| Summary: | ipa-cacert-manage renew self-signed CA to external CA cert fails | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Xiyang Dong <xdong> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED NOTABUG | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | frenaud, jcholast, pvoborni, rcritten |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 13:43:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Please post the output of the following command:

    # certutil -d /etc/pki/pki-tomcat/alias -L -n 'caSigningCert cert-pki-ca'

[root@vm-idm-005 ~]# certutil -d /etc/pki/pki-tomcat/alias -L -n 'caSigningCert cert-pki-ca'
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 404 (0x194)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=MyRootCA1,O=fakerealm1"
Validity:
Not Before: Tue Oct 25 15:16:13 2016
Not After : Mon Oct 25 15:16:13 2021
Subject: "CN=Certificate Authority,O=TESTRELM.TEST"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
d0:84:6d:05:e0:62:4d:29:73:7b:c8:13:bb:41:93:c7:
3d:10:f0:e8:d5:25:3e:0c:06:4a:09:20:80:e9:65:a6:
c2:7f:b0:81:ea:3c:2b:07:53:32:8a:36:93:55:19:1b:
45:46:79:97:93:54:22:a9:71:a3:6f:7f:ad:12:fc:e5:
80:d0:17:25:46:e5:6c:77:15:1c:a9:53:ed:d1:f0:b4:
b1:80:57:ad:ce:11:7d:d3:1c:52:b5:77:fb:04:d7:1c:
0d:3d:de:03:9e:b5:b2:e1:3f:f1:cf:57:57:43:f6:04:
ad:d9:7e:e3:be:95:1c:fb:6f:ec:3b:33:8e:5a:81:0a:
2c:69:a2:28:04:80:f8:0e:b3:7e:f5:78:82:4d:78:a4:
b6:c0:67:4a:e8:92:87:be:f7:f9:03:9e:52:c2:34:02:
d5:10:af:b7:e4:41:ca:1f:09:70:00:d6:29:89:32:23:
2b:7a:c0:e0:3d:aa:98:da:ea:98:84:dc:11:62:e8:f2:
f1:b2:0b:82:9a:3d:c0:bf:f4:71:e3:7a:a3:ac:27:50:
db:9d:75:1f:ba:f9:ea:a0:24:7a:ce:32:f1:3e:4d:ef:
76:c2:02:18:1b:3d:fd:5d:87:1f:a9:18:1f:be:2e:ba:
0f:e0:f8:f7:9d:36:77:e1:ea:07:90:3c:4f:59:9c:b3
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Type
Data: <SSL CA,S/MIME CA,ObjectSigning CA>
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with a maximum path length of 10.
Name: Certificate Key Usage
Usages: Digital Signature
Non-Repudiation
Certificate Signing
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
9d:32:ad:11:fa:44:72:24:fa:c1:39:62:07:d8:0d:77:
6a:aa:4c:a3:c5:92:d7:3c:ee:f6:7c:e3:24:59:be:c3:
68:58:a1:c2:fb:b9:c0:8f:05:38:79:d8:10:06:b6:ab:
97:d1:ca:37:04:2b:81:b2:71:14:46:b0:f7:a0:0f:4b:
d9:ac:91:0b:41:19:4d:3b:da:bd:1d:41:ed:82:be:af:
df:10:9b:4d:66:06:24:c6:b1:02:5f:29:8e:7a:5f:d0:
cf:56:b7:a1:1e:d0:b1:87:a1:a7:ee:a4:30:18:d8:52:
cf:13:e5:a6:97:ac:89:76:0e:f4:1d:4c:14:4c:86:e6:
1b:a4:d2:c9:45:dd:35:8d:96:2a:a1:b0:91:94:8d:02:
2e:97:b5:69:a2:ed:62:7e:7c:72:6f:f3:7e:1a:b5:20:
9d:fd:0c:3c:32:5f:49:ab:09:9d:e1:68:cd:3f:c0:66:
d7:17:ce:ce:99:9e:12:76:41:88:d0:0a:1c:15:e5:1d:
4d:9e:2d:da:09:c1:37:1e:d5:eb:7a:b6:d6:36:38:23:
c0:4e:df:a8:50:e5:a9:07:f3:34:10:c6:1d:79:ae:62:
36:42:0e:c8:21:64:17:7f:14:85:88:cf:98:ae:69:7c:
06:29:59:69:a6:3e:32:89:2f:e8:51:b4:ef:b3:7d:10
Fingerprint (SHA-256):
1E:2E:DB:CF:D2:FF:38:18:07:CE:8B:D5:4E:B7:89:BE:81:71:BE:E4:D1:E1:36:EA:CE:C6:C1:FA:90:B6:D7:98
Fingerprint (SHA1):
C2:0E:AB:E5:A9:27:D4:13:3B:2E:D1:97:CB:10:9D:2B:A6:A4:B6:8C
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=TESTRELM.TEST"
Validity:
Not Before: Tue Oct 25 13:58:14 2016
Not After : Sat Oct 25 13:58:14 2036
Subject: "CN=Certificate Authority,O=TESTRELM.TEST"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
d0:84:6d:05:e0:62:4d:29:73:7b:c8:13:bb:41:93:c7:
3d:10:f0:e8:d5:25:3e:0c:06:4a:09:20:80:e9:65:a6:
c2:7f:b0:81:ea:3c:2b:07:53:32:8a:36:93:55:19:1b:
45:46:79:97:93:54:22:a9:71:a3:6f:7f:ad:12:fc:e5:
80:d0:17:25:46:e5:6c:77:15:1c:a9:53:ed:d1:f0:b4:
b1:80:57:ad:ce:11:7d:d3:1c:52:b5:77:fb:04:d7:1c:
0d:3d:de:03:9e:b5:b2:e1:3f:f1:cf:57:57:43:f6:04:
ad:d9:7e:e3:be:95:1c:fb:6f:ec:3b:33:8e:5a:81:0a:
2c:69:a2:28:04:80:f8:0e:b3:7e:f5:78:82:4d:78:a4:
b6:c0:67:4a:e8:92:87:be:f7:f9:03:9e:52:c2:34:02:
d5:10:af:b7:e4:41:ca:1f:09:70:00:d6:29:89:32:23:
2b:7a:c0:e0:3d:aa:98:da:ea:98:84:dc:11:62:e8:f2:
f1:b2:0b:82:9a:3d:c0:bf:f4:71:e3:7a:a3:ac:27:50:
db:9d:75:1f:ba:f9:ea:a0:24:7a:ce:32:f1:3e:4d:ef:
76:c2:02:18:1b:3d:fd:5d:87:1f:a9:18:1f:be:2e:ba:
0f:e0:f8:f7:9d:36:77:e1:ea:07:90:3c:4f:59:9c:b3
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Authority Key Identifier
Key ID:
51:a7:51:8b:52:a7:f7:61:18:66:ef:22:87:6b:ec:19:
f7:e7:87:2c
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Non-Repudiation
Certificate Signing
CRL Signing
Name: Certificate Subject Key ID
Data:
51:a7:51:8b:52:a7:f7:61:18:66:ef:22:87:6b:ec:19:
f7:e7:87:2c
Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://ipa-ca.testrelm.test/ca/ocsp"
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
06:db:f7:91:01:be:fe:b6:b5:3c:62:0f:24:62:f7:61:
a6:03:d9:cb:65:2b:97:c5:9b:b7:cb:68:b9:9f:68:b5:
4e:d3:c6:fb:20:ad:5f:ce:b5:12:fc:e7:00:be:ea:05:
32:2e:01:a1:a5:40:4b:3a:d7:32:a3:0d:2c:e0:61:47:
54:2c:af:ab:74:3a:a1:7b:ab:88:05:06:ea:5b:c3:22:
8f:04:2e:04:b7:15:f6:4e:3e:f2:0a:f9:1a:f5:9c:56:
35:e8:da:ee:5f:d2:1c:05:1e:06:1e:cc:47:30:84:4a:
73:3d:4d:f2:d6:3f:a2:2d:2a:f7:56:05:b7:10:81:a1:
84:f7:af:fe:a3:c1:7f:cd:4a:93:6a:56:70:1a:0e:c1:
4d:62:c3:c0:ed:a9:60:59:b8:e6:cb:86:6b:81:23:a0:
7a:d5:61:a9:ce:ea:f9:98:65:33:8a:e9:5c:98:6a:19:
b6:5d:0d:24:ec:c3:55:64:e8:5d:95:a8:67:29:f2:7a:
4d:57:dc:1a:e9:41:06:8d:78:38:25:57:68:0d:1c:a2:
36:6b:10:10:81:c0:a4:ad:1a:a1:56:d1:42:39:40:33:
24:58:32:2e:3f:62:d4:9f:7c:82:84:5f:75:fb:7c:c7:
dd:54:2e:5d:cf:b1:2a:56:00:db:84:6f:71:e8:86:74
Fingerprint (SHA-256):
87:A5:31:D5:0A:C2:FF:27:95:96:4F:F0:4D:05:41:0B:19:8B:10:5D:08:09:45:20:53:3D:92:E0:58:97:CB:87
Fingerprint (SHA1):
6E:05:A9:F9:9D:15:A6:FB:B8:42:38:88:61:CF:47:D2:78:F9:D3:71
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
So, it's actually renewed but not showing somehow?
I tried to run ipa-certupdate but it didn't help.

In answer to comment #5: Yes, the CA certificate is properly renewed, and put in the NSS DBs (/etc/pki/pki-tomcat/alias, /etc/httpd/alias and /etc/dirsrv/slapd-xxx) and in /etc/ipa/ca.crt. My guess is that certmonger doesn't know how to handle the 2 certificates with the same nickname/subject but with a different issuer.

Well, my guess is that certmonger picks the cert which expires last, which in this case is the original cert, as it has a validity period of 20 years, whereas the new cert has a validity period of only 10 years, and thus expires earlier. Either way, this is not a bug, as ipa-cacert-manage did in fact not fail and properly renewed the cert.
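Added example (not part of the bug report and not FreeIPA or certmonger code): a POSIX shell helper that reads the text output of `certutil -L -n <nickname>` and prints one summary line per certificate stored under that nickname, flagging the self-signed one by comparing issuer and subject. The function names summarize_certs and count_certs are introduced here, and the embedded sample is a constructed, abbreviated copy of the two certificates from the listing above (moduli, signatures and trust flags omitted).

```shell
#!/bin/sh
# Added example: summarise every certificate stored under one NSS nickname.
# Parses the text format of `certutil -L -n <nickname>` (the same layout as the
# listing in the comment above). On a live IPA server the input would come from:
#   certutil -d /etc/pki/pki-tomcat/alias -L -n 'caSigningCert cert-pki-ca' | summarize_certs
# Caveat: issuer == subject only suggests a self-signed certificate; to prove it,
# verify the signature (certutil -V or openssl verify).

summarize_certs() {
    awk '
        function flush() {
            printf "serial=%s self_signed=%s notafter=%s issuer=%s sha256=%s\n",
                   serial, (issuer == subject ? "yes" : "no"), notafter, issuer, fp
        }
        # A bare "Certificate:" line starts the next certificate in the listing.
        /^ *Certificate:$/             { if (n++) flush() }
        /^ *Serial Number:/            { serial = $3 }
        /^ *Issuer:/                   { sub(/^ *Issuer: */, "");  gsub(/"/, ""); issuer = $0 }
        /^ *Subject:/                  { sub(/^ *Subject: */, ""); gsub(/"/, ""); subject = $0 }
        /^ *Not After *:/              { sub(/^ *Not After *: */, ""); gsub(/ /, "_"); notafter = $0 }
        # The fingerprint value is on the line following the label.
        /^ *Fingerprint \(SHA-256\):/  { getline; gsub(/ /, ""); fp = $0 }
        END                            { if (n) flush() }
    '
}

# Number of certificates in the listing read from stdin; more than one for a
# CA nickname means old and new CA certificates coexist in the database.
count_certs() {
    summarize_certs | grep -c '^serial='
}

# Constructed sample (hypothetical, abbreviated from the listing in the comment above).
SAMPLE='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 404 (0x194)
        Issuer: "CN=MyRootCA1,O=fakerealm1"
        Validity:
            Not Before: Tue Oct 25 15:16:13 2016
            Not After : Mon Oct 25 15:16:13 2021
        Subject: "CN=Certificate Authority,O=TESTRELM.TEST"
    Fingerprint (SHA-256):
        1E:2E:DB:CF:D2:FF:38:18:07:CE:8B:D5:4E:B7:89:BE:81:71:BE:E4:D1:E1:36:EA:CE:C6:C1:FA:90:B6:D7:98
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: "CN=Certificate Authority,O=TESTRELM.TEST"
        Validity:
            Not Before: Tue Oct 25 13:58:14 2016
            Not After : Sat Oct 25 13:58:14 2036
        Subject: "CN=Certificate Authority,O=TESTRELM.TEST"
    Fingerprint (SHA-256):
        87:A5:31:D5:0A:C2:FF:27:95:96:4F:F0:4D:05:41:0B:19:8B:10:5D:08:09:45:20:53:3D:92:E0:58:97:CB:87'

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE" | summarize_certs
```

Two summary lines for one nickname is exactly the situation discussed above: the externally issued certificate (serial 404, issuer MyRootCA1, expiring 2021) and the original self-signed one (serial 1, expiring 2036) share the nickname, while getcert reports only one expiry date. Comparing the SHA-256 fingerprints against /etc/ipa/ca.crt tells you which of the two a client actually trusts.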
Description of problem:
ipa-cacert-manage renew self-signed CA to external CA cert fails

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-12.el7

How reproducible:
Always

Steps to Reproduce:
1. Install IPA with self-signed cert
2. Check certs
3. ipa-cacert-manage renew --external-ca
4. Set up a clean NSS DB dir to work in
5. Create primary CA that is first in chain
6. Sign IPA SubCA Certificate Signing Request (ipa.csr) from ipa-server-install --external-ca
7. Get Signing CA Cert to include with IPA Install
8. Finish external CA renewal
9. Check certs

Actual results:
Certs didn't get renewed

Expected results:
Certs got renewed successfully

Additional info:

1.
[root@wolverine ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$(hostname) -r $RELM -n $DOMAIN -p $ADMINPW -a $ADMINPW -U
. . .

2.
[root@wolverine ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20161016144027':
    status: MONITORING
    subject: CN=CA Audit,O=TESTRELM.TEST
    expires: 2018-10-06 14:39:34 UTC
Request ID '20161016144028':
    status: MONITORING
    subject: CN=OCSP Subsystem,O=TESTRELM.TEST
    expires: 2018-10-06 14:39:28 UTC
Request ID '20161016144030':
    status: MONITORING
    subject: CN=CA Subsystem,O=TESTRELM.TEST
    expires: 2018-10-06 14:39:31 UTC
Request ID '20161016144031':
    status: MONITORING
    subject: CN=Certificate Authority,O=TESTRELM.TEST
    expires: 2036-10-16 14:39:24 UTC
Request ID '20161016144032':
    status: MONITORING
    subject: CN=IPA RA,O=TESTRELM.TEST
    expires: 2018-10-06 14:40:19 UTC
Request ID '20161016144033':
    status: MONITORING
    subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
    expires: 2018-10-06 14:39:29 UTC
Request ID '20161016144141':
    status: MONITORING
    subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
    expires: 2018-10-17 14:41:41 UTC
Request ID '20161016144244':
    status: MONITORING
    subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
    expires: 2018-10-17 14:42:44 UTC

3.
[root@wolverine ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

4.
[root@wolverine ~]# mkdir /root/RootCA1
[root@wolverine ~]# cd /root/RootCA1
[root@wolverine RootCA1]# rm -f *
[root@wolverine RootCA1]# echo Secret123 > mypass1
[root@wolverine RootCA1]# certutil -N -d . -f mypass1

5.
[root@wolverine RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -S -d . \
>   -n RootCA1 \
>   -s "CN=MyRootCA1, O=fakerealm1" \
>   -x \
>   -t "CTu,CTu,CTu" \
>   -g 2048 \
>   -m $RANDOM \
>   -v 60 \
>   -z /etc/group \
>   -2 \
>   --keyUsage certSigning \
>   --nsCertType sslCA,smimeCA,objectSigningCA \
>   -f mypass1
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
Notice: Trust flag u is set automatically if the private key is present.

6.
[root@wolverine RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -C -d . \
>   -c RootCA1 \
>   -m $RANDOM \
>   -v 60 \
>   -2 \
>   --keyUsage digitalSignature,nonRepudiation,certSigning \
>   --nsCertType sslCA,smimeCA,objectSigningCA \
>   -i /var/lib/ipa/ca.csr \
>   -o /root/ca.crt \
>   -f mypass1 \
>   -a
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?

7.
[root@wolverine RootCA1]# certutil -L -d . -n "RootCA1" -a >> /root/RootCA1_chain.asc

8.
[root@wolverine RootCA1]# cd /root
[root@wolverine ~]# ipa-cacert-manage renew \
>   --external-cert-file=/root/ca.crt \
>   --external-cert-file=/root/RootCA1_chain.asc
Importing the renewed CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

9.
[root@wolverine ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20161016144027':
    status: MONITORING
    subject: CN=CA Audit,O=TESTRELM.TEST
    expires: 2018-10-06 14:39:34 UTC
Request ID '20161016144028':
    status: MONITORING
    subject: CN=OCSP Subsystem,O=TESTRELM.TEST
    expires: 2018-10-06 14:39:28 UTC
Request ID '20161016144030':
    status: MONITORING
    subject: CN=CA Subsystem,O=TESTRELM.TEST
    expires: 2018-10-06 14:39:31 UTC
Request ID '20161016144031':
    status: MONITORING
    subject: CN=Certificate Authority,O=TESTRELM.TEST
    expires: 2036-10-16 14:39:24 UTC
Request ID '20161016144032':
    status: MONITORING
    subject: CN=IPA RA,O=TESTRELM.TEST
    expires: 2018-10-06 14:40:19 UTC
Request ID '20161016144033':
    status: MONITORING
    subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
    expires: 2018-10-06 14:39:29 UTC
Request ID '20161016144141':
    status: MONITORING
    subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
    expires: 2018-10-17 14:41:41 UTC
Request ID '20161016144244':
    status: MONITORING
    subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
    expires: 2018-10-17 14:42:44 UTC