The CA has its own upgrade code which runs unconditionally and I
think
that's how both secret and requiredSecret got added to server.xml. I
wasn't able to duplicate the 403 though, it always just worked for me.
Perhaps it has to go through more than one upgrade cycle. I did my
testing on RHEL 8.
I filed
https://bugzilla.redhat.com/show_bug.cgi?id=2006070 against
pki-core.
I think I just ran into this, or a related issue, when upgrading today on two RHEL 8
machines.
According to etckeeper (great tool!):
Package changes:
-0:ipa-client-4.9.6-6.module+el8.5.0+12660+88e16a2c.x86_64
-0:ipa-client-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
-0:ipa-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
+0:ipa-client-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
+0:ipa-client-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
+0:ipa-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
-0:ipa-server-4.9.6-6.module+el8.5.0+12660+88e16a2c.x86_64
-0:ipa-server-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
-0:ipa-server-dns-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
+0:ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
+0:ipa-server-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
+0:ipa-server-dns-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
-0:python3-ipaclient-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
-0:python3-ipalib-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
-0:python3-ipaserver-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
+0:python3-ipaclient-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
+0:python3-ipalib-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
+0:python3-ipaserver-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
Upgrading the above *added* requiredSecret="newSecret" to the AJP Connector
elements within /etc/pki/pki-tomcat/server.xml.
The existing secret="oldSecret" attribute was not changed. Neither was
"secret=oldSecret" changed in the ProxyPassMatch directives in
/etc/httpd/conf.d/ipa-pki-proxy.conf.
It looks like tomcat uses the value of requiredSecret= in preference to secret= if both
are supplied.
The fix was to remove requiredSecret="newSecret" from the tomcat config file
& restart pki-tomcatd@pki-tomcat.
But that bugzilla is about migrating from requiredSecret="oldSecret" ->
secret="oldSecret". So I'm not sure I've hit that bug exactly...
--
Sam Morris <
https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9