ipareplica: Make sure that certmonger picks the right master

This is related to freeipa#0f31564b35aac250456233f98730811560eda664 During ipa-replica-install, http installation first creates a service principal for http/hostname (locally on the soon-to-be-replica), then waits for this entry to be replicated on the master picked for the install. In a later step, the installer requests a certificate for HTTPd. The local certmonger first tries the master defined in xmlrpc_uri (which is pointing to the soon-to-be-replica), but fails because the service is not up yet. Then certmonger tries to find a master by using the DNS and looking for a ldap service. This step can pick a different master, where the principal entry has not always be replicated yet. As the certificate request adds the principal if it does not exist, we can end by re-creating the principal and have a replication conflict. The replication conflict later causes kerberos issues, preventing from installing a new replica. The proposed fix forces xmlrpc_uri to point to the same master as the one picked for the installation, in order to make sure that the master already contains the principal entry. https://pagure.io/freeipa/issue/7041
2026-06-23 09:14:43 +00:00 · 2019-06-21 12:24:10 +02:00
parent ca4518a623
commit 2092220634
3 changed files with 121 additions and 13 deletions
--- a/roles/ipareplica/library/ipareplica_create_ipa_conf.py
+++ b/roles/ipareplica/library/ipareplica_create_ipa_conf.py
@@ -172,6 +172,7 @@ def main():
            ### additional ###
            server=dict(required=True),
            config_master_host_name=dict(required=True),
            config_ca_host_name=dict(required=True),
            ccache=dict(required=True),
            installer_ccache=dict(required=True),
            _ca_enabled=dict(required=False, type='bool'),
@@ -183,6 +184,7 @@ def main():
            _add_to_ipaservers = dict(required=True, type='bool'),
            _ca_subject=dict(required=True),
            _subject_base=dict(required=True),
            master=dict(required=False, default=None),
            dirman_password=dict(required=True, no_log=True),
        ),
@@ -227,6 +229,7 @@ def main():
    #    '_hostname_overridden')
    options.server = ansible_module.params.get('server')
    master_host_name = ansible_module.params.get('config_master_host_name')
    ca_host_name = ansible_module.params.get('config_ca_host_name')
    ccache = ansible_module.params.get('ccache')
    os.environ['KRB5CCNAME'] = ccache
    #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
@@ -246,6 +249,7 @@ def main():
    options._ca_subject = ansible_module.params.get('_ca_subject')
    options._subject_base = ansible_module.params.get('_subject_base')
    master = ansible_module.params.get('master')
    dirman_password = ansible_module.params.get('dirman_password')
@@ -267,6 +271,7 @@ def main():
    config = gen_ReplicaConfig()
    config.subject_base = options.subject_base
    config.dirman_password = dirman_password
    config.ca_host_name = ca_host_name
    remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
    installer._remote_api = remote_api
@@ -284,7 +289,7 @@ def main():
        # successful uninstallation
        # The configuration creation has to be here otherwise previous call
        # To config certmonger would try to connect to local server
-        create_ipa_conf(fstore, config, ca_enabled)
+        create_ipa_conf(fstore, config, ca_enabled, master)
    # done #
--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -179,6 +179,14 @@ def main():
        ansible_module.fail_json(
            msg="Hidden replica is not supported in this version.")
