Bug 1327092

Summary: URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2.
Product: Red Hat Enterprise Linux 7
Reporter: Nikhil Dehadrai <ndehadra>
Component: ipa
Assignee: Fraser Tweedale <ftweedal>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: urgent
Priority: urgent
Version: 7.2
CC: cheimes, ekeck, ftweedal, jcholast, mkolaja, mkosek, ndehadra, pvoborni, rcritten
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ipa-4.3.1-0.201605191449GITf8edf37.el7
Doc Type: Bug Fix
Clone Of: ---
Clones: 1337820
Last Closed: 2016-11-04 05:53:08 UTC
Type: Bug
Bug Blocks: 1337820
Attachments: Observations 7.2.2, 7.2.1 and 7.2GA

Description Nikhil Dehadrai 2016-04-14 09:33:51 UTC
Created attachment 1147087
Observations 7.2.2, 7.2.1 and 7.2GA

Description of problem:
URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.6.x86_64

How reproducible:
Intermittent

Steps to Reproduce:
1. Configure an IPA server with RHEL 7.2up2.
2. Create a temporary directory inside /tmp (mkdir /tmp/test).
3. cd /tmp/test
4. Execute the following bash script. (Make sure you update DOMAIN and MASTER as per your setup; in my case DOMAIN is "testrelm.test" and MASTER is the respective IPA server hostname.)
5. BASH script:

###########Script start ##############

#!/bin/bash
# Obtain a Kerberos ticket for the IPA admin and record the master hostname
# and the IPA domain (adjust DOMAIN for your setup)
echo "Secret123" | kinit admin
export MASTER=$(hostname)
export DOMAIN=testrelm.test

# Write the OpenSSL request config; the CN is the IPA master hostname and
# output_password encrypts the private key that "openssl req -new" generates
cat > "$MASTER-cert-req.conf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = test_key_file
prompt = no
output_password = ..

[ test_key_file ]
C = US
ST = CA
L = SFO
O = RedHat Technology
OU = RedHat IT
CN = $MASTER
EOF

csrfile="$MASTER-cert-req.csr"

# Generate the CSR (the new key goes to the default privkey.pem)
openssl req -new -config "$MASTER-cert-req.conf" -out "$csrfile"

# Request the certificate from the IPA CA; --add creates the service
# principal if it does not exist yet
outfile="ipa-functionalservices-ldap-010-output"
ipa cert-request --add --principal="EXAMPLE/$MASTER" "$csrfile" > "$outfile"

# Pull the decimal serial number out of the cert-request output and fetch
# the issued certificate as PEM
export certnum=$(awk '/Serial number:/ {print $3}' "$outfile")
ipa cert-show "$certnum" --out="$MASTER.cert"

# The CRL distribution point and the OCSP responder are expected to point
# at the ipa-ca alias of the domain
expecteduri="http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin"
expectedocsp="http://ipa-ca.$DOMAIN/ca/ocsp"

openssl x509 -text -in "$MASTER.cert"

# Non-OCSP URI line must carry the CRL URL, OCSP URI line the OCSP URL
openssl x509 -text -in "$MASTER.cert" | grep URI | grep -v OCSP | grep "$expecteduri"
openssl x509 -text -in "$MASTER.cert" | grep URI | grep OCSP | grep "$expectedocsp"

#### Script END ##########

Actual results:
1. URI details are missing and OCSP-URI details are incorrectly displayed when the certificate is generated using IPA on RHEL 7.2up2.
2. On executing the command "openssl x509 -text -in $MASTER.cert", the following OCSP URI details are found instead of the expected values inside the variables "expecteduri" and "expectedocsp".

OCSP - URI:http://apollo.testrelm.test:80/ca/ocsp

3. Refer to the attached console output log for 7.2.2, 7.2.1 and 7.2GA, produced using this script.

Expected results:
The URI and OCSP-URI details should be displayed correctly when the certificate is generated using IPA on RHEL 7.2up2.

Additional info:
1. When the same steps are tested on 7.2 GA and 7.2up1, the issue is not observed and the URI and OCSP-URI details are available correctly.
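The grep chains at the end of the script above match any line containing "URI", so a wrong or missing CRL distribution point is easy to misread in the output. The following is an added example, not the reporter's script and not IPA project code: it reads the CRL DP and OCSP URIs per extension block from "openssl x509 -text" and compares them with the expected ipa-ca values. It assumes openssl is on PATH; the two sample certificates are self-signed ones constructed here, one correct and one reproducing the reported symptom.

```shell
#!/bin/sh
# Print the URI lines (leading whitespace stripped) found under one X509v3
# extension header of `openssl x509 -text`, e.g. "X509v3 CRL Distribution
# Points" or "Authority Information Access".
ext_uris() {
  openssl x509 -noout -text -in "$1" | awk -v hdr="$2" '
    { match($0, /^ */); ind = RLENGTH }               # indentation of this line
    inblk && ind <= 12 && $0 !~ /^ *$/ { inblk = 0 }   # next header: block over
    ind == 12 && index($0, hdr)        { inblk = 1; next }
    inblk && /URI:/                    { sub(/^ */, ""); print }
  '
}

# Return 0 when the certificate carries exactly the expected CRL DP and OCSP
# URIs, 1 otherwise. The bug showed up as an empty CRL DP and an OCSP URI
# naming the master itself instead of the ipa-ca alias.
check_cert_uris() {                        # $1=cert.pem $2=crl uri $3=ocsp uri
  got_crl=$(ext_uris "$1" "X509v3 CRL Distribution Points" | sed -n 's/^URI://p')
  got_ocsp=$(ext_uris "$1" "Authority Information Access" | sed -n 's/^OCSP - URI://p')
  if [ "$got_crl" = "$2" ] && [ "$got_ocsp" = "$3" ]; then
    return 0
  fi
  echo "CRL DP: '${got_crl:-<missing>}' (expected '$2')" >&2
  echo "OCSP:   '${got_ocsp:-<missing>}' (expected '$3')" >&2
  return 1
}

# Self-signed certificate carrying the given URIs (constructed test data,
# not an IPA-issued cert); pass "" as the CRL URI to mimic the missing CRL DP.
make_sample_cert() {                       # $1=out.pem $2=crl uri $3=ocsp uri
  d=$(mktemp -d)
  {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=apollo.testrelm.test\n[ext]\n'
    if [ -n "$2" ]; then printf 'crlDistributionPoints=URI:%s\n' "$2"; fi
    printf 'authorityInfoAccess=OCSP;URI:%s\n' "$3"
  } >"$d/req.conf"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -days 1 \
    -config "$d/req.conf" -extensions ext -out "$1" 2>/dev/null
}

# Demo: the values the bug report expects, one good cert and one bad cert.
DOMAIN=testrelm.test
EXPECT_CRL="http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin"
EXPECT_OCSP="http://ipa-ca.$DOMAIN/ca/ocsp"
WORK=$(mktemp -d)
make_sample_cert "$WORK/good.pem" "$EXPECT_CRL" "$EXPECT_OCSP"
make_sample_cert "$WORK/bad.pem" "" "http://apollo.$DOMAIN:80/ca/ocsp"
check_cert_uris "$WORK/good.pem" "$EXPECT_CRL" "$EXPECT_OCSP" && echo "good.pem: OK"
check_cert_uris "$WORK/bad.pem" "$EXPECT_CRL" "$EXPECT_OCSP" || echo "bad.pem: mismatch"
```

Running it against the $MASTER.cert produced by the script above reports exactly which of the two URIs deviates, instead of a silent empty grep.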

Comment 2 Petr Vobornik 2016-04-14 11:07:10 UTC
Btw, this does not happen upstream with ipa 4.3 and pki-ca-10.2.6-15.fc23

Fraser, could it be related to bug 1284803 or bug 1311468? I would say that it isn't.

Also we didn't do any CRL or OCSP related configuration in IPA in u2. To me it looks like a bug in PKI.

What do you think?

Comment 4 Petr Vobornik 2016-04-14 11:53:58 UTC
What are the pki-ca versions?

Comment 5 Nikhil Dehadrai 2016-04-14 13:33:59 UTC
Please find the pki-ca version details below:

1. RHEL 7.2.2 = pki-ca-10.2.5-6.el7.noarch
2. RHEL 7.2.1 = pki-ca-10.2.5-6.el7.noarch
3. RHEL 7.2GA = pki-ca-10.2.5-6.el7.noarch

Comment 6 Fraser Tweedale 2016-04-15 01:03:26 UTC
Petr, I agree it is not unlikely to be related to those bugs.

There was an issue reported in freeipa-users recently with the same or similar symptoms: the caIPAserverCert profile shipped with Dogtag somehow ended up in LDAP instead of the version shipped with FreeIPA. I need to investigate further.

Comment 7 Martin Kosek 2016-05-03 11:59:58 UTC
Was there any result for the investigation?

Comment 8 Fraser Tweedale 2016-05-04 05:00:47 UTC
I'm unable to reproduce; more information about how the IPA server gets to this point is needed, e.g.:

- is it a clone or migration from another master?
- is it an upgrade from an earlier release?
- please attach IPA install logs (and IPA upgrade log, if applicable)

Thanks!

Comment 10 Petr Vobornik 2016-05-05 11:12:44 UTC
Nikhil, do you have an estimate of what percentage of test runs this failure happens in?

Comment 11 Nikhil Dehadrai 2016-05-05 11:34:33 UTC
Hi Petr,

I have noticed this behavior in my upgrade tests related to:
1) 7.2up1 > 7.2up4 (noticed in normal upgrade tests).
2) 7.2up2 > 7.2up4 (noticed in normal upgrade tests).

and did not notice it in the upgrade paths:
1) 7.2GA > 7.2up4 (not noticed in normal upgrade tests).
2) 7.0.z > 7.2up4 (not noticed in normal upgrade tests).

So I would say, roughly 50% of my test runs.

Comment 12 Fraser Tweedale 2016-05-10 13:19:13 UTC
Nikhil, can you please advise whether the affected installations are replicas or had replicas created from them? If so, could you please precisely describe the topology?

Does the problem occur in installations *without* clones?

Comment 13 Nikhil Dehadrai 2016-05-10 14:16:04 UTC
Hi Fraser,

Yes, the setup consisted of Master, Replica and Client (MRC topology). The issue was noticed on the Master as well as the Replica.

Let me know; if you want, I can re-run the task and provide access accordingly.

Comment 21 Nikhil Dehadrai 2016-08-08 08:36:59 UTC
Server build: ipa-server-4.4.0-3.el7.x86_64

Verified the bug on the basis of the following steps:
1. Verified that on running the script on the IPA master, the URI and OCSP details are displayed correctly.
2. Verified the script for both MASTER and REPLICA.

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED-FIXED".

Comment 24 errata-xmlrpc 2016-11-04 05:53:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html