Bug 1126985

Summary: ipa-submit helper fails if ldap_url is not present in default.conf
Product: Red Hat Enterprise Linux 6 Reporter: Keenan Brock <kbrock>
Component: certmongerAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.6CC: jpazdziora, kchamart
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: certmonger-0.75.10-1.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-14 07:12:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Keenan Brock 2014-08-05 19:02:19 UTC 
Description of problem:

I'm trying to run getcert with the -F option to download files.
If ipa is installed using ipa-client-install, the root cert can not be downloaded.

Turns out (thanks Nalin), ipa-client-install creates a /etc/ipa/default.conf without the ldap_uri. Once you add it into there (thanks again Nalin), this fixes.

Version-Release number of selected component (if applicable):

certmonger-0.75.9

How reproducible:

always

Steps to Reproduce:
1. install ipa-client-install

export REALM=<realm of ipa server>

# register postgres service (you can do in the ipa ui if your prefer
kinit admin
ipa service-add --force postgres/`hostname`@$REALM

# request key, cert, and root-cert
mkdir /tmp/certs ; chcon -t cert_t /tmp/certs
getcert request -w -c IPA -v -f /tmp/certs/test.crt -k /tmp/certs/test.key -F /tmp/certs/test-root.crt -N "CN=`hostname`,O=$REALM" -K postgresql/`hostname`@$REALM

# final test
[ -f /tmp/certs/test-root.crt ] && echo "all works" || echo "no root cert file"

Actual results:

creates key and cert, but no root cert file

Expected results:

create key, cert, and root cert.

Additional info:

cat /etc/ipa/default.conf 

#File modified by ipa-client-install

[global]
basedn = dc=kbnet,dc=redhat,dc=com
realm = KBNET.REDHAT.COM
domain = kbnet.redhat.com
server = ipaserver.kbnet.redhat.com
xmlrpc_uri = https://ipaserver.kbnet.redhat.com/ipa/xml
enable_ra = True
Comment 1 Nalin Dahyabhai 2014-08-05 19:16:50 UTC 
Further troubleshooting turns up an "Unable to determine location of IPA LDAP server." error coming from the IPA enrollment helper when it's invoked with "CERTMONGER_OPERATION" set to "FETCH-ROOTS" in the environment.

If there's neither an "ldap_uri" nor a "host" set, we apparently need to fall back to constructing the LDAP server's URI using the "server" setting.
Comment 3 Kaleem 2014-08-07 08:41:42 UTC 
Verified.

certmonger version:
===================
[root@rhel66-client1 ~]# rpm -q certmonger
certmonger-0.75.10-1.el6.x86_64
[root@rhel66-client1 ~]#


[root@rhel66-client1 ~]# ipa-client-install --domain=testrelm.test --realm=TESTRELM.TEST  -p admin -w xxxxxxxx  --server=rhel66-master.testrelm.test -U
Hostname: rhel66-client1.testrelm.test
...
....
.....
Client configuration complete.
[root@rhel66-client1 ~]# echo xxxxxxxx|kinit admin
Password for admin@TESTRELM.TEST: 
[root@rhel66-client1 ~]# export REALM=TESTRELM.TEST
[root@rhel66-client1 ~]# ipa service-add --force postgresql/`hostname`@$REALM
---------------------------------------------------------------------
Added service "postgresql/rhel66-client1.testrelm.test@TESTRELM.TEST"
---------------------------------------------------------------------
  Principal: postgresql/rhel66-client1.testrelm.test@TESTRELM.TEST
  Managed by: rhel66-client1.testrelm.test
[root@rhel66-client1 ~]# mkdir /tmp/certs ; chcon -t cert_t /tmp/certs
[root@rhel66-client1 ~]# getcert request -w -c IPA -v -f /tmp/certs/test.crt -k /tmp/certs/test.key -F /tmp/certs/test-root.crt -N "CN=`hostname`,O=$REALM" -K postgresql/`hostname`@$REALM
New signing request "20140807083022" added.
State GENERATING_KEY_PAIR, stuck: no.
State SUBMITTING, stuck: no.
State NOTIFYING_ISSUED_SAVED, stuck: no.
State MONITORING, stuck: no.
[root@rhel66-client1 ~]# [ -f /tmp/certs/test-root.crt ] && echo "all works" || echo "no root cert file"
all works
[root@rhel66-client1 ~]#
Comment 4 errata-xmlrpc 2014-10-14 07:12:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1512.html