Bug 1253009

Summary: error message shown in /var/log/message even with successful request
Product: Red Hat Enterprise Linux 8
Reporter: Kaleem <ksiddiqu>
Component: certmonger
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Docs Contact:
Priority: medium
Version: ---
CC: asakure, mkosek, myusuf, ndehadra, nsoman, pcech, pvoborni, rcritten, ssidhaye
Target Milestone: rc
Keywords: TestCaseNeeded, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: certmonger-0.79.13-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1969854
Environment:
Last Closed: 2021-05-18 15:49:54 UTC
Type: Bug
Bug Depends On:    
Bug Blocks: 1969854    

Description Kaleem 2015-08-12 17:34:52 UTC
Description of problem:
Error message "Error reading request, expected PKCS7 data." is shown in /var/log/messages even with a successful request.

Version-Release number of selected component (if applicable):
[root@qe-blade-01 ~]# rpm -q certmonger
certmonger-0.78.4-1.el7.x86_64
[root@qe-blade-01 ~]#

How reproducible:
Always

Steps to Reproduce:
[root@dhcp207-62 ~]# getcert request -c scepca -k /root/sceptest/newkey.prv -f /root/sceptest/newcert.cer -I newtest -L EA90FEF73AD5DA5A203F590AC1428CCC
New signing request "newtest" added.
[root@dhcp207-62 ~]# getcert list -i newtest
Number of certificates and requests being tracked: 1.
Request ID 'newtest':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/root/sceptest/newkey.prv'
	certificate: type=FILE,location='/root/sceptest/newcert.cer'
	signing request thumbprint (MD5): AC1F5B97 3D75C9D5 AE743029 B3C99D12
	signing request thumbprint (SHA1): A7E31396 8A12D3F0 709A2FA3 54166305 FD697FF7
	CA: scepca
	issuer: CN=sceptest-SCEPTEST-CA,DC=sceptest,DC=qe
	subject: CN=dhcp207-62.testrelm.test
	expires: 2017-08-11 10:29:55 UTC
	dns: dhcp207-62.testrelm.test
	key usage: digitalSignature,keyEncipherment
	eku: iso.org.dod.internet.security.mechanisms.8.2.2
	certificate template/profile: IPSECIntermediateOffline
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
[root@dhcp207-62 ~]# tail -n 5 /var/log/messages 
Aug 12 18:45:35 dhcp207-62 certmonger: 2015-08-12 18:45:35 [24318] Error reading request, expected PKCS7 data.
Aug 12 18:45:35 dhcp207-62 certmonger: Certificate in file "/root/sceptest/newcert.cer" issued by CA and saved.
[root@dhcp207-62 ~]# 

Actual results:
Error message in /var/log/messages for a successful request

Expected results:
No error message in /var/log/messages for successful requests

Comment 9 Florence Blanc-Renaud 2020-02-27 09:45:06 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this bug cannot be kept even as a stretch goal and was postponed to RHEL8.

Comment 14 Rob Crittenden 2020-10-06 17:07:28 UTC
Upstream PR https://pagure.io/certmonger/pull-request/170

Comment 15 Rob Crittenden 2020-10-20 19:23:59 UTC
Fixed in upstream master:

8a4778325f6c7ed030e203308a145c193c48c4b4

Comment 22 Sumedh Sidhaye 2020-12-21 05:15:58 UTC
[root@ci-vm-10-0-138-33 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.4 Beta (Ootpa)
[root@ci-vm-10-0-138-33 ~]# rpm -q certmonger ipa-server
certmonger-0.79.13-2.el8.x86_64
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
[root@ci-vm-10-0-138-33 ~]# /usr/libexec/certmonger/scep-submit -u http://interop.redwax.eu/test/simple/scep -C > /etc/pki/tls/certs/rw.crt
[root@ci-vm-10-0-138-33 ~]# getcert add-scep-ca -c scep-ca -u http://interop.redwax.eu/test/simple/scep -I /etc/pki/tls/certs/rw.crt
New CA "scep-ca" added.
[root@ci-vm-10-0-138-33 ~]# getcert list-cas -c scep-ca
CA 'scep-ca':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/scep-submit -u http://interop.redwax.eu/test/simple/scep       -I /etc/pki/tls/certs/rw.crt   
	SCEP CA certificate thumbprint (MD5): 9B3BB9A9 0EFDCDB9 3434F633 54240F40
	SCEP CA certificate thumbprint (SHA1): 14AC57D3 5562DA67 0490F9C1 A76696BE 1162B5AA
[root@ci-vm-10-0-138-33 ~]# getcert request -f /etc/pki/tls/certs/test.example.com.cert -k /etc/pki/tls/private/test.example.com.key -c "scep-ca" -I test.example.com -D test.example.com -G rsa -g 2048 -u digitalSignature -u keyEncipherment -L challenge
New signing request "test.example.com" added.
[root@ci-vm-10-0-138-33 ~]# 
[root@ci-vm-10-0-138-33 ~]# getcert list -i test.example.com
Number of certificates and requests being tracked: 10.
Request ID 'test.example.com':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/test.example.com.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/test.example.com.cert'
	signing request thumbprint (MD5): E4BFE917 ABF389F2 5D1BAC12 7262881C
	signing request thumbprint (SHA1): 2BA4C099 69ACCA09 46054399 8E8AE4E4 5C921A71
	CA: scep-ca
	issuer: O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
	subject: CN=ci-vm-10-0-138-33.hosted.upshift.rdu2.redhat.com
	expires: 2020-12-22 00:13:29 EST
	key usage: digitalSignature,nonRepudiation,keyEncipherment
	eku: id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
[root@ci-vm-10-0-138-33 ~]# tail -n 5 /var/log/messages 
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[10641]: E4tbS+xSWHxfhjonLEk6H5sZwFu8hJeV
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[10641]: -----END PKCS7-----
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[10641]: " for child.
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[10641]: 2020-12-21 00:13:32 [12885] Redirecting stdin to /dev/null, leaving stdout and stderr open for child "/usr/libexec/certmonger/scep-submit".
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[10641]: 2020-12-21 00:13:32 [12885] Running enrollment helper "/usr/libexec/certmonger/scep-submit".
[root@ci-vm-10-0-138-33 ~]# tail -n 15 /var/log/messages 
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[10641]: -----END CERTIFICATE-----
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[10641]: ".
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[10641]: 2020-12-21 00:13:32 [10641] Certificate issued (0 chain certificates, 0 roots).
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[10641]: 2020-12-21 00:13:32 [10641] No hooks set for pre-save command.
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[12891]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[10641]: 2020-12-21 00:13:32 [10641] No hooks set for post-save command.
Dec 21 00:13:32 ci-vm-10-0-138-33 certmonger[12892]: Certificate in file "/etc/pki/tls/certs/test.example.com.cert" issued by CA and saved.

Comment 27 errata-xmlrpc 2021-05-18 15:49:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (certmonger bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1851
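
For log triage on hosts that still run a certmonger build older than the fixed version, the following added example (not part of this bug report and not certmonger code) separates the spurious "expected PKCS7 data" error described above from one that no successful save accompanies. The function names, the same-host and same-timestamp pairing rule, and the third sample line are assumptions made for illustration; the first two sample lines are the ones quoted in the description.

```shell
#!/bin/sh
# Classify certmonger "expected PKCS7 data" errors in syslog-format input.
#   SPURIOUS  : the same host logged "issued by CA and saved." with the
#               same syslog timestamp (the pattern shown in this report)
#   UNMATCHED : no such success followed; check the enrollment itself
# Pairing on host + timestamp is a heuristic chosen for this example.
classify_pkcs7_errors() {
    awk '
    /certmonger.*Error reading request, expected PKCS7 data\./ {
        # An older error for this host that never saw a success is reported.
        if ($4 in pending) print "UNMATCHED", $4, pending[$4]
        pending[$4] = $1 " " $2 " " $3      # month, day, time
        next
    }
    /certmonger.*issued by CA and saved\./ {
        stamp = $1 " " $2 " " $3
        if (($4 in pending) && pending[$4] == stamp) {
            print "SPURIOUS", $4, pending[$4]
            delete pending[$4]
        }
    }
    END { for (h in pending) print "UNMATCHED", h, pending[h] }
    '
}

# Sample input: lines 1-2 are from the bug description, line 3 is constructed.
sample_log() {
    cat <<'EOF'
Aug 12 18:45:35 dhcp207-62 certmonger: 2015-08-12 18:45:35 [24318] Error reading request, expected PKCS7 data.
Aug 12 18:45:35 dhcp207-62 certmonger: Certificate in file "/root/sceptest/newcert.cer" issued by CA and saved.
Aug 12 19:02:10 host-b certmonger: 2015-08-12 19:02:10 [24400] Error reading request, expected PKCS7 data.
EOF
}

sample_log | classify_pkcs7_errors
```

On a real host, feed it the log directly, for example `classify_pkcs7_errors < /var/log/messages`.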