On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote:
> The CA has its own upgrade code which runs unconditionally and I think
> that's how both secret and requiredSecret got added to server.xml. I
> wasn't able to duplicate the 403 though, it always just worked for me.
> Perhaps it has to go through more than one upgrade cycle. I did my
> testing on RHEL 8.
>
> I filed https://bugzilla.redhat.com/show_bug.cgi?id=2006070 against
> pki-core.
I think I just ran into this, or a related issue, when upgrading today on two RHEL 8
machines.
According to etckeeper (great tool!):
Package changes:
-0:ipa-client-4.9.6-6.module+el8.5.0+12660+88e16a2c.x86_64
-0:ipa-client-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
-0:ipa-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
+0:ipa-client-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
+0:ipa-client-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
+0:ipa-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
-0:ipa-server-4.9.6-6.module+el8.5.0+12660+88e16a2c.x86_64
-0:ipa-server-common-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
-0:ipa-server-dns-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
+0:ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
+0:ipa-server-common-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
+0:ipa-server-dns-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
-0:python3-ipaclient-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
-0:python3-ipalib-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
-0:python3-ipaserver-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch
+0:python3-ipaclient-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
+0:python3-ipalib-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
+0:python3-ipaserver-4.9.6-10.module+el8.5.0+13587+92118e57.noarch
Upgrading the above *added* requiredSecret="newSecret" to the AJP Connector
elements within /etc/pki/pki-tomcat/server.xml.
The existing secret="oldSecret" attribute was not changed. Neither was
"secret=oldSecret" changed in the ProxyPassMatch directives in
/etc/httpd/conf.d/ipa-pki-proxy.conf.
It looks like tomcat uses the value of requiredSecret= in preference to secret= if both
are supplied.
The fix was to remove requiredSecret="newSecret" from the tomcat config file
& restart pki-tomcatd@pki-tomcat.
But that bugzilla is about migrating from requiredSecret="oldSecret" ->
secret="oldSecret". So I'm not sure I've hit that bug exactly...
The packages above don't include any additional patches related to
what you see here. They only include changes for CVE-2020-25717, which
has nothing to do with CA operations.
What happens, I suspect, is that both the pki upgrade code and the ipa
upgrade code were triggered, and the pki upgrade code adds the
'requiredSecret' part. The IPA upgrade code has been present since
FreeIPA 4.9.0, since March 2020, more than 1.5 years ago.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
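A check for the mismatch Sam describes, added here as an example and not taken from the thread or from FreeIPA/Dogtag: it reads the AJP Connector attributes from server.xml and the ProxyPassMatch secrets from ipa-pki-proxy.conf and reports every connector whose effective secret httpd never sends. The two sample files are constructed, and the requiredSecret-over-secret precedence is an assumption taken from Sam's observation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the AJP part of /etc/pki/pki-tomcat/server.xml after
# the upgrade described above: secret= keeps the old value, requiredSecret=
# was added with a new one. Both values are made up.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost4" secret="oldSecret" requiredSecret="newSecret"/>
  </Service>
</Server>
"""

# Constructed sample of /etc/httpd/conf.d/ipa-pki-proxy.conf, untouched by the upgrade.
PROXY_CONF = """<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain">
    ProxyPassMatch ajp://localhost:8009 secret=oldSecret
</LocationMatch>
"""

def ajp_effective_secrets(server_xml: str) -> list:
    """(address, attribute, value) per AJP connector. requiredSecret wins over
    secret when both are present (assumption based on the behaviour reported)."""
    out = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        for attr in ("requiredSecret", "secret"):
            if attr in conn.attrib:
                out.append((conn.get("address", "*"), attr, conn.attrib[attr]))
                break
    return out

def proxy_secrets(conf: str) -> set:
    """Every secret=... that httpd passes to an ajp:// ProxyPassMatch target."""
    return set(re.findall(r"^\s*ProxyPassMatch\s+ajp://\S+\s.*?\bsecret=(\S+)",
                          conf, flags=re.M))

def find_mismatches(server_xml: str, conf: str) -> list:
    """One line per AJP connector whose effective secret httpd never sends,
    which is the condition behind the 403s discussed in this thread."""
    offered = proxy_secrets(conf)
    return [f"{addr}: tomcat expects {attr}={val}, httpd sends {sorted(offered)}"
            for addr, attr, val in ajp_effective_secrets(server_xml)
            if val not in offered]
```

Removing the added requiredSecret attribute from the sample, as Sam did on the real file, makes find_mismatches return an empty list.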