Bug 1250093
| Summary: | ipa certprofile-import accepts invalid config | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | ftweedal, jcholast, ksiddiqu, rcritten |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.2.0-5.el7 | Doc Type: | Bug Fix |
| Last Closed: | 2015-11-19 12:04:54 UTC | Type: | Bug |
| Bug Depends On: | 1253045 | ||
| Bug Blocks: | |||
Description
Scott Poore
2015-08-04 13:46:06 UTC
This issue is fixed in Dogtag 10.2.6.

Upstream ticket: https://fedorahosted.org/pki/ticket/1462

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5140

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/4e18a62dd5adeb4bcb63aafc4bbe50d7a5c71b9c/
ipa-4-2: https://fedorahosted.org/freeipa/changeset/b01dc89967c73076c268e6bc3f1d604c3c04b221/

I'm not seeing pki 10.2.6 installed on RHEL7.2 box with ipa 4.2.0-5:

```
[root@master log]# rpm -q ipa-server pki-ca
ipa-server-4.2.0-5.el7.x86_64
pki-ca-10.2.5-5.el7.noarch
```

And I'm still seeing the bad profile imported:

```
[root@master ~]# cp /usr/share/ipa/profiles/caIPAserviceCert.cfg /tmp/bad_profile.cfg
[root@master ~]# sed -i 's/profileId=.*$/profileId=bad_profile/' /tmp/bad_profile.cfg
[root@master ~]# sed -i 's/desc=.*$/desc=My Bad Profile/' /tmp/bad_profile.cfg
[root@master ~]# sed -i 's/^name=.*$/name=bad_profile/' /tmp/bad_profile.cfg
[root@master ~]# ipa certprofile-import bad_profile --file=/tmp/bad_profile.cfg --store=False --desc="Bad Profile"
------------------------------
Imported profile "bad_profile"
------------------------------
Profile ID: bad_profile
Profile description: Bad Profile
Store issued certificates: FALSE
```

Is this correct?

pki-core-10.2.5-5.el7 is the correct pki-core version, but it does not contain the fix. My bad, let me sort it out.

Also note that there are some "bad" profiles whose badness cannot be detected on import, e.g. if there are interpolations that reference nonexistent data. There are many possible errors that will not be detected at import time, but will cause certificate issuance to fail. The default profile template may be one such case of this. Only blatant syntax errors and certain bogus configuration will be detected at import time.

Verified.

Version ::

ipa-server-4.2.0-8.el7.x86_64

Results ::

```
[root@master ~]# ipa certprofile-show caIPAserviceCert --out=/tmp/default_profile.cfg
---------------------------------------------------------------
Profile configuration stored in file '/tmp/default_profile.cfg'
---------------------------------------------------------------
Profile ID: caIPAserviceCert
Profile description: Standard profile for network services
Store issued certificates: TRUE
[root@master ~]# cp /tmp/default_profile.cfg /tmp/profile_unknown_classid.cfg
[root@master ~]# cp /tmp/default_profile.cfg /tmp/profile_invalid_list_value.cfg
[root@master ~]# vi /tmp/profile_unknown_classid.cfg
[root@master ~]# vim /tmp/profile_invalid_list_value.cfg
[root@master ~]# diff /tmp/default_profile.cfg /tmp/profile_unknown_classid.cfg
6c6
< input.i1.class_id=certReqInputImpl
---
> input.i1.class_id=certReqInputImplInvalid
108d107
< profileId=caIPAserviceCert
[root@master ~]# diff /tmp/default_profile.cfg /tmp/profile_invalid_list_value.cfg
107,108c107
< policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
< profileId=caIPAserviceCert
---
> policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,99
[root@master ~]# ipa certprofile-import --store=False --desc=desc profile_unknown_classid --file=/tmp/profile_unknown_classid.cfg
ipa: ERROR: Non-2xx response from CA REST API: 400 Bad Request. Invalid profile data
[root@master ~]# ipa certprofile-import profile_invalid_list_value --store=False --desc=desc --file=/tmp/profile_invalid_list_value.cfg
ipa: ERROR: Non-2xx response from CA REST API: 400 Bad Request. Invalid profile data
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
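
The two faults exercised in the verification above (an unknown `class_id` and a list entry with no configuration behind it) can also be caught locally before calling `ipa certprofile-import`. The following is an added example, not FreeIPA or Dogtag code; the function names, the caller-supplied class ID allowlist and the sample profile are assumptions constructed for illustration, and a clean result does not cover errors that only surface at certificate issuance.

```python
# Added example: pre-import lint for a Dogtag profile .cfg (not FreeIPA or Dogtag code).
# SAMPLE is constructed: a cut-down profile carrying both faults from the run above.
SAMPLE = """\
input.list=i1
input.i1.class_id=certReqInputImplInvalid
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,99
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.2.default.name=Validity Default
"""


def parse_cfg(text):
    """Parse key=value lines; collect lines that are not key=value as errors."""
    props, errors = {}, []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            errors.append(f"line {number}: not key=value")
            continue
        props[key.strip()] = value.strip()
    return props, errors


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def lint_profile(text, known_class_ids):
    """Return a list of problems. known_class_ids is a caller-supplied allowlist (assumption)."""
    props, problems = parse_cfg(text)
    # Fault 1: a class_id that names a plugin outside the allowlist.
    for key, value in props.items():
        if key.endswith(".class_id") and value not in known_class_ids:
            problems.append(f"{key}: unknown class_id {value!r}")
    # Fault 2: a list entry with no configuration keys behind it.
    lists = ["input.list", "output.list"]
    lists += [f"policyset.{name}.list" for name in split_list(props.get("policyset.list", ""))]
    for list_key in lists:
        prefix = list_key[: -len("list")]
        for item in split_list(props.get(list_key, "")):
            if not any(key.startswith(f"{prefix}{item}.") for key in props):
                problems.append(f"{list_key}: entry {item!r} has no {prefix}{item}.* keys")
    return problems


if __name__ == "__main__":
    for problem in lint_profile(SAMPLE, {"certReqInputImpl"}):
        print(problem)
```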