Bug 1283429
| Field | Value |
|---|---|
| Summary | Default CA ACL rule is not created during ipa-replica-install |
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.2 |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Reporter | Petr Vobornik <pvoborni> |
| Assignee | Fraser Tweedale <ftweedal> |
| QA Contact | Namita Soman <nsoman> |
| Docs Contact | |
| CC | akasurde, ekeck, jcholast, jkurik, ksiddiqu, mkosek, rcritten |
| Target Milestone | rc |
| Target Release | --- |
| Keywords | ZStream |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | ipa-4.2.0-16.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1284803 (view as bug list) |
| Environment | |
| Last Closed | 2016-11-04 05:40:31 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1284803 |
Description

Petr Vobornik, 2015-11-18 23:16:19 UTC

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5269

Ticket 5269 fixed upstream

master:
- https://fedorahosted.org/freeipa/changeset/2be8d2d068557631813607d84bb03c91fbeaaf80
- https://fedorahosted.org/freeipa/changeset/5136cd6e4bd305d6f4b6bf22d22fb4abc365cfad

ipa-4-2:
- https://fedorahosted.org/freeipa/changeset/1874ccf13fdcafca0a35f58b058756018851b13e
- https://fedorahosted.org/freeipa/changeset/a8a666416201a7a7d6739f60854c5e5223b9ceb5

Fixed upstream

master:
- https://fedorahosted.org/freeipa/changeset/6fe0a898077a74924b6ccaf6dfbaf2d166175722
- https://fedorahosted.org/freeipa/changeset/620036d26e98fdcefff00168e9e5463a8257d49c

ipa-4-2:
- https://fedorahosted.org/freeipa/changeset/3cb79337d971653b90bbc99e433e4b3d3ac37579
- https://fedorahosted.org/freeipa/changeset/a2371f38e4fb027aeacaf0ab6f2b35ae49fa41ea

Fixed upstream

master:
- https://fedorahosted.org/freeipa/changeset/341406d16540b1edc0d2792fe2cd9db75590f88e

ipa-4-2:
- https://fedorahosted.org/freeipa/changeset/0f39612730448993190b07708ad4c4956b214a81

Fixed upstream

master:
- https://fedorahosted.org/freeipa/changeset/ed830af693c596b286b30959eb3166b59cc030c6

ipa-4-2:
- https://fedorahosted.org/freeipa/changeset/c5faaede276f3052517ddf86e64cb228e95dca2a

Verified. CA ACL now added on migrated replica and getcert / cert-request are successful.

Verified using IPA version :: ipa-server-4.4.0-5.el7.x86_64

Steps ::

```
[root@ipamasterbz1283429 /]# date
Tue Aug 9 12:25:38 IST 2016
[root@ipamasterbz1283429 /]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-5.el7.x86_64
pki-ca-10.3.3-3.el7.noarch
[root@ipamasterbz1283429 /]# mkdir /tmp/test1
[root@ipamasterbz1283429 /]# ipa-getcert request -k /tmp/test1/test1.key -f /tmp/test1/test1.crt -I testing1
New signing request "testing1" added.
[root@ipamasterbz1283429 /]# ipa-getcert list -i testing1
Number of certificates and requests being tracked: 9.
Request ID 'testing1':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/tmp/test1/test1.key'
	certificate: type=FILE,location='/tmp/test1/test1.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=ipamasterbz1283429.testrelm.test,O=TESTRELM.TEST
	expires: 2018-08-10 06:56:10 UTC
	dns: ipamasterbz1283429.testrelm.test
	principal name: host/ipamasterbz1283429.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
[root@ipamasterbz1283429 /]# echo Secret123 | kinit admin
Password for admin:
[root@ipamasterbz1283429 /]# ipa caacl-find
----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
----------------------------
Number of entries returned 1
----------------------------
[root@ipamasterbz1283429 /]# mkdir /tmp/cert-request-test/
[root@ipamasterbz1283429 /]# openssl req -out /tmp/cert-request-test/request1.csr -new -newkey rsa:1024 -nodes -keyout /tmp/cert-request-test/request1.prv
Generating a 1024 bit RSA private key
...++++++
..............++++++
writing new private key to '/tmp/cert-request-test/request1.prv'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:ipamasterbz1283429.testrelm.test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ipamasterbz1283429 /]# ipa cert-request --principal=HTTP/`hostname` /tmp/cert-request-test/request1.csr
  Certificate:
  Subject: CN=ipamasterbz1283429.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Aug 09 06:57:52 2016 UTC
  Not After: Fri Aug 10 06:57:52 2018 UTC
  Fingerprint (MD5): 28:d2:19:c5:75:51:ec:2c:3d:d5:e8:f6:65:ca:d6:10
  Fingerprint (SHA1): ec:19:a2:ac:a1:db:0b:6e:86:52:f8:93:09:96:01:3e:7f:1f:45:79
  Serial number: 12
  Serial number (hex): 0xC
```

Marking BZ as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
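An added example, not part of the bug report or of FreeIPA itself: a post-install health check that parses `ipa caacl-find` output and flags a replica where the default CA ACL `hosts_services_caIPAserviceCert` is missing or disabled, which is the condition this bug produced. The sample outputs are constructed to match the format shown in the verification comment; the function name and the exact messages are this example's own.

```shell
# Added example (not from the bug report): check that the default CA ACL
# "hosts_services_caIPAserviceCert" exists, is enabled and covers all hosts
# and services, by parsing the text output of `ipa caacl-find`.
# On a real replica run:  check_default_caacl "$(ipa caacl-find)"

DEFAULT_ACL="hosts_services_caIPAserviceCert"

# check_default_caacl OUTPUT -> returns 0 if the ACL is present and fully
# enabled; otherwise prints the reason and returns 1.
check_default_caacl() {
    # Keep only the entry for the default ACL: from its "ACL name:" line up to
    # the blank line that separates entries (or the end of the output).
    block=$(printf '%s\n' "$1" | awk -v name="$DEFAULT_ACL" '
        $0 ~ ("ACL name: " name "$") { inblk = 1 }
        inblk && /^[[:space:]]*$/ { exit }
        inblk { print }')
    if [ -z "$block" ]; then
        echo "MISSING: $DEFAULT_ACL not found; host/service cert requests will be rejected"
        return 1
    fi
    for want in "Enabled: TRUE" "Host category: all" "Service category: all"; do
        if ! printf '%s\n' "$block" | grep -q "$want"; then
            echo "DEGRADED: $DEFAULT_ACL lacks '$want'"
            return 1
        fi
    done
    echo "OK: $DEFAULT_ACL present and enabled"
}

# Constructed sample outputs (not captured from a real server).
GOOD_OUTPUT='----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
----------------------------
Number of entries returned 1
----------------------------'

# What an affected replica reported before the fix: no ACL at all.
MISSING_OUTPUT='-----------------
0 CA ACLs matched
-----------------
----------------------------
Number of entries returned 0
----------------------------'

DISABLED_OUTPUT=$(printf '%s\n' "$GOOD_OUTPUT" | sed 's/Enabled: TRUE/Enabled: FALSE/')
```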