Bug 1284803

Summary: Default CA ACL rule is not created during ipa-replica-install
Product: Red Hat Enterprise Linux 7
Reporter: Jan Kurik <jkurik>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: urgent
Priority: urgent
Version: 7.2
CC: ekeck, ftweedal, jcholast, jkurik, ksiddiqu, mkosek, mnavrati, pvoborni, rcritten
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Fixed In Version: ipa-4.2.0-15.el7_2.2
Doc Type: Bug Fix
Doc Text:
Previously, the built-in certificate profiles and CA ACLs were not added during replica installation. As a consequence, certificate issuance failed on Red Hat Enterprise Linux 7.2 IdM replicas created from IdM masters older than 7.2. With this update, replica installation adds the certificate profiles and CA ACLs whenever they are missing, regardless of the version of the IdM master, so certificate issuance on such replicas now succeeds. In addition, the default CA ACL, hosts_services_caIPAserviceCert, can no longer be deleted, only disabled.
Clone Of: 1283429
Last Closed: 2015-12-08 10:37:44 UTC
Bug Depends On: 1283429

Description Jan Kurik 2015-11-24 09:37:34 UTC
This bug has been copied from bug #1283429 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 5 Kaleem 2015-11-25 08:41:11 UTC
Verified. 
CA ACL now added on migrated replica and getcert/cert-request are successful.

IPA Version:
============
[root@vm-idm-006 ~]# rpm -q ipa-server pki-ca
ipa-server-4.2.0-15.el7_2.2.x86_64
pki-ca-10.2.5-6.el7.noarch
[root@vm-idm-006 ~]# 

Console output:
==============
[root@vm-idm-006 ~]# mkdir /tmp/test1
[root@vm-idm-006 ~]# chcon -t cert_t /tmp/test1/
[root@vm-idm-006 ~]# ipa-getcert request -k /tmp/test1/test1.key -f /tmp/test1/test1.crt -I testing1 
New signing request "testing1" added.
[root@vm-idm-006 ~]# ipa-getcert list -i testing1 
Number of certificates and requests being tracked: 9.
Request ID 'testing1':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/tmp/test1/test1.key'
	certificate: type=FILE,location='/tmp/test1/test1.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=vm-idm-006.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-25 08:28:29 UTC
	dns: vm-idm-006.testrelm.test
	principal name: host/vm-idm-006.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
[root@vm-idm-006 ~]# ipa caacl-find
----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert
----------------------------
Number of entries returned 1
----------------------------
[root@vm-idm-006 ~]# 
[root@vm-idm-006 ~]# mkdir /tmp/cert-request-test/
[root@vm-idm-006 ~]# chcon -t cert_t /tmp/cert-request-test/
[root@vm-idm-006 ~]# openssl req -out /tmp/cert-request-test/request1.csr -new -newkey rsa:1024 -nodes -keyout /tmp/cert-request-test/request1.prv
Generating a 1024 bit RSA private key
...........................................................++++++
........++++++
writing new private key to '/tmp/cert-request-test/request1.prv'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PNQ
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:vm-idm-006.testrelm.test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@vm-idm-006 ~]# ipa cert-request --principal=HTTP/`hostname` /tmp/cert-request-test/request1.csr 
  Certificate: [base64 certificate blob omitted]
  Subject: CN=vm-idm-006.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed Nov 25 08:36:47 2015 UTC
  Not After: Sat Nov 25 08:36:47 2017 UTC
  Fingerprint (MD5): 8e:bd:6a:82:b5:7b:ba:85:a9:74:b7:83:48:24:48:ee
  Fingerprint (SHA1): ed:7b:4c:09:74:c9:6a:eb:91:b2:4b:52:bf:4b:7d:4c:ec:13:7a:07
  Serial number: 268369922
  Serial number (hex): 0xFFF0002
[root@vm-idm-006 ~]# 
[root@vm-idm-006 ~]# rpm -q ipa-server pki-ca
ipa-server-4.2.0-15.el7_2.2.x86_64
pki-ca-10.2.5-6.el7.noarch
[root@vm-idm-006 ~]#
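The manual `ipa caacl-find` check from the verification session above, turned into a scripted post-install audit as an added example (not code from the bug report or from FreeIPA itself). It assumes only the text output format shown in the session, and the sample outputs it runs over are constructed.

```shell
# Added example, not from the bug report or FreeIPA: automates the
# "ipa caacl-find" check from the verification session above. It parses
# only the output format shown there; the sample outputs are constructed.
DEFAULT_ACL="hosts_services_caIPAserviceCert"
DEFAULT_PROFILE="caIPAserviceCert"

# check_default_caacl: reads `ipa caacl-find` output on stdin.
# Exit 0: default ACL present, enabled, covers the default profile.
# Exit 1: ACL missing (the pre-fix replica).  Exit 2: present but disabled,
# the one state the fix still allows.  Exit 3: ACL lacks the profile.
check_default_caacl() {
    awk -v acl="$DEFAULT_ACL" -v prof="$DEFAULT_PROFILE" '
        $1 == "ACL" && $2 == "name:" { cur = $3; if (cur == acl) found = 1 }
        $1 == "Enabled:"  && cur == acl { enabled = ($2 == "TRUE") }
        $1 == "Profiles:" && cur == acl {
            for (i = 2; i <= NF; i++) { p = $i; sub(/,$/, "", p); if (p == prof) has = 1 }
        }
        END { if (!found) exit 1; if (!enabled) exit 2; if (!has) exit 3; exit 0 }'
}

# Constructed sample: the healthy state shown in the verification session.
GOOD_OUTPUT='----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert
----------------------------
Number of entries returned 1
----------------------------'

# Constructed sample: a replica built before the fix, with no ACL at all.
MISSING_OUTPUT='-----------------
0 CA ACLs matched
-----------------'

# Constructed sample: ACL present but disabled, which still blocks issuance.
DISABLED_OUTPUT=$(printf '%s\n' "$GOOD_OUTPUT" | sed 's/Enabled: TRUE/Enabled: FALSE/')

# Stand-alone demo over the constructed samples (pipe real `ipa caacl-find`
# output into check_default_caacl on an IdM server instead).
for name in GOOD_OUTPUT MISSING_OUTPUT DISABLED_OUTPUT; do
    eval "out=\$$name"
    if printf '%s\n' "$out" | check_default_caacl; then rc=0; else rc=$?; fi
    echo "$name: exit $rc"
done
```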

Comment 10 errata-xmlrpc 2015-12-08 10:37:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2562.html