Bug 1002639
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | ipa-replica-prepare should not prompt for pkcs12 pin when dogtag is installed as internal CA | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jenny Severance <jgalipea> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.0 | CC: | dpal, jgalipea, mgregg, pviktori, rcritten |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-3.3.2-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 10:25:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jenny Severance
2013-08-29 16:00:57 UTC
meant pkcs12

I think an example is in order. Under what circumstances do you get prompted for a PKCS#12 file password?

Jenny, can you please help us with a reproduction of this bug as Rob requested?

Lowering the needinfo? request.

I just found an e-mail on our team list with relevant information from Michael Gregg:

We have a replica test that is running a command similar to this:

```
ipa-replica-prepare -p Secret123 --ip-address=1.2.3.4 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin='''
```

This ipa-replica-prepare still seems to work on older builds of IPA, but on newer versions seems to kick back asking the end user for an unknown password.

When I manually run this process, I get the following output:

```
[root@ipaqavmb tmp]# echo $ADMINPW | gpg --batch --passphrase-fd 0 -d replica-info-ipaqavmc.testrelm.com.gpg | tar xvf -
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
realm_info/
realm_info/configure.jar
realm_info/pwdfile.txt
realm_info/dscert.p12
realm_info/http_pin.txt
realm_info/krb.js
realm_info/ra.p12
realm_info/dogtag_directory_port.txt
realm_info/dirsrv_pin.txt
realm_info/pwdfile.txt.orig
realm_info/kerberosauth.xpi
realm_info/dogtagcert.p12
realm_info/cacert.p12
realm_info/httpcert.p12
realm_info/preferences.html
realm_info/realm_info
realm_info/ca.crt
[root@ipaqavmb tmp]# ipa-replica-prepare -p Secret123 --ip-address=1.2.3.5 ipaqavmc.testrelm.com --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''
Enter realm_info/httpcert.p12 unlock password:
incorrect password for pkcs#12 file realm_info/httpcert.p12
```

As per Jan Cholasta's answer, this is a regression caused by https://fedorahosted.org/freeipa/ticket/3717. I will clone a ticket to fix this.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3897

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/c6113ab89b010bd60eff4084b8d244dde2563dcf
ipa-2-2: https://fedorahosted.org/freeipa/changeset/3a4a7458c72bb70673520a546ba463ec7fc94bcf

Verified using ipa-server-3.3.2-5.el7.x86_64

Steps used below - and there was no prompt to "Enter realm_info/httpcert.p12 unlock password:"

```
# gpg --batch --passphrase-fd 0 -d /var/lib/ipa/replica-info-hp-dl380pgen8-02-vm-1.testrelm.com.gpg | tar xvf -
DSSecret123
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
realm_info/
realm_info/dirsrv_pin.txt
realm_info/cacert.p12
realm_info/pwdfile.txt.orig
realm_info/dscert.p12
realm_info/dogtagcert.p12
realm_info/dogtag_directory_port.txt
realm_info/http_pin.txt
realm_info/pwdfile.txt
realm_info/httpcert.p12
realm_info/ra.p12
realm_info/ca.crt
realm_info/preferences.html
realm_info/krb.js
realm_info/kerberosauth.xpi
realm_info/configure.jar
realm_info/realm_info
# ipa-replica-prepare --ip-address=1.2.3.4 hp-dl380pgen8-02-vm-1.testrelm.com -p DSSecret123 --dirsrv_pkcs12=realm_info/dscert.p12 --dirsrv_pin='' --http_pkcs12=realm_info/httpcert.p12 --http_pin=''
Preparing replica for hp-dl380pgen8-02-vm-1.testrelm.com from qeblade6.testrelm.com
Copying SSL certificate for the Directory Server from realm_info/dscert.p12
Copying SSL certificate for the Web Server from realm_info/httpcert.p12
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-hp-dl380pgen8-02-vm-1.testrelm.com.gpg
Adding DNS records for hp-dl380pgen8-02-vm-1.testrelm.com
Using reverse zone 3.2.1.in-addr.arpa.
The ipa-replica-prepare command was successful
```

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.