Bug 1356101

Summary: Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install`
Product: Red Hat Enterprise Linux 7
Reporter: Petr Vobornik <pvoborni>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: akasurde, ftweedal, lmiksik, mbabinsk, pvoborni, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.4.0-10.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 05:57:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: console.log

Description Petr Vobornik 2016-07-13 12:08:52 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6019

After installing a replica, only the main CA cert is tracked by certmonger:
{{{
# getcert list | grep 'certificate:.*caSigningCert'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
}}}

One has to run `ipa-certupdate` for lightweight sub-CA certs to be tracked by certmonger as well:
{{{
# getcert list | grep 'certificate:.*caSigningCert'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
}}}

Fix `ipa-replica-install` to do this automatically.

Comment 1 Fraser Tweedale 2016-09-05 16:40:02 UTC
Current behaviour: admins must manually run the `ipa-certupdate` command
to add Certmonger tracking requests for lightweight CAs after deploying
a replica.

This ticket means they don't have to do that extra manual step.

Note that this ticket only applies to replica install.  Even if this
ticket is implemented, it will still be necessary for admins to
run `ipa-certupdate` to add tracking requests after creating a new
lightweight CA.
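As an added check (not code from the bug report or from the FreeIPA project), the POSIX shell script below compares the CA signing certs in the pki-tomcat NSS DB with certmonger's tracking requests and lists any lightweight sub-CA cert that has no tracking request, which is the state the report describes after replica install and, per this comment, after creating a new lightweight CA. The `certutil -L` and `getcert list` text is constructed sample input so it runs offline; only the sub-CA nickname is taken from the report, and the trust flags are illustrative.

```shell
#!/bin/sh
# Check that every CA signing cert in the pki-tomcat NSS DB (the main CA and
# each lightweight sub-CA) has a certmonger tracking request. On a real
# server the two inputs would be:
#   certutil -L -d /etc/pki/pki-tomcat/alias      and      getcert list
# Both are constructed samples here so the check runs offline.

# Nicknames certmonger tracks: pull nickname='...' out of `getcert list` text.
tracked_nicknames() {
    printf '%s\n' "$1" | sed -n "s/.*nickname='\([^']*\)'.*/\1/p"
}

# CA signing-cert nicknames in the NSS DB: `certutil -L` prints
# "<nickname> <trust flags>"; strip the trailing trust-flag column.
nssdb_ca_nicknames() {
    printf '%s\n' "$1" | grep '^caSigningCert cert-pki-ca' \
        | sed 's/[[:space:]][[:space:]]*[CTPcpu,]*$//'
}

# Print each CA signing cert that certmonger is not tracking (one per line).
# Empty output means every CA cert, including lightweight sub-CAs, is tracked.
find_untracked_ca_certs() {
    tracked=$(tracked_nicknames "$2")
    nssdb_ca_nicknames "$1" | while IFS= read -r nick; do
        printf '%s\n' "$tracked" | grep -Fxq -- "$nick" || printf '%s\n' "$nick"
    done
}

# Constructed sample: NSS DB holding the main CA plus one lightweight sub-CA
# (nickname format as in the bug report; trust flags are illustrative).
SAMPLE_CERTUTIL=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb u,u,u
Server-Cert cert-pki-ca                                      u,u,u
EOF
)

# Constructed sample: `getcert list` right after ipa-replica-install, where
# only the main CA cert is tracked (the situation this bug describes).
SAMPLE_GETCERT_AFTER_INSTALL=$(cat <<'EOF'
Request ID '20160713120000':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
EOF
)
find_untracked_ca_certs "$SAMPLE_CERTUTIL" "$SAMPLE_GETCERT_AFTER_INSTALL"
```

Run against live output, a non-empty result is the signal that `ipa-certupdate` still needs to be run on that host.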

Comment 5 Abhijeet Kasurde 2016-09-20 13:17:11 UTC
Verified using IPA version:
ipa-server-4.4.0-12.el7.x86_64

Please find the attachment for verification steps. Marking BZ as verified.

Comment 6 Abhijeet Kasurde 2016-09-20 13:17:36 UTC
Created attachment 1202888 [details]
console.log

Comment 8 errata-xmlrpc 2016-11-04 05:57:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html