[Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

Rob Crittenden rcritten at redhat.com
Mon Sep 10 20:58:40 UTC 2012


Petr Viktorin wrote:
> Attaching rebased and squashed patches. I've done some testing with them
> but please test some more.
>

Most of these aren't IPA issues, but dogtag issues. I'll try to split 
them out.

IPA:

For the configuration files in install/conf to be updated at rpm update 
time the VERSION needs to be incremented.


The ipa package lacks any updated dogtag dependencies, so I abused it.

I installed IPA with dogtag 9 and created a replica.

I updated the IPA bits, that worked fine.

I updated to dogtag 10 and now the CA doesn't work on the master, 
including starting the dogtag instance. Note that the rpm update process 
worked, no notice that the CA service didn't restart.

Uninstalling failed because it tried to run pkidestroy and not pkiremove.

The contents of the file passed to pkispawn should be logged so we can 
see exactly what was passed in.

DOGTAG:

When upgrading using the dogtag-devel repo I had to specify 
pki-tools.x86_64 otherwise it tried to install both 32 and 64-bit 
versions (and failed).

I ended up running: yum update pki-ca tomcatjss pki-tools.x86_64 
--enablerepo=dogtag-devel --enablerepo=updates-testing

What happens if someone manually upgrades pki-ca without first updating 
ipa? I think that pki-ca is going to need a Conflicts ipa < 3.0 in it.

Certificate renewal failed. I spent far too long trying to figure out 
why tomcat wasn't listening on port 9180 but failed. I think 9180 is 
actually the old server, right? So another missing dependency on a fixed 
certmonger?

The best I could find was the certmonger error:

ca-error: Error 7 connecting to 
http://edsel.example.com:9180/ca/ee/ca/profileSubmit: Couldn't connect 
to server.

There is no man page for pkispawn/pkidestroy :-( According to the FHS 
these should not be in /bin but in /usr/sbin (not end-user commands).

The output of pkicreate/pkisilent was really terrible and not usable at 
all so we didn't display it when failures occurred. It looks like that 
has been addressed, at least for the case where a CA is already 
configured and you try to install IPA. Perhaps we should capture stderr 
and display that instead of the command-line of pkispawn? Again, a man 
page would help with the integration.

2012-09-10T20:51:45Z DEBUG   [2/18]: configuring certificate server instance
2012-09-10T20:51:45Z DEBUG args=/bin/pkispawn -s CA -f /tmp/tmp_Urraq
2012-09-10T20:51:45Z DEBUG stdout=
2012-09-10T20:51:45Z DEBUG stderr=pkispawn    : ERROR    ....... PKI 
subsystem 'CA' for instance 'pki-tomcat' already exists!

2012-09-10T20:51:45Z CRITICAL failed to configure ca instance Command 
'/bin/pkispawn -s CA -f /tmp/tmp_Urraq' returned non-zero exit status 1

rob
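As an added illustration of the two suggestions above (log what was passed to pkispawn, and surface its stderr rather than just the command line), not code from the IPA patch under review: a Python wrapper that does both, masking the `*_password` values a pkispawn config carries so the debug log does not become a credential store. The sample config, the stand-in pkispawn and the assumed error-line format are constructed; the stderr text is the one quoted in the mail.

```python
import logging
import re
import subprocess
import tempfile

log = logging.getLogger("ipa.pkispawn")

# pkispawn's secret-bearing config keys all end in "_password" (assumed here
# for redaction), so the config can be logged without leaking credentials.
_SECRET_RE = re.compile(r"^(\s*\S*_password\s*=\s*).*$", re.MULTILINE)
# pkispawn error lines look like "pkispawn    : ERROR    ....... <message>"
_ERROR_RE = re.compile(r"^\S+\s*:\s*ERROR\s+\.*\s*(.*)$", re.MULTILINE)


def redact_config(text):
    """Return the pkispawn config text with every *_password value masked."""
    return _SECRET_RE.sub(r"\1********", text)


def summarize_failure(stderr):
    """Extract pkispawn's ERROR messages from its captured stderr."""
    return [m.strip() for m in _ERROR_RE.findall(stderr)]


def run_pkispawn(config_path, subsystem="CA", runner=subprocess.run):
    """Run pkispawn; returns (exit_status, error_messages) and logs both sides."""
    with open(config_path) as f:
        log.debug("pkispawn config (secrets redacted):\n%s",
                  redact_config(f.read()))
    args = ["/bin/pkispawn", "-s", subsystem, "-f", config_path]
    proc = runner(args, capture_output=True, text=True)  # runner is injectable
    errors = summarize_failure(proc.stderr)
    if proc.returncode != 0:  # report the reason, not just the command line
        log.critical("pkispawn failed (%d): %s", proc.returncode,
                     "; ".join(errors) or proc.stderr.strip())
    return proc.returncode, errors


# Constructed sample input, modelled on the failure quoted in the mail.
SAMPLE_CONFIG = "[CA]\npki_instance_name=pki-tomcat\n" \
                "pki_ds_password=Secret123\npki_admin_password = hunter2\n"
SAMPLE_STDERR = ("pkispawn    : ERROR    ....... PKI subsystem 'CA' for "
                 "instance 'pki-tomcat' already exists!\n")


def demo():
    """Offline run against a stand-in pkispawn that reproduces the failure."""
    def fake_pkispawn(args, **kw):  # constructed; no real binary is executed
        return subprocess.CompletedProcess(args, 1, "", SAMPLE_STDERR)
    with tempfile.NamedTemporaryFile("w", suffix=".cfg") as f:
        f.write(SAMPLE_CONFIG)
        f.flush()
        return run_pkispawn(f.name, runner=fake_pkispawn)
```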
