Bug 1283324

Summary: manual renew self-signed CA cert to external CA cert fails
Product: Red Hat Enterprise Linux 7
Reporter: Xiyang Dong <xdong>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: rcritten
Target Milestone: rc
Doc Type: Bug Fix
Last Closed: 2015-11-24 16:57:17 UTC
Type: Bug

Description Xiyang Dong 2015-11-18 17:32:01 UTC
Description of problem:
manual renew self-signed CA cert to external CA cert fails with no context.ldap2 in thread 'MainThread'

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15
pki-ca-10.2.5-6

How reproducible:
Always

Steps to Reproduce:
1. install ipa with self-signed ca cert
2. manual renew ca with option to change to external ca

Actual results:
renew fails

Expected results:
renew succeeds

Additional info:
[root@qe-blade-01 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful
[root@qe-blade-01 ~]# mkdir /root/RootCA1
[root@qe-blade-01 ~]# cd /root/RootCA1
[root@qe-blade-01 RootCA1]# rm  -f *
[root@qe-blade-01 RootCA1]# echo Secret123 > mypass1
[root@qe-blade-01 RootCA1]# certutil -N -d . -f mypass1
[root@qe-blade-01 RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -S -d . \
>     -n RootCA1 \
>     -s "CN=MyRootCA1, O=fakerealm1" \
>     -x \
>     -t "CTu,CTu,CTu" \
>     -g 2048 \
>     -m $RANDOM\
>     -v 60 \
>     -z /etc/group \
>     -2 \
>     --keyUsage certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -f mypass1


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Notice: Trust flag u is set automatically if the private key is present.
[root@qe-blade-01 RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -C -d . \
>     -c RootCA1 \
>     -m $RANDOM \
>     -v 60 \
>     -2 \
>     --keyUsage digitalSignature,nonRepudiation,certSigning \
>     --nsCertType sslCA,smimeCA,objectSigningCA \
>     -i /var/lib/ipa/ca.csr \
>     -o /root/ca.crt \
>     -f mypass1 \
>     -a 
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
[root@qe-blade-01 RootCA1]# certutil -L -d . -n "RootCA1" -a >> /root/RootCA1_chain.asc
[root@qe-blade-01 RootCA1]# cd  /root
[root@qe-blade-01 ~]# getcert list -n 'caSigningCert cert-pki-ca'| grep expires
	expires: 2035-11-18 15:15:35 UTC
[root@qe-blade-01 ~]# ipa-cacert-manage renew \
>     --external-cert-file=/root/ca.crt \
>     --external-cert-file=/root/RootCA1_chain.asc
Directory Manager password: 

Importing the renewed CA certificate, please wait
no context.ldap2_62808656 in thread 'MainThread'
[root@qe-blade-01 ~]# getcert list -n 'caSigningCert cert-pki-ca'| grep expires
	expires: 2035-11-18 15:15:35 UTC
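
A pre-flight check for the renewal inputs, added here as an example and not part of the bug report or of ipa-cacert-manage: before the import step where the report fails, it confirms that the signed certificate really answers the exported CSR, is marked as a CA, and chains to the external root. The make_fixture helper, its file names and subjects are constructed for the demonstration; the check needs only openssl.

```shell
#!/bin/sh
# Hypothetical pre-flight check, not part of the bug report: before handing
# the externally signed certificate and the CA chain to
#   ipa-cacert-manage renew --external-cert-file=... --external-cert-file=...
# confirm that the files fit together. Needs only openssl.
set -u

# check_external_ca CSR SIGNED_CERT CHAIN_FILE
# Succeeds when the certificate's public key is the one from the CSR (the
# cert really answers /var/lib/ipa/ca.csr), the certificate is marked as a
# CA, and it chains to a root contained in CHAIN_FILE.
check_external_ca() {
    csr=$1; cert=$2; chain=$3
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl dgst -sha256)
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    if [ "$csr_key" != "$cert_key" ]; then
        echo "public key in $cert does not match $csr" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "$cert is not a CA certificate (basicConstraints CA:TRUE missing)" >&2
        return 1
    fi
    openssl verify -CAfile "$chain" "$cert" >/dev/null
}

# make_fixture: build a constructed test set in a temporary directory: an
# external root (MyRootCA1), a CSR standing in for /var/lib/ipa/ca.csr, the
# CA certificate the root issued for it, and an unrelated CSR.
# Prints the directory name.
make_fixture() {
    dir=$(mktemp -d)
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
        > "$dir/ca.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.csr" \
        -subj "/O=fakerealm1/CN=MyRootCA1" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 60 \
        -extfile "$dir/ca.ext" -out "$dir/RootCA1_chain.asc" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/ipa.key" -out "$dir/ca.csr" \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -CA "$dir/RootCA1_chain.asc" \
        -CAkey "$dir/root.key" -CAcreateserial -days 60 -extfile "$dir/ca.ext" \
        -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/other.key" -out "$dir/other.csr" \
        -subj "/CN=unrelated" 2>/dev/null
    echo "$dir"
}

# On a real server, with the files from the session above, the call would be:
# check_external_ca /var/lib/ipa/ca.csr /root/ca.crt /root/RootCA1_chain.asc
```

A non-zero exit from check_external_ca means the import would have been fed a mismatched or non-CA certificate, which is worth catching before touching the server's CA configuration.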

Comment 2 Xiyang Dong 2015-11-24 16:57:17 UTC

*** This bug has been marked as a duplicate of bug 1284811 ***