On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote:
The CA has its own upgrade code which runs unconditionally and I think
that's how both secret and requiredSecret got added to server.xml. I
wasn't able to duplicate the 403 though, it always just worked for me.
Perhaps it has to go through more than one upgrade cycle. I did my
testing on RHEL 8.

I filed https://bugzilla.redhat.com/show_bug.cgi?id=2006070 against
pki-core.

I think I just ran into this, or a related issue, when upgrading today on two 
RHEL 8 machines.

According to etckeeper (great tool!):

   Package changes:
   -0:ipa-client-4.9.6-6.module+el8.5.0+12660+88e16a2c.x86_64
   -0:ipa-client-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
   -0:ipa-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
   +0:ipa-client-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
   +0:ipa-client-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
   +0:ipa-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
   -0:ipa-server-4.9.6-6.module+el8.5.0+12660+88e16a2c.x86_64
   -0:ipa-server-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
   -0:ipa-server-dns-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
   +0:ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
   +0:ipa-server-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
   +0:ipa-server-dns-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
   -0:python3-ipaclient-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
   -0:python3-ipalib-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
   -0:python3-ipaserver-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
   +0:python3-ipaclient-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
   +0:python3-ipalib-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
   +0:python3-ipaserver-4.9.6-10.module+el8.5.0+13587+92118e57.noarch

Upgrading the above *added* requiredSecret="newSecret" to the AJP Connector 
elements within /etc/pki/pki-tomcat/server.xml.

The existing secret="oldSecret" attribute was not changed. Neither was 
"secret=oldSecret" changed in the ProxyPassMatch directives in 
/etc/httpd/conf.d/ipa-pki-proxy.conf.

It looks like tomcat uses the value of requiredSecret= in preference to secret= 
if both are supplied.

The fix was to remove requiredSecret="newSecret" from the tomcat config file & 
restart pki-tomcatd@pki-tomcat.

But that bugzilla is about migrating from requiredSecret="oldSecret" -> 
secret="oldSecret". So I'm not sure I've hit that bug exactly...

The packages above don't include any additional patches related to
what you see here. They only include changes for CVE-2020-25717, which
has nothing to do with CA operations.

What happens, I suspect, is that both the pki upgrade code and the ipa upgrade
code triggered, and the pki upgrade code adds the 'requiredSecret' part. The IPA
upgrade code has been present since FreeIPA 4.9.0, since March 2020, more than
1.5 years ago.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
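A quick consistency check for the mismatch discussed in this thread, added here as an example (not code from FreeIPA, pki-core or either poster): it parses the AJP Connector elements of server.xml and the ProxyPassMatch secret in ipa-pki-proxy.conf and reports when Tomcat's effective AJP secret differs from what httpd will send. It assumes, as observed above, that requiredSecret= takes precedence over secret= when both are present, and the two config snippets below are constructed samples modelled on the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of /etc/pki/pki-tomcat/server.xml after the upgrade:
# the AJP Connectors carry the old secret= plus the newly added requiredSecret=.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost4" secret="oldSecret" requiredSecret="newSecret"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost6" secret="oldSecret" requiredSecret="newSecret"/>
  </Service>
</Server>
"""

# Constructed sample of /etc/httpd/conf.d/ipa-pki-proxy.conf, untouched by the upgrade.
PROXY_CONF = """
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain">
    ProxyPassMatch ajp://localhost:8009 secret=oldSecret
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
"""

def effective_ajp_secret(connector):
    """Assumption from the thread: requiredSecret= wins over secret= when both are set."""
    return connector.get("requiredSecret") or connector.get("secret")

def httpd_ajp_secrets(conf_text):
    """Collect every secret= value httpd passes on its AJP ProxyPassMatch lines."""
    return set(re.findall(r"ProxyPassMatch\s+ajp://\S+\s+secret=(\S+)", conf_text))

def check_ajp_secrets(server_xml, proxy_conf):
    """Return a list of findings; an empty list means Tomcat and httpd agree."""
    findings = []
    httpd_secrets = httpd_ajp_secrets(proxy_conf)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        addr = conn.get("address", "?")
        if conn.get("secret") and conn.get("requiredSecret"):
            findings.append(f"{addr}: both secret= and requiredSecret= set; requiredSecret wins")
        expected = effective_ajp_secret(conn)
        if expected not in httpd_secrets:
            findings.append(f"{addr}: Tomcat expects {expected!r}, httpd sends {sorted(httpd_secrets)}")
    return findings

if __name__ == "__main__":
    for line in check_ajp_secrets(SERVER_XML, PROXY_CONF):
        print(line)
```

Dropping the requiredSecret= attribute from the sample (the fix applied in the thread) makes the check return no findings, which is the state to verify after restarting pki-tomcatd.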
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org