ipareplica: Make sure that certmonger picks the right master

This is related to freeipa#0f31564b35aac250456233f98730811560eda664 During ipa-replica-install, http installation first creates a service principal for http/hostname (locally on the soon-to-be-replica), then waits for this entry to be replicated on the master picked for the install. In a later step, the installer requests a certificate for HTTPd. The local certmonger first tries the master defined in xmlrpc_uri (which is pointing to the soon-to-be-replica), but fails because the service is not up yet. Then certmonger tries to find a master by using the DNS and looking for a ldap service. This step can pick a different master, where the principal entry has not always be replicated yet. As the certificate request adds the principal if it does not exist, we can end by re-creating the principal and have a replication conflict. The replication conflict later causes kerberos issues, preventing from installing a new replica. The proposed fix forces xmlrpc_uri to point to the same master as the one picked for the installation, in order to make sure that the master already contains the principal entry. https://pagure.io/freeipa/issue/7041
2026-05-14 21:42:17 +00:00 · 2019-06-21 12:24:10 +02:00
parent ca4518a623
commit 2092220634
3 changed files with 121 additions and 13 deletions
--- a/roles/ipareplica/library/ipareplica_create_ipa_conf.py
+++ b/roles/ipareplica/library/ipareplica_create_ipa_conf.py
@@ -172,6 +172,7 @@ def main():
            ### additional ###
            server=dict(required=True),
            config_master_host_name=dict(required=True),
+            config_ca_host_name=dict(required=True),
            ccache=dict(required=True),
            installer_ccache=dict(required=True),
            _ca_enabled=dict(required=False, type='bool'),
@@ -183,6 +184,7 @@ def main():
            _add_to_ipaservers = dict(required=True, type='bool'),
            _ca_subject=dict(required=True),
            _subject_base=dict(required=True),
+            master=dict(required=False, default=None),

            dirman_password=dict(required=True, no_log=True),
        ),
@@ -227,6 +229,7 @@ def main():
    #    '_hostname_overridden')
    options.server = ansible_module.params.get('server')
    master_host_name = ansible_module.params.get('config_master_host_name')
+    ca_host_name = ansible_module.params.get('config_ca_host_name')
    ccache = ansible_module.params.get('ccache')
    os.environ['KRB5CCNAME'] = ccache
    #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
@@ -246,6 +249,7 @@ def main():

    options._ca_subject = ansible_module.params.get('_ca_subject')
    options._subject_base = ansible_module.params.get('_subject_base')
+    master = ansible_module.params.get('master')

    dirman_password = ansible_module.params.get('dirman_password')

@@ -267,6 +271,7 @@ def main():
    config = gen_ReplicaConfig()
    config.subject_base = options.subject_base
    config.dirman_password = dirman_password
+    config.ca_host_name = ca_host_name

    remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
    installer._remote_api = remote_api
@@ -284,7 +289,7 @@ def main():
        # successful uninstallation
        # The configuration creation has to be here otherwise previous call
        # To config certmonger would try to connect to local server
-        create_ipa_conf(fstore, config, ca_enabled)
+        create_ipa_conf(fstore, config, ca_enabled, master)

    # done #

--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -179,6 +179,14 @@ def main():
        ansible_module.fail_json(
            msg="Hidden replica is not supported in this version.")

+    # We need to point to the master in ipa default conf when certmonger
+    # asks for HTTP certificate in newer ipa versions. In these versions
+    # create_ipa_conf has the additional master argument.
+    change_master_for_certmonger = False
+    argspec = inspect.getargspec(create_ipa_conf)
+    if "master" in argspec.args:
+        change_master_for_certmonger = True
+
    # From ipa installer classes

    # pkinit is not supported on DL0, don't allow related options
@@ -332,18 +340,20 @@ def main():

    # done #

-    ansible_module.exit_json(changed=False,
-                             ipa_python_version=IPA_PYTHON_VERSION,
-                             ### basic ###
-                             domain=options.domain_name,
-                             realm=options.realm_name,
-                             hostname=options.host_name,
-                             ### server ###
-                             setup_adtrust=options.setup_adtrust,
-                             setup_kra=options.setup_kra,
-                             server=options.server,
-                             ### additional ###
-                             client_enrolled=client_enrolled,
+    ansible_module.exit_json(
+        changed=False,
+        ipa_python_version=IPA_PYTHON_VERSION,
+        ### basic ###
+        domain=options.domain_name,
+        realm=options.realm_name,
+        hostname=options.host_name,
+        ### server ###
+        setup_adtrust=options.setup_adtrust,
+        setup_kra=options.setup_kra,
+        server=options.server,
+        ### additional ###
+        client_enrolled=client_enrolled,
+        change_master_for_certmonger=change_master_for_certmonger,
    )

 if __name__ == '__main__':