Bug 1284413
| Summary: | ipa-cacert-manage renew fails on nonexistent ldap connection | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Cholasta <jcholast> | |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 7.2 | CC: | ekeck, jkurik, ksiddiqu, mkosek, rcritten, xdong | |
| Target Milestone: | rc | Keywords: | Regression, ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.2.0-16.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1284811 (view as bug list) | Environment: | ||
| Last Closed: | 2016-11-04 05:41:13 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1284811 | |||
|
Description
Jan Cholasta
2015-11-23 09:58:30 UTC
This is a regression in RHEL 7.2. High severity - functionality is not working any more. Fixed upstream master: https://fedorahosted.org/freeipa/changeset/5f2cfb5aa2c5ee4e7421090ec154f744ef2225c0 ipa-4-2: https://fedorahosted.org/freeipa/changeset/f043201ffdd3225fcd263dcc9a3a61768291a3f2 Verified on ipa-server-4.4.0-7.el7:
1.Install ipa with external CA
# ipa-server-install --setup-dns --forwarder=10.11.5.19 -r TESTRELM -a Secret123 -p Secret123 --external-cert-file=/root/ipa.crt --external-cert-file=/root/ipacacert.asc
.
.
.
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
2.Run ipa-cacert-manage renew --external-ca
# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful
3.Sign the CSR file with the external CA to get the renewed CA certificate
#cd /root/RootCA
# SERNUM=$(( SERNUM + 1 ))
# echo -e "y\n10\ny\n" | \
> certutil -C -d . \
> -c RootCA \
> -m $SERNUM \
> -v 60 \
> -2 \
> --keyUsage digitalSignature,nonRepudiation,certSigning \
> --nsCertType sslCA,smimeCA,objectSigningCA \
> -i /var/lib/ipa/ca.csr
> -o /root/ipa.crt \
> -f mypass1 \
> -a
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
4.Run ipa-cacert-manage renew, specify the renewed CA certificate and external CA certificate chain files in the --external-cert-file option
# ipa-cacert-manage renew --external-cert-file=/root/ipa.crt --external-cert-file=/root/ipacacert.asc
Importing the renewed CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html |