pp via FreeIPA-users wrote:
> The strange thing is this upgrade code has been in IPA since
4.9.0 so
> its unclear why it decided to break now, and in the way it did.
>
> It should only change the attribute from requiredSecret to secret if
> "tomcat version" reports a version >= 9.0.31.0.
Yes, I noticed the python function returns the correct value (false) when checking for my
tomcat version and should use "requiredSecret" as a result.
The CA has its own upgrade code which runs unconditionally and I think
that's how both secret and requiredSecret got added to server.xml. I
wasn't able to duplicate the 403 though, it always just worked for me.
Perhaps it has to go through more than one upgrade cycle. I did my
testing on RHEL 8.
I filed
https://bugzilla.redhat.com/show_bug.cgi?id=2006070 against
pki-core.
rob