    20922206 · ipareplica: Make sure that certmonger picks the right master
    Thomas Woerner authored
    This is related to freeipa#0f31564b35aac250456233f98730811560eda664
    
      During ipa-replica-install, http installation first creates a service
      principal for http/hostname (locally on the soon-to-be-replica), then
      waits for this entry to be replicated on the master picked for the
      install.
      In a later step, the installer requests a certificate for HTTPd. The local
      certmonger first tries the master defined in xmlrpc_uri (which is
      pointing to the soon-to-be-replica), but fails because the service is not
      up yet. Then certmonger tries to find a master by using the DNS and looking
      for an ldap service. This step can pick a different master, where the
      principal entry has not always been replicated yet.
      As the certificate request adds the principal if it does not exist, we can
      end up re-creating the principal and having a replication conflict.
    
      The replication conflict later causes kerberos issues, preventing the
      installation of a new replica.
    
      The proposed fix forces xmlrpc_uri to point to the same master as the one
      picked for the installation, in order to make sure that the master already
      contains the principal entry.
    
      https://pagure.io/freeipa/issue/7041