    # We need to point to the master in ipa default conf when certmonger
    # asks for HTTP certificate in newer ipa versions. In these versions
    # create_ipa_conf has the additional master argument.
    change_master_for_certmonger = False
    argspec = inspect.getargspec(create_ipa_conf)
    if "master" in argspec.args:
        change_master_for_certmonger = True
    # From ipa installer classes
    # pkinit is not supported on DL0, don't allow related options
@@ -332,18 +340,20 @@ def main():
    # done #
-    ansible_module.exit_json(changed=False,
+    ansible_module.exit_json(
-                             ipa_python_version=IPA_PYTHON_VERSION,
+        changed=False,
-                             ### basic ###
+        ipa_python_version=IPA_PYTHON_VERSION,
-                             domain=options.domain_name,
+        ### basic ###
-                             realm=options.realm_name,
+        domain=options.domain_name,
-                             hostname=options.host_name,
+        realm=options.realm_name,
-                             ### server ###
+        hostname=options.host_name,
-                             setup_adtrust=options.setup_adtrust,
+        ### server ###
-                             setup_kra=options.setup_kra,
+        setup_adtrust=options.setup_adtrust,
-                             server=options.server,
+        setup_kra=options.setup_kra,
-                             ### additional ###
+        server=options.server,
-                             client_enrolled=client_enrolled,
+        ### additional ###
        client_enrolled=client_enrolled,
        change_master_for_certmonger=change_master_for_certmonger,
    )
 if __name__ == '__main__':
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -314,6 +314,7 @@
      server: "{{ result_ipareplica_test.server }}"
      config_master_host_name:
        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
      ccache: "{{ result_ipareplica_prepare.ccache }}"
      installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
@@ -343,6 +344,54 @@
      _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
  # We need to point to the master in ipa default conf when certmonger
  # asks for HTTP certificate in newer ipa versions. In these versions
  # create_ipa_conf has the additional master argument.
  - name: Install - Create override IPA conf
    ipareplica_create_ipa_conf:
      ### basic ###
      dm_password: "{{ ipadm_password | default(omit) }}"
      password: "{{ ipaadmin_password | default(omit) }}"
      ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"
      domain: "{{ result_ipareplica_test.domain }}"
      realm: "{{ result_ipareplica_test.realm }}"
      hostname: "{{ result_ipareplica_test.hostname }}"
      ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
      no_host_dns: "{{ ipareplica_no_host_dns }}"
      ### replica ###
      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
      setup_kra: "{{ result_ipareplica_test.setup_kra }}"
      setup_dns: "{{ ipareplica_setup_dns }}"
      ### ssl certificate ###
      dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"
      ### client ###
      force_join: "{{ ipaclient_force_join }}"
      ### ad trust ###
      netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"
      rid_base: "{{ ipareplica_rid_base | default(omit) }}"
      secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"
      ### additional ###
      server: "{{ result_ipareplica_test.server }}"
      config_master_host_name:
        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
      ccache: "{{ result_ipareplica_prepare.ccache }}"
      installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
      _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
      _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}"
      _http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info }}"
      _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
      subject_base: "{{ result_ipareplica_prepare.subject_base }}"
      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
      _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"
      _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
      _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
      dirman_password: "{{ ipareplica_dirman_password }}"
      master:
        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
    when: result_ipareplica_test.change_master_for_certmonger
  - name: Install - DS enable SSL
    ipareplica_ds_enable_ssl:
      ### server ###
@@ -383,6 +432,50 @@
      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
      dirman_password: "{{ ipareplica_dirman_password }}"
  # Need to point back to ourself after the cert for HTTP is obtained
  - name: Install - Create original IPA conf again
    ipareplica_create_ipa_conf:
      ### basic ###
      dm_password: "{{ ipadm_password | default(omit) }}"
      password: "{{ ipaadmin_password | default(omit) }}"
      ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"
      domain: "{{ result_ipareplica_test.domain }}"
      realm: "{{ result_ipareplica_test.realm }}"
      hostname: "{{ result_ipareplica_test.hostname }}"
      ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
      no_host_dns: "{{ ipareplica_no_host_dns }}"
      ### replica ###
      setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
      setup_kra: "{{ result_ipareplica_test.setup_kra }}"
      setup_dns: "{{ ipareplica_setup_dns }}"
      ### ssl certificate ###
      dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"
      ### client ###
      force_join: "{{ ipaclient_force_join }}"
      ### ad trust ###
      netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"
      rid_base: "{{ ipareplica_rid_base | default(omit) }}"
      secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"
      ### additional ###
      server: "{{ result_ipareplica_test.server }}"
      config_master_host_name:
        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
      config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
      ccache: "{{ result_ipareplica_prepare.ccache }}"
      installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
      _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
      _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
      _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}"
      _http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info }}"
      _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
      subject_base: "{{ result_ipareplica_prepare.subject_base }}"
      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
      _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"
      _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
      _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
      dirman_password: "{{ ipareplica_dirman_password }}"
    when: result_ipareplica_test.change_master_for_certmonger
  - name: Install - Setup otpd
    ipareplica_setup_otpd:
      ### server ###