:59 +02:00
opendnssecinstance.py Use os.path.isfile() and isdir() 2017-10-20 12:27:19 +02:00
otpdinstance.py Enable pylint missing-final-newline check 2015-12-23 07:59:22 +01:00
replication.py Unified ldap_initialize() function 2018-02-15 18:32:17 +01:00
schemaupdate.py logging: do not use ipa_log_manager to create module-level loggers 2017-07-14 15:55:59 +02:00
service.py Instrument installer to profile steps 2018-03-16 07:33:58 +01:00
sysupgrade.py logging: do not log into the root logger 2017-07-14 15:55:59 +02:00
upgradeinstance.py logging: do not log into the root logger 2017-07-14 15:55:59 +02:00