Bug 1269089
| Summary: | Certificate of managed-by host/service fails to resubmit | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Orel <jan.orel> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.1 | CC: | jcholast, ksiddiqu, pvoborni, rcritten, robert, sumenon, tscherf, vonsch |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.4.0-0.el7.1.alpha1 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1408120 (view as bug list) | Environment: | |
| Last Closed: | 2016-11-04 05:38:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Jan Orel
2015-10-06 09:48:23 UTC
Created attachment 1081017 [details]
Patch: Remove hostname == CN check in cert_show

Removing a check which does not work well in the case where a host is resubmitting the certificate of a different host/service that it can manage.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5363

Please note that if this issue is fixed upstream it will most likely be a part of IdM in RHEL 7.3. Please open a support case if you want it backported to RHEL 7.1 or 7.2.

According to https://fedorahosted.org/freeipa/ticket/5363#comment:4 it was fixed in 4.2 scope.

Verified on RHEL73 using

ipa-server-4.4.0-12.el7.x86_64
389-ds-base-1.3.5.10-11.el7.x86_64
certmonger-0.78.4-3.el7.x86_64

```
[root@master sssd]# mkdir -p /tmp/testhost
[root@master sssd]# chcon -t cert_t /tmp/testhost/
[root@master sssd]# ipa-getcert request -k /tmp/testhost/testhost.key -f /tmp/testhost/testhost.cert -N testhost.test-relm.test -K host/testhost.test-relm.test
New signing request "20160920115306" added.
[root@master sssd]# ipa-getcert list -i 20160920115306
Number of certificates and requests being tracked: 9.
Request ID '20160920115306':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/testhost/testhost.key'
    certificate: type=FILE,location='/tmp/testhost/testhost.cert'
    CA: IPA
    issuer: CN=Certificate Authority,O=TEST-RELM.TEST
    subject: CN=testhost.test-relm.test,O=TEST-RELM.TEST
    expires: 2018-09-21 11:53:08 UTC
    principal name: host/testhost.test-relm.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
[root@master sssd]# ipa-getcert resubmit -i 20160920115306
Resubmitting "20160920115306" to "IPA".
[root@master sssd]# ipa-getcert list -i 20160920115306
Number of certificates and requests being tracked: 9.
Request ID '20160920115306':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/testhost/testhost.key'
    certificate: type=FILE,location='/tmp/testhost/testhost.cert'
    CA: IPA
    issuer: CN=Certificate Authority,O=TEST-RELM.TEST
    subject: CN=testhost.test-relm.test,O=TEST-RELM.TEST
    expires: 2018-09-21 11:56:25 UTC
    principal name: host/testhost.test-relm.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

I need to re-open this because I can reproduce the issue with the latest ipa-server on RHEL-6.8:

```
# rpm -q ipa-server
ipa-server-3.0.0-50.el6_8.3.x86_64
# ipa host-add rhtestwww.testrelm.test --ip-address 1.2.3.4
# ipa service-add HTTP/rhtestwww.testrelm.test
# ipa host-add-managedby rhtestwww.testrelm.test --hosts `hostname`
# ipa service-add-host "HTTP/rhtestwww.testrelm.test" --hosts `hostname`
# mkdir /tmp/certs
# chcon -t cert_t /tmp/certs
# cd /tmp/certs
# ipa-getcert request -k $PWD/rhtestwww.testrelm.test.key -f $PWD/rhtestwww.testrelm.test.crt -K "HTTP/rhtestwww.testrelm.test" -N "CN=rhtestwww.testrelm.test" -D "rhtestwww.testrelm.test"
# getcert list -i 20161221153757
Number of certificates and requests being tracked: 2.
Request ID '20161221153757':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.key'
    certificate: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TESTRELM.TEST
    subject: CN=rhtestwww.testrelm.test,O=TESTRELM.TEST
    expires: 2018-12-22 15:37:58 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
# ipa-getcert resubmit -i 20161221153757
Resubmitting "20161221153757" to "IPA".
# getcert list -i 20161221153757
Number of certificates and requests being tracked: 2.
Request ID '20161221153757':
    status: MONITORING
    ca-error: Server at https://dell-m620-05.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command).
    stuck: no
    key pair storage: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.key'
    certificate: type=FILE,location='/tmp/certs/rhtestwww.testrelm.test.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TESTRELM.TEST
    subject: CN=rhtestwww.testrelm.test,O=TESTRELM.TEST
    expires: 2018-12-22 15:37:58 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
```

When I enable ACI logging, I see a number of deny entries:

```
# grep 11:09 /var/log/dirsrv/slapd-TESTRELM-TEST/errors|grep -i deny
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=24 op=6 (main): Deny read on entry(fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test).attr(krbPrincipalKey) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(54): aciname= "Password change service can read/write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny add on entry(krbprincipalname=http/rhtestwww.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(NULL) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(53): aciname= "Admins can write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny delete on entry(krbprincipalname=http/rhtestwww.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(NULL) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the subject by aci(53): aciname= "Admins can write passwords", acidn="dc=testrelm,dc=test"
[21/Dec/2016:11:09:06 -0500] NSACLPlugin - conn=0 op=0 (main): Deny write on entry(krbprincipalname=http/rhtestwww.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test).attr(krbprincipalname) to fqdn=dell-per430-28.testrelm.test,cn=computers,cn=accounts,dc=testrelm,dc=test: no aci matched the resource
[...]
```

Just figured this BZ is for RHEL7. I will open a new BZ against RHEL6 and attach relevant data there.
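As an added illustration (this is not FreeIPA's code, and the directory entries, host names and managedBy data below are constructed for the example), here is a small Python model of the two authorization rules the description and the RHEL 6 reproduction above are about: the old `hostname == CN` comparison in cert_show, which denies a managing host's resubmit for any host or service other than itself, versus deciding purely on whether the requesting host manages the target entry, which is what the directory ACIs express via `managedBy`. It also shows that dropping the comparison does not widen access to entries the requesting host does not manage.

```python
# Added illustration (not FreeIPA's own code): models the authorization
# decision behind this bug. The old cert_show path refused any request from a
# host principal whose hostname differed from the certificate subject CN; the
# fix drops that comparison and leaves authorization to the directory ACIs,
# i.e. whether the requesting host manages the entry that owns the principal.
# All entry names, hostnames and managedBy values here are constructed.

from dataclasses import dataclass, field


class ACIError(Exception):
    """Stands in for the 'Insufficient access' error the IPA server returns."""


@dataclass
class Entry:
    """A minimal host or service entry: where it lives and who manages it."""
    kind: str                                     # "host" or "service"
    fqdn: str                                     # host name the entry belongs to
    managed_by: set = field(default_factory=set)  # fqdn values of managing hosts


# Constructed directory: the IPA master manages a host entry and an HTTP
# service entry (mirroring ipa host-add-managedby / ipa service-add-host),
# and there is one service it does not manage.
MASTER = "master.test-relm.test"
DIRECTORY = {
    "host/" + MASTER: Entry("host", MASTER),
    "host/testhost.test-relm.test": Entry("host", "testhost.test-relm.test", {MASTER}),
    "HTTP/rhtestwww.testrelm.test": Entry("service", "rhtestwww.testrelm.test", {MASTER}),
    "HTTP/other.test-relm.test": Entry("service", "other.test-relm.test"),
}


def requester_hostname(bind_principal):
    """Hostname of a host principal such as host/master.test-relm.test@REALM,
    or None when the caller is not a host principal."""
    if not bind_principal.startswith("host/"):
        return None
    return bind_principal[len("host/"):].split("@", 1)[0]


def old_cert_show_check(bind_principal, subject_cn):
    """The check the patch on this bug removes: for a host principal, the
    certificate subject CN must equal the caller's own hostname, regardless
    of any managed-by rights it holds."""
    hostname = requester_hostname(bind_principal)
    if hostname is not None and hostname != subject_cn:
        raise ACIError("Insufficient access: not allowed to perform this command")
    return True


def can_manage(bind_principal, target_principal):
    """Directory-style authorization: a host may act on a principal if the
    entry is its own or the host is listed in the entry's managedBy."""
    hostname = requester_hostname(bind_principal)
    entry = DIRECTORY.get(target_principal)
    if hostname is None or entry is None:
        return False
    return hostname == entry.fqdn or hostname in entry.managed_by


def new_cert_show_check(bind_principal, target_principal):
    """Fixed behaviour: no CN comparison, only the managed-by authorization."""
    if not can_manage(bind_principal, target_principal):
        raise ACIError("Insufficient access: not allowed to perform this command")
    return True


def resubmit_outcomes(bind_principal, target_principal, subject_cn):
    """Return (old_result, new_result), each 'ok' or 'denied', for one resubmit
    of the certificate for target_principal whose subject CN is subject_cn."""
    results = []
    for check, args in ((old_cert_show_check, (bind_principal, subject_cn)),
                        (new_cert_show_check, (bind_principal, target_principal))):
        try:
            check(*args)
            results.append("ok")
        except ACIError:
            results.append("denied")
    return tuple(results)


if __name__ == "__main__":
    me = "host/" + MASTER + "@TEST-RELM.TEST"
    # Own certificate: both rules allow it.
    print(resubmit_outcomes(me, "host/" + MASTER, MASTER))
    # Managed host: the old check denies (CN != own name), the fixed check allows.
    print(resubmit_outcomes(me, "host/testhost.test-relm.test", "testhost.test-relm.test"))
    # Managed service: same outcome as the managed host.
    print(resubmit_outcomes(me, "HTTP/rhtestwww.testrelm.test", "rhtestwww.testrelm.test"))
    # Unmanaged service: both deny; removing the CN check does not widen access.
    print(resubmit_outcomes(me, "HTTP/other.test-relm.test", "other.test-relm.test"))
```

The last case is the one to keep in mind when reviewing a change like this: the CN comparison was never the thing protecting other hosts' certificates, the ACIs on the host and service entries are, so it can be removed without loosening access, while a server on which those ACIs do not grant the managing host write access (as the 389-ds deny log lines in the RHEL 6 reproduction show) will still fail the resubmit with "Insufficient access".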