Bug 1170003

Summary: RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert
Product: Red Hat Enterprise Linux 7
Reporter: Scott Poore <spoore>
Component: ipa
Assignee: Jan Cholasta <jcholast>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.1
CC: jcholast, mkosek, mnavrati, pvoborni, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.1.0-11.el7
Doc Type: Bug Fix
Doc Text:
The following known issue description has been removed from the RHEL 7.1 Beta Release Notes: The ipa-cacert-manage tool always requests renewal of Certification Authority (CA) certificates previously issued by the IPA CA. CA certificates issued by an external CA cause the request to fail. As a consequence, if IPA CA was initially installed as a subordinate of an external CA, it is not possible to change the IPA CA certificate to self-signed using ipa-cacert-manage. There is no known workaround at the moment.
Story Points: ---
Last Closed: 2015-03-05 10:18:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1168850

Description Scott Poore 2014-12-03 00:35:54 UTC
Description of problem:

I'm trying to change the CA cert for IPA from externally signed (by MS ADCS) to self-signed.  I'm getting "Record not found" errors for the cert request.

[root@rhel7-3 log]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Error resubmitting certmonger request '20141202205804', please check the request manually


[root@rhel7-3 log]# getcert list -i 20141202205804
Number of certificates and requests being tracked: 8.
Request ID '20141202205804':
	status: MONITORING
	ca-error: Server at "http://rhel7-3.example.com:8080/ca/ee/ca/profileSubmit" replied: Record not found
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='321598787049'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=subdom1-ADCS2-CA,DC=subdom1,DC=adroot2,DC=example,DC=com
	subject: CN=Certificate Authority,O=EXAMPLE.COM
	expires: 2016-11-11 01:22:59 UTC
	key usage: digitalSignature,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64
certmonger-0.75.14-2.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
# Note this requires a working MS ADCS server.

1.  Install IPA with externally signed CA cert

# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r $(hostname -d |tr [:lower:] [:upper:]) -a Secret123 -p Secret123 -U --external-ca

# copy ipa.csr to ADCS server and sign and copy back

# also copy ADCS CA cert chain back as DER p7b file.

# openssl pkcs7 -print_certs -in /root/adcs2.p7b -inform DER -out /root/adcs2.pem

# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r $(hostname -d |tr [:lower:] [:upper:]) -a Secret123 -p Secret123 -U --external-cert-file=/root/ipa.cer --external-cert-file=/root/adcs2.pem 

2.  Renew CA and change chaining from external to self-signed.

ipa-cacert-manage renew --self-signed

3.  Update client side:

ipa-certupdate

Actual results:
failure listed above

Expected results:
No failure and CA cert changed from externally signed to self-signed.

Additional info:

Comment 2 Jan Cholasta 2014-12-03 05:41:16 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4784

Comment 7 Scott Poore 2014-12-12 20:00:46 UTC
Verified.

Version ::

ipa-server-4.1.0-12.el7.x86_64

Results ::

Reproducing the issue first:

[root@rhel7-3 ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
Error resubmitting certmonger request '20141212192131', please check the request manually

Then update to fixed version ::

[root@rhel7-3 ~]# yum update ipa-server
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
beaker-client                                                                   | 1.5 kB  00:00:00     
beaker-rhel-7.1-beta-optional                                                   | 3.8 kB  00:00:00     
beaker-rhel-7.1-beta-server                                                     | 4.1 kB  00:00:00     
spoore-r7                                                                       | 1.3 kB  00:00:00     
spoore-r7/primary                                                               | 6.4 kB  00:00:01     
spoore-r7                                                                                        10/10
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:4.1.0-10.el7 will be updated
---> Package ipa-server.x86_64 0:4.1.0-12.el7 will be an update
--> Processing Dependency: ipa-python = 4.1.0-12.el7 for package: ipa-server-4.1.0-12.el7.x86_64
--> Processing Dependency: ipa-client = 4.1.0-12.el7 for package: ipa-server-4.1.0-12.el7.x86_64
--> Processing Dependency: ipa-admintools = 4.1.0-12.el7 for package: ipa-server-4.1.0-12.el7.x86_64
--> Running transaction check
---> Package ipa-admintools.x86_64 0:4.1.0-10.el7 will be updated
---> Package ipa-admintools.x86_64 0:4.1.0-12.el7 will be an update
---> Package ipa-client.x86_64 0:4.1.0-10.el7 will be updated
---> Package ipa-client.x86_64 0:4.1.0-12.el7 will be an update
---> Package ipa-python.x86_64 0:4.1.0-10.el7 will be updated
---> Package ipa-python.x86_64 0:4.1.0-12.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                    Arch               Version                     Repository             Size
=======================================================================================================
Updating:
 ipa-server                 x86_64             4.1.0-12.el7                spoore-r7             1.1 M
Updating for dependencies:
 ipa-admintools             x86_64             4.1.0-12.el7                spoore-r7              60 k
 ipa-client                 x86_64             4.1.0-12.el7                spoore-r7             191 k
 ipa-python                 x86_64             4.1.0-12.el7                spoore-r7             1.1 M

Transaction Summary
=======================================================================================================
Upgrade  1 Package (+3 Dependent packages)

Total download size: 2.4 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/4): ipa-client-4.1.0-12.el7.x86_64.rpm                                       | 191 kB  00:00:03     
(2/4): ipa-admintools-4.1.0-12.el7.x86_64.rpm                                   |  60 kB  00:00:05     
(3/4): ipa-python-4.1.0-12.el7.x86_64.rpm                                       | 1.1 MB  00:00:24     
(4/4): ipa-server-4.1.0-12.el7.x86_64.rpm                                       | 1.1 MB  00:00:25     
-------------------------------------------------------------------------------------------------------
Total                                                                   82 kB/s | 2.4 MB  00:00:30     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : ipa-python-4.1.0-12.el7.x86_64                                                      1/8 
  Updating   : ipa-client-4.1.0-12.el7.x86_64                                                      2/8 
Could not load host key: /etc/ssh/ssh_host_dsa_key
  Updating   : ipa-admintools-4.1.0-12.el7.x86_64                                                  3/8 
  Updating   : ipa-server-4.1.0-12.el7.x86_64                                                      4/8 
  Cleanup    : ipa-server-4.1.0-10.el7.x86_64                                                      5/8 
  Cleanup    : ipa-admintools-4.1.0-10.el7.x86_64                                                  6/8 
  Cleanup    : ipa-client-4.1.0-10.el7.x86_64                                                      7/8 
  Cleanup    : ipa-python-4.1.0-10.el7.x86_64                                                      8/8 
beaker-rhel-7.1-beta-server/productid                                           | 1.6 kB  00:00:00     
  Verifying  : ipa-server-4.1.0-12.el7.x86_64                                                      1/8 
  Verifying  : ipa-python-4.1.0-12.el7.x86_64                                                      2/8 
  Verifying  : ipa-client-4.1.0-12.el7.x86_64                                                      3/8 
  Verifying  : ipa-admintools-4.1.0-12.el7.x86_64                                                  4/8 
  Verifying  : ipa-admintools-4.1.0-10.el7.x86_64                                                  5/8 
  Verifying  : ipa-server-4.1.0-10.el7.x86_64                                                      6/8 
  Verifying  : ipa-python-4.1.0-10.el7.x86_64                                                      7/8 
  Verifying  : ipa-client-4.1.0-10.el7.x86_64                                                      8/8 

Updated:
  ipa-server.x86_64 0:4.1.0-12.el7                                                                     

Dependency Updated:
  ipa-admintools.x86_64 0:4.1.0-12.el7                 ipa-client.x86_64 0:4.1.0-12.el7                
  ipa-python.x86_64 0:4.1.0-12.el7                    

Complete!

And see it work the second time:


[root@rhel7-3 ~]# ipa-cacert-manage renew --self-signed
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

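A small diagnostic check, added here as an example and not part of the bug report or of the IPA tooling: it parses `getcert list` output in the format shown in the description, reports whether the caSigningCert request is chained to an external CA or is self-signed (issuer equal to subject), and flags a ca-error such as the "Record not found" reply before ipa-cacert-manage is run. Both samples are constructed from the request shown above; REQUEST_ID in the usage comment is a placeholder.

```shell
#!/bin/sh

# Constructed sample, modelled on the getcert output in the bug description
# (CA signing cert issued by an external ADCS CA, renewal already failing).
SAMPLE_EXTERNAL=$(cat <<'EOF'
Request ID '20141202205804':
    status: MONITORING
    ca-error: Server at "http://rhel7-3.example.com:8080/ca/ee/ca/profileSubmit" replied: Record not found
    stuck: no
    issuer: CN=subdom1-ADCS2-CA,DC=subdom1,DC=adroot2,DC=example,DC=com
    subject: CN=Certificate Authority,O=EXAMPLE.COM
EOF
)

# Constructed sample for the state after a successful `renew --self-signed`.
SAMPLE_SELF=$(cat <<'EOF'
Request ID '20141202205804':
    status: MONITORING
    stuck: no
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
EOF
)

# ca_field OUTPUT FIELD: value of the first "FIELD: value" line, else empty.
ca_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: //p" | head -n 1
}

# ca_chaining OUTPUT: "self-signed" when issuer equals subject, else "external".
ca_chaining() {
    if [ "$(ca_field "$1" issuer)" = "$(ca_field "$1" subject)" ]; then
        echo self-signed
    else
        echo external
    fi
}

# ca_precheck OUTPUT: 0 when the request has no ca-error and is not stuck, 1 otherwise.
ca_precheck() {
    err=$(ca_field "$1" ca-error)
    if [ -n "$err" ] || [ "$(ca_field "$1" stuck)" != "no" ]; then
        echo "request needs manual attention: ${err:-stuck}" >&2
        return 1
    fi
    return 0
}

# Live use (REQUEST_ID is a placeholder for the caSigningCert request id):
#   out=$(getcert list -i "$REQUEST_ID"); ca_precheck "$out" && ca_chaining "$out"
```
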
Comment 9 errata-xmlrpc 2015-03-05 10:18:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html