Bug 1271195

Summary: incorrect error message at crlutil failure
Product: [Fedora] Fedora
Reporter: Oleg Fayans <ofayans>
Component: nss-util
Assignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: amarecek, emaldona, kengert, rrelyea
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-07-19 18:12:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments:
some auxiliary env variables (flags: none)
the script that reproduces the issue (flags: none)

Description Oleg Fayans 2015-10-13 11:15:42 UTC
Created attachment 1082350
some auxiliary env variables

Description of problem:
When I am trying to revoke a certificate using crlutil, in some cases crlutil throws the following error:

crlgen: (line: 1) entry already exists. Use "range" and "rmcert" before adding a new one with the same serial number 10
crlutil: crl generation failed: error 0: Success


Version-Release number of selected component (if applicable):

nss-tools-3.20.0-1.0.fc22.x86_64

How reproducible:

Sometimes

Steps to Reproduce:
1. Download attached env file and caless-create-pki.sh script
2. source env
3. ./caless-create-pki.sh
4. After the script finishes its work, issue the following command:

for i in `certutil -L -d nssdb | awk '{print $1}'` ; do certutil -D -d nssdb -n $i ; done

5. run ./caless-create-pki.sh again

Actual results:

++ awk '/^\s+Serial Number: / { print $3 }'
+ serial=10
+ crlutil -M -d nssdb -n ca1 -c /dev/stdin -f /tmp/tmp.E1xXRAcCkb -o nssdb/ca1.crl
++ date -u +%Y%m%d%H%M%SZ
crlgen: (line: 1) entry already exists. Use "range" and "rmcert" before adding a new one with the same serial number 10
crlutil: crl generation failed: error 0: Success

Expected results:

The script should succeed

Additional info:

Comment 1 Oleg Fayans 2015-10-13 11:16:21 UTC
Created attachment 1082351
the script that reproduces the issue

Comment 2 Fedora End Of Life 2016-07-19 18:12:19 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.