Bug 1325798
| Field | Value |
|---|---|
| Summary | pki-tools in RHEL7 repo doesn't allow RHCS cert signing |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Jakub Samuel Paulovic <jpaulovi> |
| Component | pki-core |
| Assignee | Matthew Harmsen <mharmsen> |
| Status | CLOSED ERRATA |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | high |
| Priority | unspecified |
| Version | 7.2 |
| CC | alee, cfu, edewata, gkapoor, jmagne, nkinder |
| Target Milestone | rc |
| Target Release | 7.3 |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | pki-core-10.3.1-1.el7 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2016-11-04 05:23:53 UTC |
| Attachments | Xml_files (attachment 1182446) |
Changed back to POST per CS Bug Triage of 04/19/2016.

Setup:
------
1. Create template of existing profile.
pki -v -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-profile-show caDirUserCert --output user1.xml
pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-profile-show caUserCert --output user.xml
2. Create key/csr request.
openssl genrsa 4096 > test.key
openssl req -new -key test.key -out test.csr
3. Include the fields mentioned below in the profile templates, i.e. user.xml and user1.xml (attached a copy of both XML files for future use).
user.xml:
cert_request_type = pkcs10
cert_request = your copied CSR output
subject =
User1.xml:
cert_request_type = pkcs10
cert_request = your copied CSR output
sn_cert_name = the custom name that got you into this mess to begin with
4. Create an LDAP user so that the request can be verified using username/password.
dn: uid=ldapuser2,ou=people,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: ldapuser2
cn: Test User
sn: User
givenName: Test
userPassword: Secret123%_test
5. Edit the CA CS.cfg. Stop the CA service first using systemctl stop pki-tomcatd
-- Edit the entries below in CS.cfg
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=org
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki1.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=3389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
-- Start the CA service: systemctl start pki-tomcatd
6. Output should say:
Test Case 1: Valid LDAP user entry
-------------
[root@pki1 test_dir]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit user1.xml --username ldapuser2 --password Secret123_test
Password:
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 79
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: 0x43
Test Case 2: Invalid LDAP user entry
------------
[root@pki1 test_dir]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit user1.xml --username ldapuser2 --password Secret123_testt
Password:
UnauthorizedException: Invalid Credential
Test Case 3: Remove LDAP setting added in step 5. Make sure no more authentication happens now.
-----------
pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit user1.xml --username ldapuser2 --password Secret123_testt
Password:
PKIException: Property auths.instance.UserDirEnrollment.ldap.ldapconn.host missing value
Test Case 4: If the LDAP instance is not reachable/down
------------
pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit user1.xml --username ldapuser2 --password Secret123_testt
Password:
PKIException: Could not connect to LDAP server host pki1.example.com port 389 Error netscape.ldap.LDAPException: failed to connect to server ldap://pki1.example.com:389 (91)
Reference:
https://mojo.redhat.com/docs/DOC-959077
http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles
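The CS.cfg entries from step 5 and the failures in Test Cases 3 and 4 can be checked before the CA is restarted. The following Python script is an added example, not part of this bug report and not code from pki-core: it parses the auths.instance.* block of a CS.cfg, reports required properties that are absent or empty (the condition behind the "Property ... missing value" PKIException in Test Case 3), and flags two settings a reviewer would query in the step 5 configuration: secureConn=false, which sends enrollee passwords and the bind password to the directory in cleartext, and a bindDN of cn=Directory Manager, which is more privilege than a uid lookup needs. The sample configuration is constructed from the step 5 entries; the list of required keys and the severity labels are the example's own assumptions, not a check the CA itself performs in this form.

```python
"""Lint the directory-authentication (UidPwdDirAuth) block of a Dogtag/RHCS CA CS.cfg.

Added example; the required-key list and severities are this script's assumptions.
"""
import re

# Constructed sample mirroring the CS.cfg entries from step 5 of the verification steps.
SAMPLE_CS_CFG = """\
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=org
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki1.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=3389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
"""

# Keys assumed to be required for a UidPwdDirAuth instance to reach the directory at all.
REQUIRED_LDAP_KEYS = ("ldap.basedn", "ldap.ldapconn.host", "ldap.ldapconn.port")


def parse_cs_cfg(text):
    """Parse CS.cfg 'key=value' lines into a dict; '#' comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def auth_instances(cfg):
    """Return the sorted names of all auths.instance.<name>.* blocks present."""
    names = set()
    for key in cfg:
        m = re.match(r"auths\.instance\.([^.]+)\.", key)
        if m:
            names.add(m.group(1))
    return sorted(names)


def lint_dir_auth(cfg, instance):
    """Return a list of (severity, message) findings for one auth instance."""
    prefix = f"auths.instance.{instance}."
    findings = []
    plugin = cfg.get(prefix + "pluginName")
    if plugin != "UidPwdDirAuth":
        findings.append(("info", f"{instance}: pluginName is {plugin!r}, not UidPwdDirAuth; skipping LDAP checks"))
        return findings
    # Absent or empty values: the CA fails the request with "Property ... missing value" (Test Case 3).
    for suffix in REQUIRED_LDAP_KEYS:
        key = prefix + suffix
        if not cfg.get(key):
            findings.append(("error", f"Property {key} missing value"))
    port = cfg.get(prefix + "ldap.ldapconn.port")
    if port and not port.isdigit():
        findings.append(("error", f"{prefix}ldap.ldapconn.port is not numeric: {port!r}"))
    # Cleartext LDAP: the enrollee's uid/password and the bind password cross the network unprotected.
    if cfg.get(prefix + "ldap.ldapconn.secureConn", "false").lower() != "true":
        findings.append(("warn", f"{instance}: secureConn is not true; user credentials are sent to LDAP in cleartext"))
    # Directory Manager as the lookup identity is far more privilege than a uid search needs.
    bind_dn = cfg.get(prefix + "ldap.ldapauth.bindDN", "")
    if bind_dn.lower() == "cn=directory manager":
        findings.append(("warn", f"{instance}: bindDN is Directory Manager; use a least-privilege search account"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CS_CFG
    cfg = parse_cs_cfg(text)
    for name in auth_instances(cfg):
        for severity, message in lint_dir_auth(cfg, name):
            print(f"{severity}: {message}")
```

Run it as `python3 lint_cs_cfg.py /var/lib/pki/pki-tomcat/ca/conf/CS.cfg` (path assumed; adjust to the instance) after stopping the CA and before starting it again; with no argument it lints the embedded sample.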
Created attachment 1182446: Xml_files
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2396.html
Description of problem:
The package pki-tools available from the RHEL7 repo rhel-7-server-rhcmsys-9-rpms is only in version 10.2.6-8.el7pki, but it doesn't work because it does not support the option to authenticate (--username and --password) in the cert-request-submit module, so the server replies with Unauthorized status and fails. On Fedora 23 with version 10.2.6-16.fc23 it works fine. The solution would be to make a newer version of pki-tools available in RHEL7 repos. Thanks.

Version-Release number of selected component (if applicable):
pki-tools-10.2.6-8.el7pki.x86_64

How reproducible:
Run 'pki -v -C ~/.pki.password -U server_URL cert-request-submit user.xml --username $USERNAME --password' where user.xml is the certificate request to be signed.

Steps to Reproduce:
1. Run 'pki -v -C ~/.pki.password -U server_URL cert-request-submit user.xml --username $USERNAME --password'

Actual results:
Get an error response from server:
Server URI: server_URI
Client security database: /home/username/.dogtag/nssdb
Message format: null
Command: cert-request-submit request.xml --username username --password
Initializing client security database
Logging into security token
Module: cert
Module: request-submit
Error: Unrecognized option: --username
usage: cert-request-submit <filename> [OPTIONS...]
--help Show help options

Expected results:
Get this status:
-----------------------------
Submitted certificate request
-----------------------------
and then receive a confirmation email.

Additional info:
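The user.xml handed to cert-request-submit is the profile template from cert-request-profile-show with the cert_request_type, cert_request and (for caDirUserCert) sn_cert_name attributes filled in, as in steps 1 to 3 of the verification steps above. The following Python script is an added example, not code from this report or from pki-tools: it fills those attributes from a PEM PKCS#10 CSR such as the one `openssl req -new -key test.key` writes, rejects input that is not a PEM request, and rejects a template that lacks the named attribute (the wrong profile was exported). The embedded template is a constructed, trimmed stand-in for real cert-request-profile-show output (the element names CertEnrollmentRequest, Input, Attribute and Value are assumed, and the Descriptor children of a real template are omitted), and the embedded CSR is a placeholder string, not a real request.

```python
"""Fill a Dogtag/RHCS profile template (cert-request-profile-show output) with a PKCS#10 CSR.

Added example; the template layout below is an assumption, trimmed from the real XML.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for 'pki ... cert-request-profile-show caDirUserCert --output user1.xml'.
SAMPLE_TEMPLATE = """<CertEnrollmentRequest>
  <ProfileID>caDirUserCert</ProfileID>
  <Renewal>false</Renewal>
  <Input id="i1">
    <ClassID>certReqInputImpl</ClassID>
    <Name>Certificate Request Input</Name>
    <Attribute name="cert_request_type"><Value/></Attribute>
    <Attribute name="cert_request"><Value/></Attribute>
  </Input>
  <Input id="i2">
    <ClassID>subjectNameInputImpl</ClassID>
    <Name>Subject Name</Name>
    <Attribute name="sn_cert_name"><Value/></Attribute>
  </Input>
</CertEnrollmentRequest>
"""

# Placeholder only, not a real CSR: use the output of 'openssl req -new -key test.key -out test.csr'.
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIBplaceholderCSRbodyReplaceWithRealOpensslOutput
-----END CERTIFICATE REQUEST-----
"""

PEM_CSR_HEADERS = ("-----BEGIN CERTIFICATE REQUEST-----",
                   "-----BEGIN NEW CERTIFICATE REQUEST-----")


def fill_template(template_xml, csr_pem, extra=None):
    """Return template_xml with cert_request_type=pkcs10, cert_request=csr_pem and any
    extra attributes (sn_cert_name, subject, ...) set. Raises ValueError on bad input."""
    csr_pem = csr_pem.strip()
    if not csr_pem.startswith(PEM_CSR_HEADERS) or not csr_pem.endswith("REQUEST-----"):
        raise ValueError("cert_request must be a PEM-encoded PKCS#10 request")
    values = {"cert_request_type": "pkcs10", "cert_request": csr_pem}
    values.update(extra or {})
    root = ET.fromstring(template_xml)
    # Index every <Attribute name="..."> regardless of which <Input> it sits in.
    attrs = {a.get("name"): a for a in root.iter("Attribute")}
    for name, value in values.items():
        if name not in attrs:
            raise ValueError(f"template has no attribute {name!r}; wrong profile template?")
        val = attrs[name].find("Value")
        if val is None:
            val = ET.SubElement(attrs[name], "Value")
        val.text = value
    return ET.tostring(root, encoding="unicode")


def attribute_values(xml_text):
    """Map each Attribute name to its Value text (empty string if unset), for inspection."""
    root = ET.fromstring(xml_text)
    return {a.get("name"): (a.findtext("Value") or "") for a in root.iter("Attribute")}


if __name__ == "__main__":
    # usage: fill_template.py TEMPLATE.xml CSR.pem [SN_CERT_NAME] > user1.xml
    if len(sys.argv) < 3:
        sys.exit("usage: fill_template.py TEMPLATE.xml CSR.pem [SN_CERT_NAME]")
    with open(sys.argv[1]) as tmpl, open(sys.argv[2]) as csr:
        extra = {"sn_cert_name": sys.argv[3]} if len(sys.argv) > 3 else None
        print(fill_template(tmpl.read(), csr.read(), extra))
```

The filled file is then submitted exactly as in the test cases, for example `pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit user1.xml --username ldapuser2 --password`, with the password read from the prompt rather than placed on the command line where it lands in shell history and the process list.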