Bug 1126985

Summary: ipa-submit helper fails if ldap_url is not present in default.conf

Product: Red Hat Enterprise Linux 6
Component: certmonger
Version: 6.6
Status: CLOSED ERRATA
Reporter: Keenan Brock <kbrock>
Assignee: Nalin Dahyabhai <nalin>
QA Contact: Kaleem <ksiddiqu>
CC: jpazdziora, kchamart
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: certmonger-0.75.10-1.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-10-14 07:12:51 UTC

Description Keenan Brock 2014-08-05 19:02:19 UTC
Description of problem:

I'm trying to run getcert with the -F option to download files.
If IPA is installed using ipa-client-install, the root cert cannot be downloaded.

Turns out (thanks Nalin), ipa-client-install creates a /etc/ipa/default.conf without the ldap_uri. Once you add it in there (thanks again Nalin), this fixes it.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. install ipa-client-install

export REALM=<realm of ipa server>

# register the postgresql service (you can do this in the IPA UI if you prefer)
# the principal must match the -K value passed to getcert below
kinit admin
ipa service-add --force postgresql/`hostname`@$REALM

# request key, cert, and root-cert
mkdir /tmp/certs ; chcon -t cert_t /tmp/certs
getcert request -w -c IPA -v -f /tmp/certs/test.crt -k /tmp/certs/test.key -F /tmp/certs/test-root.crt -N "CN=`hostname`,O=$REALM" -K postgresql/`hostname`@$REALM

# final test
[ -f /tmp/certs/test-root.crt ] && echo "all works" || echo "no root cert file"

Actual results:

creates key and cert, but no root cert file

Expected results:

create key, cert, and root cert.

Additional info:

cat /etc/ipa/default.conf 

#File modified by ipa-client-install

basedn = dc=kbnet,dc=redhat,dc=com
domain = kbnet.redhat.com
server = ipaserver.kbnet.redhat.com
xmlrpc_uri = https://ipaserver.kbnet.redhat.com/ipa/xml
enable_ra = True

Comment 1 Nalin Dahyabhai 2014-08-05 19:16:50 UTC
Further troubleshooting turns up an "Unable to determine location of IPA LDAP server." error coming from the IPA enrollment helper when it's invoked with "CERTMONGER_OPERATION" set to "FETCH-ROOTS" in the environment.

If there's neither an "ldap_uri" nor a "host" set, we apparently need to fall back to constructing the LDAP server's URI using the "server" setting.

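The fallback Nalin describes above, written out as an added example so the failure is easy to reproduce offline: parse a default.conf of the shape ipa-client-install wrote in this report and pick the LDAP server from ldap_uri, then host, then server. This is illustration code, not certmonger's enrollment helper; the two sample configs are constructed from the file shown in the description, the ldap:// scheme used when only a hostname is known is an assumption, and the host-before-server order simply follows the comment.

```python
"""Resolve the IPA LDAP server URI from /etc/ipa/default.conf.

Added example: mirrors the fallback described in the bug (ldap_uri, then
host, then server). It is not certmonger's own helper code.
"""
import re

# Constructed sample: the file ipa-client-install wrote in the report,
# with no ldap_uri and no host setting.
CLIENT_CONF = """\
#File modified by ipa-client-install

basedn = dc=kbnet,dc=redhat,dc=com
domain = kbnet.redhat.com
server = ipaserver.kbnet.redhat.com
xmlrpc_uri = https://ipaserver.kbnet.redhat.com/ipa/xml
enable_ra = True
"""

# Constructed sample: the same file after the manual workaround of adding
# ldap_uri (the scheme/host here are assumed, not taken from the report).
CLIENT_CONF_FIXED = CLIENT_CONF + "ldap_uri = ldaps://ipaserver.kbnet.redhat.com\n"

HELPER_ERROR = "Unable to determine location of IPA LDAP server."

# 'key = value'; the key is an identifier so values may themselves contain '='
# (e.g. basedn = dc=kbnet,dc=redhat,dc=com).
_KV = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_default_conf(text):
    """Parse IPA's INI-like default.conf into a dict of lowercased keys.

    Section headers such as [global], '#' comments and blank lines are
    skipped, so the parser accepts the file with or without a header.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#[":
            continue
        m = _KV.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def ldap_server_uri(settings):
    """Return the LDAP URI to contact, or None if it cannot be determined.

    Order (assumed, following the comment above): an explicit ldap_uri wins;
    otherwise build ldap://<name> from host, then from server.
    """
    if settings.get("ldap_uri"):
        return settings["ldap_uri"]
    for key in ("host", "server"):
        if settings.get(key):
            return "ldap://%s" % settings[key]
    return None


def fetch_roots_target(text):
    """What a FETCH-ROOTS operation would use for this config text: the LDAP
    URI, or the error string the helper logs when no URI can be derived."""
    uri = ldap_server_uri(parse_default_conf(text))
    return uri if uri is not None else HELPER_ERROR


if __name__ == "__main__":
    # A config with only xmlrpc_uri and no server/host/ldap_uri reproduces
    # the helper's error; the two samples above resolve to a URI.
    broken = "xmlrpc_uri = https://ipaserver.kbnet.redhat.com/ipa/xml\n"
    for label, conf in (("as written by ipa-client-install", CLIENT_CONF),
                        ("with ldap_uri added", CLIENT_CONF_FIXED),
                        ("no server at all", broken)):
        print("%-32s -> %s" % (label, fetch_roots_target(conf)))
```

Before the fix the helper behaved like the no-server case for the first config, which is why the cert and key were written but the root cert was not; with the fallback, the server line alone is enough. To check a real client, run the parser over the actual file (`parse_default_conf(open("/etc/ipa/default.conf").read())`) and confirm that at least one of ldap_uri, host or server is present.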
Comment 3 Kaleem 2014-08-07 08:41:42 UTC

certmonger version:
[root@rhel66-client1 ~]# rpm -q certmonger
[root@rhel66-client1 ~]#

[root@rhel66-client1 ~]# ipa-client-install --domain=testrelm.test --realm=TESTRELM.TEST  -p admin -w xxxxxxxx  --server=rhel66-master.testrelm.test -U
Hostname: rhel66-client1.testrelm.test
Client configuration complete.
[root@rhel66-client1 ~]# echo xxxxxxxx|kinit admin
Password for admin@TESTRELM.TEST: 
[root@rhel66-client1 ~]# export REALM=TESTRELM.TEST
[root@rhel66-client1 ~]# ipa service-add --force postgresql/`hostname`@$REALM
Added service "postgresql/rhel66-client1.testrelm.test@TESTRELM.TEST"
  Principal: postgresql/rhel66-client1.testrelm.test@TESTRELM.TEST
  Managed by: rhel66-client1.testrelm.test
[root@rhel66-client1 ~]# mkdir /tmp/certs ; chcon -t cert_t /tmp/certs
[root@rhel66-client1 ~]# getcert request -w -c IPA -v -f /tmp/certs/test.crt -k /tmp/certs/test.key -F /tmp/certs/test-root.crt -N "CN=`hostname`,O=$REALM" -K postgresql/`hostname`@$REALM
New signing request "20140807083022" added.
State GENERATING_KEY_PAIR, stuck: no.
State SUBMITTING, stuck: no.
State MONITORING, stuck: no.
[root@rhel66-client1 ~]# [ -f /tmp/certs/test-root.crt ] && echo "all works" || echo "no root cert file"
all works
[root@rhel66-client1 ~]#

Comment 4 errata-xmlrpc 2014-10-14 07:12:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.